From: Henry Ballentine
Subject: Buffer Overflow in cmd_load
Date: Wed, 14 Aug 2019 14:23:55 +0000
Hello,
    while ( epdline[i] != '\n' ) {
        data[i+9] = epdline[i];
        ++i;
        printf("%d %c 0x%X\n", i, data[i+9], epdline[i]);
    }
When parsing a valid file with no newlines in it, if the filename is too long it overflows the data buffer, because the copying while loop looks for newlines, not nulls, to terminate the loop. For example, inputting:
load /path/to/input/file/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAtest2
File contents:
r5k1/p1p3p1/3bqr2/3pN2p/3ppB2/P7/1P3P1Q/R3R1K1 b - - bm 1; id 1;\8Ar5kAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA… (~16Kb of A)
Results in a stack where epdline has overflowed into the buffer for handling user input, the base pointer, and the return address on the stack.
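The loop above stops only on '\n', so a line with no newline is copied until some unrelated '\n' turns up in memory, regardless of how large data is. The following is an added example, not code from the report or from the engine it describes: it mirrors the original loop's termination rule to show that the write count is unbounded for newline-free input, and places beside it a bounded copy that stops on '\n', on NUL, or when the destination is full, and rejects the line rather than truncating it silently. DATA_SIZE (256) and the 9-byte prefix the original loop skips are assumptions, since the report does not give the real buffer size; the input record is constructed from the one in the report, and the example also covers an over-long line that does contain a newline, which the original loop would overflow just the same.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed stack buffer the EPD line is copied into;
 * the report does not state the real value. */
#define DATA_SIZE 256
/* The reported loop writes at data[i+9]; the first 9 bytes are assumed
 * to hold a fixed prefix stored before the loop runs. */
#define DATA_OFFSET 9

/* EPD record taken from the report (the part before the run of 'A's). */
static const char EPD_RECORD[] =
    "r5k1/p1p3p1/3bqr2/3pN2p/3ppB2/P7/1P3P1Q/R3R1K1 b - - bm 1; id 1;";

/* Mirrors the termination rule of the reported loop without doing its
 * writes: if a '\n' exists before the terminating NUL, sets *n to the
 * number of bytes the original loop would store and returns true.
 * Returns false when there is no newline at all, meaning the original
 * loop would run past the end of epdline and keep writing. */
bool original_loop_write_count(const char *epdline, size_t *n)
{
    const char *nl = strchr(epdline, '\n');
    if (nl == NULL)
        return false;
    *n = (size_t)(nl - epdline);
    return true;
}

/* Bounded replacement: stops at '\n', at NUL, or when the destination
 * is full, and always leaves data NUL-terminated. Returns the number of
 * bytes copied, or -1 if the line did not fit (caller rejects the line). */
int copy_epd_line(char *data, size_t datalen, const char *epdline)
{
    size_t i = 0;
    size_t room;
    if (datalen <= DATA_OFFSET + 1)
        return -1;
    room = datalen - DATA_OFFSET - 1;   /* keep one byte for the NUL */
    while (epdline[i] != '\n' && epdline[i] != '\0') {
        if (i >= room) {
            data[DATA_OFFSET + i] = '\0';
            return -1;
        }
        data[DATA_OFFSET + i] = epdline[i];
        ++i;
    }
    data[DATA_OFFSET + i] = '\0';
    return (int)i;
}

/* Builds a constructed input: EPD_RECORD followed by `pad` 'A' bytes and,
 * if `newline` is set, a trailing '\n'. Returns the length, 0 if too big. */
size_t build_line(char *out, size_t outlen, size_t pad, bool newline)
{
    size_t len = strlen(EPD_RECORD);
    size_t total = len + pad + (newline ? 1 : 0);
    if (total + 1 > outlen)
        return 0;
    memcpy(out, EPD_RECORD, len);
    memset(out + len, 'A', pad);
    if (newline)
        out[len + pad] = '\n';
    out[total] = '\0';
    return total;
}

int main(void)
{
    char line[4096];
    char data[DATA_SIZE];
    size_t n;
    int rc;

    /* Case from the report: long line, no newline anywhere. */
    build_line(line, sizeof line, 1000, false);
    if (!original_loop_write_count(line, &n))
        printf("original loop: no '\\n' in input, copy is unbounded\n");
    rc = copy_epd_line(data, sizeof data, line);
    printf("bounded copy: rc=%d (-1 = rejected as too long)\n", rc);

    /* Over-long line that does end in a newline: still overflows. */
    build_line(line, sizeof line, 300, true);
    original_loop_write_count(line, &n);
    printf("original loop would write %zu bytes into %d available\n",
           n, DATA_SIZE - DATA_OFFSET);

    /* Well-formed line fits and is copied intact. */
    build_line(line, sizeof line, 0, true);
    rc = copy_epd_line(data, sizeof data, line);
    printf("bounded copy of well-formed line: %d bytes: %s\n",
           rc, data + DATA_OFFSET);
    return 0;
}
```

The fix is to bound the loop by the destination size and treat NUL as a terminator too; returning -1 instead of truncating matters because a silently shortened EPD record would otherwise be parsed as a different position.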