Search found 2 matches

by procfs
Sat Jan 01, 2022 7:45 am
Forum: Bug reports
Topic: [fixed]Stack buffer overflow in MD2 Parser
Replies: 5
Views: 2551

Re: Stack buffer overflow in MD2 Parser

Hello again. It seems the current fix is incomplete, since frameSize is a signed int and the check can be bypassed by passing a negative value (such as 0xFFFFFFFF). I think the check comparison should be an unsigned int comparison. Here's a proof-of-concept code just in case. #!/usr/bin/python3 impo...
by procfs
Sun Dec 12, 2021 7:54 am
Forum: Bug reports
Topic: [fixed]Stack buffer overflow in MD2 Parser
Replies: 5
Views: 2551

[fixed]Stack buffer overflow in MD2 Parser

I found a stack buffer overflow in the MD2 file parser (source/Irrlicht/CMD2MeshFileLoader.cpp) in the latest SVN source. This means that every version of Irrlicht is vulnerable to this bug. A malformed MD2 file can be used to a game package developed on top of Irrlicht and trigger arbitrary code ex...