Hello again.
It seems the current fix is incomplete, since frameSize is a signed int and the check can be bypassed by passing a negative value (such as 0xFFFFFFFF).
I think the check comparison should be an unsigned int comparison.
Here's proof-of-concept code, just in case.
#!/usr/bin/python3 ...
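The signed-versus-unsigned comparison point made in the post above, as an added example: this is not the poster's PoC (which the page truncates) and not Irrlicht's own loader code. The limit MAX_FRAME_BYTES, the function names and the constructed sample size fields are assumptions for illustration; the real check in CMD2MeshFileLoader.cpp is not reproduced here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical limit standing in for a loader's fixed-size frame buffer.
 * Irrlicht's real constants and field names are not reproduced here. */
#define MAX_FRAME_BYTES 4096u

enum outcome { REJECTED = 0, ACCEPTED_SAFE = 1, ACCEPTED_OVERFLOW = 2 };

/* Little-endian 32-bit read, as MD2 headers store their integers.
 * Returned as int32_t to mirror a signed frameSize field. */
static int32_t read_le32(const uint8_t *p)
{
    uint32_t v = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return (int32_t)v;
}

/* Incomplete check: signed comparison. A negative frameSize such as -1
 * (0xFFFFFFFF on disk) is "smaller" than the limit and is accepted. */
static bool frame_size_ok_signed(int32_t frameSize)
{
    return frameSize <= (int32_t)MAX_FRAME_BYTES;
}

/* Corrected check: compare as unsigned. Any negative value becomes
 * >= 0x80000000, which exceeds the limit and is rejected along with
 * oversize positive values. */
static bool frame_size_ok_unsigned(int32_t frameSize)
{
    return (uint32_t)frameSize <= MAX_FRAME_BYTES;
}

/* Models what happens after the check: the length reaches a size_t
 * parameter (fread/memcpy), where -1 becomes SIZE_MAX. Nothing is copied
 * here; the function only reports whether the copy would stay inside
 * the buffer. */
static enum outcome load_frame_outcome(const uint8_t *hdr,
                                       bool (*check)(int32_t))
{
    int32_t frameSize = read_le32(hdr);
    size_t n;
    if (!check(frameSize))
        return REJECTED;
    n = (size_t)frameSize;            /* -1 wraps to SIZE_MAX here */
    return n <= MAX_FRAME_BYTES ? ACCEPTED_SAFE : ACCEPTED_OVERFLOW;
}

/* Constructed sample size fields (not taken from a real MD2 file). */
static const uint8_t kSizeNormal[4] = {0x00, 0x01, 0x00, 0x00}; /* 256    */
static const uint8_t kSizeHuge[4]   = {0x00, 0x00, 0x01, 0x00}; /* 65536  */
static const uint8_t kSizeNeg[4]    = {0xFF, 0xFF, 0xFF, 0xFF}; /* -1     */

static const char *outcome_name(enum outcome o)
{
    return o == REJECTED ? "rejected"
         : o == ACCEPTED_SAFE ? "accepted (fits)"
         : "accepted (would overflow)";
}

int main(void)
{
    const uint8_t *samples[3] = {kSizeNormal, kSizeHuge, kSizeNeg};
    const char *labels[3] = {"256", "65536", "-1 (0xFFFFFFFF)"};
    for (int i = 0; i < 3; i++) {
        printf("frameSize %-16s signed check: %-27s unsigned check: %s\n",
               labels[i],
               outcome_name(load_frame_outcome(samples[i], frame_size_ok_signed)),
               outcome_name(load_frame_outcome(samples[i], frame_size_ok_unsigned)));
    }
    return 0;
}
```

The unsigned cast is the whole fix: it turns the two bad cases (too large, negative) into one comparison, which is the same reason a check against a buffer size should be written with size_t or uint32_t rather than int.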
Search found 2 matches
- Sat Jan 01, 2022 7:45 am
- Forum: Bug reports
- Topic: [fixed]Stack buffer overflow in MD2 Parser
- Replies: 5
- Views: 6398
- Sun Dec 12, 2021 7:54 am
- Forum: Bug reports
- Topic: [fixed]Stack buffer overflow in MD2 Parser
- Replies: 5
- Views: 6398
[fixed]Stack buffer overflow in MD2 Parser
I found a stack buffer overflow in the MD2 file parser (source/Irrlicht/CMD2MeshFileLoader.cpp) in the latest SVN source. This means that every version of irrlicht is vulnerable to this bug.
A malformed MD2 file can be used to a game package developed on top of irrlicht and trigger arbitrary code ...