Search found 2 matches

by procfs
Sat Jan 01, 2022 7:45 am
Forum: Bug reports
Topic: [fixed]Stack buffer overflow in MD2 Parser
Replies: 5
Views: 2998

Re: Stack buffer overflow in MD2 Parser

Hello again. It seems the current fix is incomplete, since frameSize is a signed int and the check can be bypassed by passing a negative value. (such as 0xFFFFFFFF) I think the check comparison should be an unsigned int comparison. Here's a proof of concept code just in case. #!/usr/bin/python3 impo...
by procfs
Sun Dec 12, 2021 7:54 am
Forum: Bug reports
Topic: [fixed]Stack buffer overflow in MD2 Parser
Replies: 5
Views: 2998

[fixed]Stack buffer overflow in MD2 Parser

I found a stack buffer overflow in the MD2 file parser (source/Irrlicht/CMD2MeshFileLoader.cpp) in the latest SVN source. This means that every version of irrlicht is vulnerable to this bug. A malformed MD2 file can be used to a game package developed on top of irrlicht and trigger arbitrary code ex...