InfoSect's Month of Pointless Bugs (#25)

InfoSect, Canberra's hackerspace, regularly runs public group sessions to perform code review and vulnerability discovery. Over the next 30 days, I'll highlight the source code of 30 unknown vulnerabilities.

Bug #25

In the ltris game

SDL_Surface* load_surf(char *fname, int f)
    SDL_Surface *buf;
    SDL_Surface *new_sur;
    char path[ 512 ];
    SDL_PixelFormat *spf;
#ifdef USE_PNG
    char png_name[32];

#ifdef USE_PNG
    /* override file name as all graphics were changed from
    bitmap to png so the extension must be corrected */
    memset( png_name, 0, sizeof( png_name ) );
    strncpy( png_name, fname, strlen( fname ) - 4 );
    strcat( png_name, ".png" );
    get_full_bmp_path( path, png_name );
    buf = load_png( path );


The above isn't thought through very well.. using strlen(fname)-4 for the length of the copy, even though it's a fixed 32 bytes? It's probably a typo or a brain snap.

Lets see if we can find code where it's greater than 32 bytes:

Font* load_font(char *fname)
    Font    *fnt = 0;
    FILE    *file = 0;
    char    path[512];
    int     i;

    get_full_font_path( path, fname );

    fnt = malloc(sizeof(Font));
    if (fnt == 0) {
        fprintf(stderr, "load_font: not enough memory\n");

    if ((fnt->pic = load_surf(path, SDL_HWSURFACE)) == 0)

Looks like we can make it large. Hence, a buffer overflow.


Popular posts from this blog

NetBSD kernel wscons IOCTL vulnerable bug class

InfoSect's Month of Pointless Bugs (#1, #2)

InfoSect's Month of Pointless Bugs (#3)