Synopsis:
There is a possible buffer overflow exploit in the playback
of modified rm files. Size values are read from the media and then used
as the length of a memcpy call without checking the bounds of that call.
If the media is modified, the memcpy will copy more data than is actually
stored, which can potentially lead to a buffer overflow exploit. This CR
fixes the crash that occurs when playing the memorycorruption2heap.rm media
file linked from the bug report.
Fix:
Need to add bounds checking when calling memcpy, making sure
the sizes read are no greater than the data allocated.
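As an added illustration of the fix described above (not the crvupack.cpp code itself, which is not on this page): a copy routine that checks a media-supplied length against both the bytes actually present in the input and the capacity of the destination before calling memcpy. The fragment layout, function names and sample fragments are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fragment layout, constructed for this example (not the real RM
 * container): a 16-bit big-endian length read from the media, then the payload. */
enum copy_status { COPY_OK, COPY_SHORT_HEADER, COPY_TRUNCATED_INPUT, COPY_DEST_TOO_SMALL };

/* Bounds-checked form of "read a size from the media, memcpy that many bytes".
 * in/in_len  : bytes actually present in the media buffer
 * out/out_cap: destination allocation and its capacity
 * On success copies the payload, stores its length in *copied and returns COPY_OK;
 * on any failure nothing is copied and *copied is 0. */
enum copy_status unpack_fragment(const uint8_t *in, size_t in_len,
                                 uint8_t *out, size_t out_cap, size_t *copied)
{
    *copied = 0;
    if (in_len < 2)
        return COPY_SHORT_HEADER;                    /* length field incomplete */
    size_t claimed = ((size_t)in[0] << 8) | in[1];   /* media-supplied, untrusted */
    size_t avail   = in_len - 2;                     /* payload bytes really stored */
    /* The two checks the fix calls for: the claimed size may exceed neither the
     * data present in the media nor the space allocated for the destination. */
    if (claimed > avail)
        return COPY_TRUNCATED_INPUT;                 /* would read past the media */
    if (claimed > out_cap)
        return COPY_DEST_TOO_SMALL;                  /* would write past the heap block */
    memcpy(out, in + 2, claimed);
    *copied = claimed;
    return COPY_OK;
}

/* Constructed samples: a well-formed fragment declaring 4 bytes, and a modified
 * one declaring 0xFFFF bytes while only 4 are present (like a corrupted .rm). */
static const uint8_t GOOD_FRAG[] = { 0x00, 0x04, 'R', 'V', '3', '0' };
static const uint8_t BAD_FRAG[]  = { 0xFF, 0xFF, 'R', 'V', '3', '0' };
static uint8_t scratch[8];   /* stand-in for the heap block the decoder allocated */
static size_t  n_copied;

int main(void)
{
    enum copy_status s;
    s = unpack_fragment(GOOD_FRAG, sizeof GOOD_FRAG, scratch, sizeof scratch, &n_copied);
    printf("good fragment    : status %d, copied %zu bytes\n", (int)s, n_copied);
    s = unpack_fragment(BAD_FRAG, sizeof BAD_FRAG, scratch, sizeof scratch, &n_copied);
    printf("modified fragment: status %d, copied %zu bytes\n", (int)s, n_copied);
    return 0;
}
```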
Files Modified:
rarvcode-video/payload/crvupack.cpp
Branch:
Head, Thxclient_1_2_1_neptune
Platforms and Profiles Build Verified:
Win32
Thanks,
Todd