[4.10.0/3.88b] Buffer Overflow Vulnerability

Is there something that doesn't work right in the latest GZDoom? Post about it here.

Moderator: GZDoom Developers

Forum rules
Please construct and post a simple demo whenever possible for all bug reports. Please provide links to everything.

If you can include a wad demonstrating the problem, please do so. Bug reports that include fully-constructed demos have a much better chance of being investigated in a timely manner than those that don't.

Please make a new topic for every bug. Don't combine multiple bugs into a single topic. Thanks!
Posts: 1
Joined: Thu May 11, 2023 7:43 am
Preferred Pronouns: He/Him
Operating System Version (Optional): Windows 10
Graphics Processor: nVidia (Modern GZDoom)

[4.10.0/3.88b] Buffer Overflow Vulnerability

Post by Knursoft »

So i was testing gzdoom and it seems there is a buffer overflow vulnerability in a IMGZImage_TryCreate function. When it reads a magic number IMGZ, the read function checks if variables FilePos (which is wad's directory pointer to the start of the lump's data) + len (which is 4, size of magic number) is greater than StartPos (wad's directory pointer to lump's data again) + Length (size of lump in bytes) variables. If it is larger, it sets len (4 bytes) to Length - FilePos + StartPos. The problem occurs when the Length and StartPos are added in if statement. These variables are 32 bit signed integers, so they cannot exceed value 0x7fffffff, but when we add for example values 0x40000000 + 0x50000000 the result will cause the integer overflow, and it will return actually less than the FilePos + len is, causing statement to be true, and setting len variable to Length - FilePos + StartPos, which will cause the mReader->Read to actually read much more bytes than the magic buffer is capable to hold, resulting overwritting variables on stack, including the return address. This vulnerability also occurs in LZDoom in which the OpenAL32.dll library is compiled without ASLR and DEP, which makes it simpler to exploit by potential attackers.

The simplest fix for this is declaring "Length" variable in files.h:67 as unsigned long.
You do not have the required permissions to view the files attached to this post.

Return to “Bugs [GZDoom]”