GOM Player uses the srt2smi.exe module to convert subtitles from SRT to SMI format. However, this module does not handle a crafted SRT file correctly, which leads to a buffer overrun. This is the pseudo-code:

    vuln_function(char* srt_file) {
        char src[10244];
        char dest[10244];
        FILE* file;
        file = fopen(srt_file, "r");
        while (condition 1) {
            …
            fgets(src, 10240, file);       // index
            fgets(src, 10240, file);       // time
            fgets(src, 10240, file);       // content
            while (condition 2) {
                strcat(dest, src);         // vulnerability: no check of the space left in dest
                fgets(src, 10240, file);   // next content
                …
            }
            …
        }
    }

The error is caused by the strcat call, which keeps appending content lines to dest without checking how much space is left. Notably, srt2smi.exe runs as a separate process from GOM Player, so it crashes silently and does not affect GOM Player.
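A bounded version of the inner loop, as an added example (not code from the original post or from GOM Player): it tracks how much of dest is used and rejects a subtitle block that would not fit. The function names, the blank-line terminator standing in for "condition 2", and the sample subtitle text are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample: one SRT block whose content is 12 bytes long. */
static const char SAMPLE[] = "1\n00:00:01,000 --> 00:00:02,000\nHello\nWorld\n\n";

/* Append src to dest, never writing past dest[cap - 1]. *used is the current
 * length of the string in dest. Returns 0, or -1 if src does not fit. */
static int append_bounded(char *dest, size_t cap, size_t *used, const char *src)
{
    size_t n = strlen(src);
    if (n >= cap - *used)            /* n bytes plus the NUL must fit */
        return -1;
    memcpy(dest + *used, src, n + 1);
    *used += n;
    return 0;
}

/* Read one block: index, time, then content lines up to a blank line (assumed
 * "condition 2"). Returns content length, or -1 if truncated or too large. */
long read_block(FILE *f, char *dest, size_t cap)
{
    char src[10240];                 /* per-line read size from the pseudo-code */
    size_t used = 0;
    if (cap == 0) return -1;
    dest[0] = '\0';
    if (!fgets(src, sizeof src, f) || !fgets(src, sizeof src, f))
        return -1;                   /* missing index or time line */
    while (fgets(src, sizeof src, f) && src[0] != '\n' && src[0] != '\r')
        if (append_bounded(dest, cap, &used, src) != 0)
            return -1;               /* reject instead of overrunning dest */
    return (long)used;
}

/* Hypothetical driver: run SRT text through read_block with a cap-byte dest. */
long run_on_text(const char *text, size_t cap)
{
    char dest[64];
    FILE *f = cap <= sizeof dest ? tmpfile() : NULL;
    if (!f) return -2;               /* setup failure or cap too large */
    fputs(text, f);
    rewind(f);
    long r = read_block(f, dest, cap);
    fclose(f);
    return r;
}

int main(void)
{
    printf("cap 64: %ld, cap 8: %ld\n", run_on_text(SAMPLE, 64), run_on_text(SAMPLE, 8));
}
```

The comparison uses `>=` so that the terminating NUL is always counted; a block that fills dest exactly to the last byte is still rejected.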
Reference : http://security.bkis.vn/?p=501
PoC : http://security.bkis.vn/wp-content/uploads/2009/04/gom_poc.pl