coolplayer215.txt
Posted on 15 December 2006
Source: packetstormsecurity.org
Affected software: Coolplayer (coolplayer.sourceforge.net)
Versions: <= 215
Discovered by: Mehdi Oudad and Kevin Fernandez, zone-h.fr
The coolplayer authors have been mailed through contact _at/_
daansystems. com on November 15 2005 but we never got any reply. On
November 30 2006 they published a new version that somewhat patches the
flaws.
1) A boundary error exists in the CPL_AddPrefixedFile() function of
CPI_Playlist.c :
    char cFullPath[MAX_PATH];                                  /* MAX_PATH is 260 */
    memcpy(cFullPath, pcPlaylistFile, iPlaylist_VolumeBytes);
    strcpy(cFullPath + iPlaylist_VolumeBytes, pcFilename + 1); /* no length check */
    CPL_AddSingleFile(hPlaylist, cFullPath, pcTitle);
The program copies an input string of up to 512 bytes into a 260-byte buffer
without checking its length. This can be exploited via a malicious playlist
file containing overly long song names.
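The following is an added illustration, not CoolPlayer's code, of how the same prefix-plus-filename join can be done with a length check so that an over-long playlist entry is rejected instead of overflowing the 260-byte buffer. The function names (join_prefixed_path, accept_entry, accept_entry_of_length), the sample playlist path and the entry lengths are assumptions made for the example; MAX_PATH is defined locally only so the block builds outside Windows.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not CoolPlayer's code. MAX_PATH is 260 on Windows; it is
 * defined here so that the example builds on any platform. */
#ifndef MAX_PATH
#define MAX_PATH 260
#endif

/* Length-checked equivalent of the memcpy/strcpy pair quoted in the advisory.
 * Returns 0 on success and -1 if the joined path (including the terminating
 * NUL) would not fit in out_size bytes. On failure out is left empty. */
int join_prefixed_path(char *out, size_t out_size,
                       const char *playlist_file, size_t volume_bytes,
                       const char *filename)
{
    if (out == NULL || out_size == 0) return -1;
    out[0] = '\0';
    if (playlist_file == NULL || filename == NULL) return -1;
    /* The original skips the first character of the entry (pcFilename + 1). */
    if (filename[0] == '\0') return -1;
    const char *rest = filename + 1;
    size_t rest_len = strlen(rest);
    /* The volume prefix must lie inside the source string and the output. */
    if (volume_bytes > strlen(playlist_file)) return -1;
    if (volume_bytes > out_size - 1) return -1;
    if (rest_len > out_size - 1 - volume_bytes) return -1;   /* the missing check */
    memcpy(out, playlist_file, volume_bytes);
    memcpy(out + volume_bytes, rest, rest_len + 1);           /* copies the NUL too */
    return 0;
}

/* Returns 1 if the entry fits into a MAX_PATH buffer, 0 if it is rejected. */
int accept_entry(const char *playlist_file, size_t volume_bytes, const char *entry)
{
    char full_path[MAX_PATH];
    return join_prefixed_path(full_path, sizeof full_path,
                              playlist_file, volume_bytes, entry) == 0;
}

/* Builds a constructed entry of n 'A' bytes and reports whether it is accepted;
 * the prefix is the 3-byte volume "C:\" of a constructed playlist path. */
int accept_entry_of_length(size_t n)
{
    char entry[1024];
    if (n >= sizeof entry) return 0;
    memset(entry, 'A', n);
    entry[n] = '\0';
    return accept_entry("C:\\music\\list.m3u", 3, entry);
}

int main(void)
{
    printf("10-byte entry accepted:  %d\n", accept_entry_of_length(10));
    printf("512-byte entry accepted: %d\n", accept_entry_of_length(512));
    return 0;
}
```

With a 3-byte volume prefix the longest accepted entry is 257 bytes (256 after the skipped first character, plus the prefix, plus the NUL, exactly 260); the 512-byte entry the advisory describes is refused before any copy happens.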
2) A boundary error exists in the main_skin_check_ini_value() function of
skin.c :
    sscanf(textposition, "%s %d %d %d %d %d %d %d %d %d %[^ ]", name, &x,
           &y, &w, &h, &maxw, &x2, &y2, &w2, &h2, tooltip);
The %s conversion carries no field width, so sscanf writes however many
characters the input contains into the fixed-size name buffer. It can be
exploited with a skin file containing overly long button names.
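The following added example, which is not CoolPlayer's code, parses a skin line of the same shape with every string conversion width-limited and rejects lines whose name or tooltip exceeds the destination buffer instead of overflowing it. The struct layout, the buffer sizes (63 and 127 characters) and the helper names parse_skin_button, parse_with_name_length and parse_with_tooltip_length are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not CoolPlayer's code. Field sizes are assumptions. */
#define NAME_MAX_LEN 63
#define TOOLTIP_MAX_LEN 127

struct skin_button {
    char name[NAME_MAX_LEN + 1];
    int x, y, w, h, maxw, x2, y2, w2, h2;
    char tooltip[TOOLTIP_MAX_LEN + 1];
};

/* Parses one line of the form used in the advisory. Every string conversion
 * has a width one less than its buffer, so sscanf can never write past the
 * end. Returns 1 on success, 0 on malformed or over-long input:
 *  - an over-long name stops %63s at 63 characters, and the following %d then
 *    fails on the leftover letters, so fewer than 11 fields are assigned;
 *  - an over-long tooltip is cut at 127 characters; %n records how much of
 *    the line was consumed, and any non-blank remainder means truncation. */
int parse_skin_button(const char *line, struct skin_button *b)
{
    int consumed = 0;
    int n = sscanf(line, "%63s %d %d %d %d %d %d %d %d %d %127[^ \n]%n",
                   b->name, &b->x, &b->y, &b->w, &b->h, &b->maxw,
                   &b->x2, &b->y2, &b->w2, &b->h2, b->tooltip, &consumed);
    if (n != 11) return 0;
    for (const char *p = line + consumed; *p; p++)
        if (*p != ' ' && *p != '\t' && *p != '\r' && *p != '\n') return 0;
    return 1;
}

/* Constructs "<n times 'B'> 1 2 3 4 5 6 7 8 9 tip" and parses it. */
int parse_with_name_length(size_t n)
{
    char line[1024];
    struct skin_button b;
    if (n > 500) return 0;
    memset(line, 'B', n);
    snprintf(line + n, sizeof line - n, " 1 2 3 4 5 6 7 8 9 tip");
    return parse_skin_button(line, &b);
}

/* Constructs "play 1 2 3 4 5 6 7 8 9 <n times 'T'>" and parses it. */
int parse_with_tooltip_length(size_t n)
{
    char line[1024];
    struct skin_button b;
    if (n > 500) return 0;
    int len = snprintf(line, sizeof line, "play 1 2 3 4 5 6 7 8 9 ");
    memset(line + len, 'T', n);
    line[len + n] = '\0';
    return parse_skin_button(line, &b);
}

int main(void)
{
    struct skin_button b;
    /* Constructed sample skin line. */
    int ok = parse_skin_button("play 10 20 30 40 50 60 70 80 90 Play_button", &b);
    printf("valid line: %d (name=%s x=%d tooltip=%s)\n", ok, b.name, b.x, b.tooltip);
    printf("name of 64 chars:     %d\n", parse_with_name_length(64));
    printf("tooltip of 128 chars: %d\n", parse_with_tooltip_length(128));
    return 0;
}
```

The field widths are what turn an overflow into a parse error; the %n check is what keeps a silently truncated tooltip from being accepted as valid skin data.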
3) An error in main_skin_open() of skin.c can be exploited with a skin
file containing overly long bitmap filenames.
Additionally, coolplayer was using an obsolete version of the zlib library,
and the changelog does not say it has been updated.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/