Buffer Overflow Can Occur For Valid CHDs (and malicious CHDs)

rtissera / libchdr

Standalone library for reading MAME's CHDv1-v5 formats.

BSD 3-Clause "New" or "Revised" License

98 stars 42 forks source link

Buffer Overflow Can Occur For Valid CHDs (and malicious CHDs) #118

Open CasualPokePlayer opened 6 months ago

CasualPokePlayer commented 6 months ago

libchdr currently makes an assumption that any compressed hunk can fit within an uncompressed hunk. This assumption can be wrong however for completely valid CHDs, if they were created with low compression levels (as implicitly some internal compression header/footer could be present along with the possibly not very compressed data). It can also be trivially wrong for any maliciously created CHD, since the compressed hunk length is just something read from the hunk map.

rtissera commented 6 months ago

Can you pinpoint the (single or multiple) code vulnerabilities in source tree ?

CasualPokePlayer commented 6 months ago

https://github.com/rtissera/libchdr/blob/0841ba38eeaf145260371bfb045f98ef17172ae0/src/libchdr_chd.c#L2606 size is not bounds checked, chd->compressed should be reallocated accordingly if size exceeds the buffer size.