From: Ian G. <ia...@cy...> - 2002-05-21 20:00:16
On Tue, May 21, 2002 at 04:41:38PM -0300, Miguel Freitas wrote:
> Hi Ian,
>
> Just some comments...
>
> - why do you call this buffer overflow remotely exploitable?

I send you a file with an audio track whose data rate is listed in the headers as being way lower than your sound card is likely to support (say 100 fps or lower). The resampling code would expand that data to match the lowest speed supported by your soundcard. By making that ratio sufficiently large, I should be able to overflow the fixed-size buffer. Once the heap overflow is accomplished, there are known ways that one might go about arranging for exploit code to run. One trickiness is that at least the bootstrap data must be the result of expanding the buffer(!), but similarly interesting restrictions on shellcode have been worked around in the past. In any event, we surely want to simply avoid the overflow.

> - your oss patch looks fine, but just out of curiosity: have you tried the
> probebuffer method?

I haven't. How does it work?

> - I guess the resampling error is usually smoothed by sound card drift
> correction. Nevertheless it might improve playback of mp3 files.

Yes, it might.

- Ian
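The failure mode Ian describes is an output length that grows with the ratio of card rate to header rate while the destination buffer does not. The following is an added illustration written for this archive, not code from Ian's patch or from the project: it computes the resampled length from the two rates with overflow-checked arithmetic and refuses to write when that length exceeds the caller's buffer. The resampler is a simple nearest-neighbour one and the buffer size OUT_CAPACITY is an assumed value, chosen only to make the check visible.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed capacity of a fixed-size output buffer; not a value from the project. */
#define OUT_CAPACITY 4096

/* Number of output samples a resampler emits for in_samples converted from
 * in_rate to out_rate. Returns -1 on a zero rate or on arithmetic overflow,
 * so a hostile header rate cannot wrap the length computation itself. */
long resample_out_len(size_t in_samples, unsigned in_rate, unsigned out_rate)
{
    if (in_rate == 0 || out_rate == 0)
        return -1;
    /* in_samples * out_rate must not overflow size_t. */
    if (in_samples > SIZE_MAX / out_rate)
        return -1;
    size_t n = in_samples * out_rate / in_rate;
    if (n > (size_t)LONG_MAX)
        return -1;
    return (long)n;
}

/* Nearest-neighbour resample of 16-bit mono samples into a fixed-size buffer.
 * Returns the number of samples written, or -1 if the required output would
 * not fit in out_capacity. The length is validated before any sample is
 * written, which is the check the unbounded expansion in the thread lacks. */
long resample_checked(const int16_t *in, size_t in_samples, unsigned in_rate,
                      int16_t *out, size_t out_capacity, unsigned out_rate)
{
    long n = resample_out_len(in_samples, in_rate, out_rate);
    if (n < 0 || (size_t)n > out_capacity)
        return -1;
    for (size_t i = 0; i < (size_t)n; i++) {
        /* i * in_rate <= in_samples * out_rate, already known to fit. */
        size_t src = i * in_rate / out_rate;
        if (src >= in_samples)
            src = in_samples - 1;
        out[i] = in[src];
    }
    return n;
}

/* Convenience wrapper for a caller holding an OUT_CAPACITY-sample buffer:
 * reports whether a header-declared in_rate can be expanded to out_rate
 * for the given chunk without overrunning that buffer. */
int chunk_fits_fixed_buffer(size_t in_samples, unsigned in_rate, unsigned out_rate)
{
    long n = resample_out_len(in_samples, in_rate, out_rate);
    return n >= 0 && (size_t)n <= OUT_CAPACITY;
}
```

With a header rate of 100 and a card rate of 44100, even a 100-sample chunk needs 44100 output samples, so chunk_fits_fixed_buffer returns 0 and resample_checked returns -1 instead of writing past the buffer; a 22050 to 44100 conversion of the same chunk yields 200 samples and is accepted.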