Short description: Multiple buffer overflows in validation of external data
Related bug reports:
Patches: (sometimes more fuzz is needed to apply them)
- For version 0.3.1 up to including 0.4.0.1
- For version 0.4.5 up to including 0.4.8
- For version 0.5.0 up to including 0.5.3
- For version 0.6.0 up to including 0.6.3
- For version 0.7.0 up to including 0.7.5
- For version 1.0.0 up to including 1.0.5
- For version 1.1.0 up to including 1.1.2
In multiple places external data isn’t properly checked before allocating memory, which could lead to buffer overflows and arbitrary code execution.
These bugs are only exploitable locally by providing OpenTTD with invalid/manipulated images, sounds or fonts. This means an attacker either needs local access or has to trick an user into loading a manipulated image into OpenTTD. This is especially a concern with BMP files loaded as heightmaps.
All except one vulnerability are caused by improper validation of input data prior to allocating memory buffers. It is possible to force allocation of a too small buffer and thus out-of-bounds writes by causing an integer overflow. Additionally in RLE-compressed BMP images, it is possible to write arbitrary data outside the allocated buffer.
No patch for releases before 0.3.1 is provided, as this versions are unsupported since a long time and would require larger changes not worth the effort.