Subject: fix for vulnerability CVE-2011-3343 for OpenTTD 0.4.5 - 0.4.8 (Multiple buffer overflows in validation of external data) From: OpenTTD developer team Origin: backport, https://github.com/OpenTTD/OpenTTD/commit/6c7cbb1 https://github.com/OpenTTD/OpenTTD/commit/65637d8 https://github.com/OpenTTD/OpenTTD/commit/73624ab Bug: https://github.com/OpenTTD/OpenTTD/issues/4746 https://github.com/OpenTTD/OpenTTD/issues/4747 In multiple places external data isn’t properly checked before allocating memory, which could lead to buffer overflows and arbitrary code execution. These bugs are only exploitable locally by providing OpenTTD with invalid/manipulated images, sounds or fonts. This means an attacker either needs local access or has to trick an user into loading a manipulated image into OpenTTD. This is especially a concern with BMP files loaded as heightmaps. All except one vulnerability are caused by improper validation of input data prior to allocating memory buffers. It is possible to force allocation of a too small buffer and thus out-of-bounds writes by causing an integer overflow. Additionally in RLE-compressed BMP images, it is possible to write arbitrary data outside the allocated buffer. No patch for releases before 0.3.1 is provided, as this versions are unsupported since a long time and would require larger changes not worth the effort. diff --git sound.c sound.c index 4e3a463..1bd1616 100644 --- sound.c +++ sound.c @@ -109,7 +109,8 @@ static bool SetBankSource(MixerChannel *mc, uint bank) if (bank >= _file_count) return false; fe = &_files[bank]; - if (fe->file_size == 0) return false; + /* Check for valid sound size. */ + if (fe->file_size == 0 || fe->file_size > ((size_t)-1) - 2) return false; mem = malloc(fe->file_size); if (mem == NULL) return false;
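Review bot: the new bound `fe->file_size > ((size_t)-1) - 2` guards against `file_size + 2` wrapping, but nothing in the hunk says where the two extra bytes come from; the `malloc(fe->file_size)` that follows allocates exactly `file_size`, so the `+ 2` must belong to a later allocation or copy outside this context. The comment `/* Check for valid sound size. */` should name that reason, and the limit is clearer written with `SIZE_MAX` from `<stdint.h>` than with the `((size_t)-1)` idiom, e.g. `if (fe->file_size == 0 || fe->file_size > SIZE_MAX - 2) return false;`.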
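The description above names the shared root cause of these bugs: a size derived from untrusted file data is used to allocate a buffer without first checking that the arithmetic producing it cannot wrap. The following is an added example, not OpenTTD code, showing the checked-arithmetic pattern the patch applies. `sound_size_ok` mirrors the bound in the hunk (it assumes, as the hunk implies, that two bytes are appended to `file_size` somewhere after the allocation), and `pixel_buffer_size` is a hypothetical width * height * bytes-per-pixel computation of the kind an image loader would perform before `malloc`; both reject any input whose size would wrap `size_t` instead of silently producing a too-small buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Multiply without wrapping: fails instead of returning a truncated product. */
static bool checked_mul(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a) return false;
    *out = a * b;
    return true;
}

/* Add without wrapping: fails instead of returning a truncated sum. */
static bool checked_add(size_t a, size_t b, size_t *out)
{
    if (b > SIZE_MAX - a) return false;
    *out = a + b;
    return true;
}

/* Mirror of the patch's check (assumption: two bytes are appended to the
 * sound data after allocation, so file_size + 2 must not wrap). */
bool sound_size_ok(size_t file_size)
{
    return file_size != 0 && file_size <= SIZE_MAX - 2;
}

/* Hypothetical image-loader size computation:
 *   width * height * bytes_per_pixel + extra
 * Returns 0 when any dimension is 0 or the result would wrap; a valid
 * result is always >= 1 because every factor is non-zero. */
size_t pixel_buffer_size(size_t width, size_t height, size_t bpp, size_t extra)
{
    size_t pixels, bytes, total;
    if (width == 0 || height == 0 || bpp == 0) return 0;
    if (!checked_mul(width, height, &pixels)) return 0;
    if (!checked_mul(pixels, bpp, &bytes)) return 0;
    if (!checked_add(bytes, extra, &total)) return 0;
    return total;
}

/* Allocate only after the size has been validated; NULL on rejection. */
void *alloc_pixel_buffer(size_t width, size_t height, size_t bpp, size_t extra)
{
    size_t n = pixel_buffer_size(width, height, bpp, extra);
    if (n == 0) return NULL;
    return malloc(n);
}
```

The point of returning a failure code rather than a wrapped value is that the caller never reaches `malloc` with a size smaller than the data it is about to write; an attacker-chosen header that would have produced a tiny allocation is rejected before any memory is touched.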