That buffer can't be overflowed: "header" is 128 bytes long:

    #define NSF_HEADER_SIZE 0x80
    [..]
    if (this->input->read(this->input, header, NSF_HEADER_SIZE) != NSF_HEADER_SIZE)
        return 0;

and copyright can't be more than 50 bytes:

    this->copyright = strdup(&header[0x4E]);

laurent.gaffie@xxxxxxxxx wrote:
> Hi there
>
> Original advisory: http://milw0rm.com/exploits/5458
>
> There's another stack-based buffer overflow in demux_nfs.c
>
> line 111:
>     this->copyright = strdup(&header[0x4E]);
> line 189:
>     char copyright[100];
> line 208:
>     sprintf(copyright, "(C) %s", this->copyright);
>
> Regards
> Laurent Gaffié
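The size arithmetic the reply relies on, as an added example that is not code from the thread or from xine: the header is 0x80 bytes and the copyright field starts at 0x4E, so at most 50 bytes can precede the end of the header, and "(C) " plus 50 bytes is 54, well inside char copyright[100]. The helper names are assumptions; copy_copyright is a strndup-style stand-in for the strdup call that also stops at the end of the header when the field carries no terminator.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NSF_HEADER_SIZE      0x80  /* 128-byte header, as quoted in the reply */
#define NSF_COPYRIGHT_OFFSET 0x4E  /* strdup(&header[0x4E]) */
#define COPYRIGHT_BUF_SIZE   100   /* char copyright[100] from the report */

/* Upper bound on the copyright string: bytes 0x4E..0x7F of the header,
 * i.e. 0x80 - 0x4E = 50. */
size_t max_copyright_len(void) {
    return NSF_HEADER_SIZE - NSF_COPYRIGHT_OFFSET;
}

/* Hypothetical bounded replacement for strdup(&header[0x4E]): stops at the
 * end of the header even if the field carries no NUL, so the copy can
 * never exceed max_copyright_len(). Caller frees the result. */
char *copy_copyright(const unsigned char *header) {
    const char *field = (const char *)header + NSF_COPYRIGHT_OFFSET;
    size_t max = max_copyright_len(), len = 0;
    while (len < max && field[len] != '\0')
        len++;
    char *out = malloc(len + 1);
    if (!out) return NULL;
    memcpy(out, field, len);
    out[len] = '\0';
    return out;
}

/* "(C) %s" with snprintf instead of sprintf; returns the length the
 * format needed, which the caller compares against buflen. */
int format_copyright(const char *copyright, char *buf, size_t buflen) {
    return snprintf(buf, buflen, "(C) %s", copyright);
}

/* Constructed sample: a zeroed header whose copyright field holds `text`
 * (truncated to 50 bytes, so a 60-byte field is the worst case). Returns
 * the formatted length: 4 for "(C) " plus at most 50, i.e. at most 54 < 100. */
int formatted_len_for(const char *text) {
    unsigned char header[NSF_HEADER_SIZE] = {0};
    size_t n = strlen(text), max = max_copyright_len();
    memcpy(header + NSF_COPYRIGHT_OFFSET, text, n > max ? max : n);
    char *c = copy_copyright(header);
    if (!c) return -1;
    char buf[COPYRIGHT_BUF_SIZE];
    int len = format_copyright(c, buf, sizeof buf);
    free(c);
    return len;
}
```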