CVE-2011-3343 (vulnerable 0.1.0 - fixed 1.1.3)
Short description: Multiple buffer overflows in validation of external data
Official CVE-2011-3343 entry at cve.mitre.org.
Related bug reports:
Related commits:
Patches: (sometimes more fuzz is needed to apply them)
- For version 0.3.1 up to including 0.4.0.1
- For version 0.4.5 up to including 0.4.8
- For version 0.5.0 up to including 0.5.3
- For version 0.6.0 up to including 0.6.3
- For version 0.7.0 up to including 0.7.5
- For version 1.0.0 up to including 1.0.5
- For version 1.1.0 up to including 1.1.2
In multiple places external data isn't properly checked before allocating
memory, which could lead to buffer overflows and arbitrary code execution.
These bugs are only exploitable locally by providing OpenTTD with
invalid/manipulated images, sounds or fonts. This means an attacker
either needs local access or has to trick a user into loading a
manipulated image into OpenTTD. This is especially a concern with
BMP files loaded as heightmaps.
All except one vulnerability are caused by improper validation of input
data prior to allocating memory buffers. By causing an integer overflow in
the size computation, it is possible to force allocation of a too small
buffer and thus out-of-bounds writes. Additionally, in RLE-compressed BMP
images it is possible to write arbitrary data outside the allocated buffer.
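The two defects described above, an allocation size that wraps and an RLE decoder that trusts the run lengths and cursor jumps in the file, are shown below in an added C example that is not OpenTTD's code. It contrasts the wrapping 32-bit size computation with an overflow-checked one, and implements a bounds-checked BMP RLE8 decoder (encoded runs, end-of-line, end-of-bitmap, delta and absolute mode) that refuses any write outside the buffer sized by that check. The function names and the sample RLE8 streams are constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Size computation in 32-bit arithmetic: the product wraps silently, so a
 * crafted header can yield a small allocation while the pixel data is huge. */
uint32_t unchecked_size(uint32_t width, uint32_t height, uint32_t bpp_bytes)
{
    return width * height * bpp_bytes;
}

/* Overflow-safe size computation. Returns 0 if the dimensions are degenerate
 * or the byte count would not fit in size_t; the caller must then refuse the image. */
size_t checked_image_size(uint32_t width, uint32_t height, uint32_t bpp_bytes)
{
    if (width == 0 || height == 0 || bpp_bytes == 0) return 0;
    uint64_t pixels = (uint64_t)width * height;   /* two 32-bit factors fit in 64 bits */
    if (pixels > (uint64_t)SIZE_MAX / bpp_bytes) return 0;
    return (size_t)(pixels * bpp_bytes);
}

/* Decode BMP RLE8 pixel data into a width*height buffer that the caller sized
 * with checked_image_size(). Run lengths and delta jumps from the file are never
 * trusted: every write is checked against the current row and the image height.
 * Returns true only if the stream ends with a well-formed end-of-bitmap code. */
bool decode_rle8(const uint8_t *src, size_t src_len, uint8_t *dst,
                 uint32_t width, uint32_t height)
{
    size_t x = 0, y = 0, i = 0;
    memset(dst, 0, (size_t)width * height);       /* unwritten pixels stay index 0 */

    while (i + 1 < src_len) {
        uint8_t count = src[i++];
        uint8_t value = src[i++];

        if (count > 0) {                          /* encoded mode: repeat value */
            if (y >= height || count > width - x) return false;
            memset(dst + y * width + x, value, count);
            x += count;
            continue;
        }
        switch (value) {
        case 0:                                   /* end of line */
            if (y >= height) return false;
            x = 0;
            y++;
            break;
        case 1:                                   /* end of bitmap */
            return true;
        case 2: {                                 /* delta: move cursor by (dx, dy) */
            if (i + 1 >= src_len) return false;
            uint8_t dx = src[i++];
            uint8_t dy = src[i++];
            if (dx > width - x || dy > height - y) return false;
            x += dx;
            y += dy;
            break;
        }
        default: {                                /* absolute mode: 'value' literal bytes */
            size_t n = value;
            size_t padded = (n + 1) & ~(size_t)1; /* literal run is 16-bit aligned */
            if (i + padded > src_len) return false;
            if (y >= height || n > width - x) return false;
            memcpy(dst + y * width + x, src + i, n);
            x += n;
            i += padded;
            break;
        }
        }
    }
    return false;                                 /* truncated: no end-of-bitmap code */
}

/* Constructed 4x2 RLE8 stream (not taken from any real file): row 0 is one 7
 * followed by the literal bytes 10, 11, 12; row 1 skips one pixel, then three 9s. */
static const uint8_t SAMPLE_RLE[] = {
    0x01, 0x07,                         /* run: 1 x 7 */
    0x00, 0x03, 0x0A, 0x0B, 0x0C, 0x00, /* absolute: 3 literal bytes + 1 pad byte */
    0x00, 0x00,                         /* end of line */
    0x00, 0x02, 0x01, 0x00,             /* delta dx=1, dy=0 */
    0x03, 0x09,                         /* run: 3 x 9 */
    0x00, 0x01                          /* end of bitmap */
};

/* Decode the sample and return pixel idx (row-major), or -1 on failure. */
int sample_pixel(size_t idx)
{
    uint8_t out[4 * 2];
    if (!decode_rle8(SAMPLE_RLE, sizeof SAMPLE_RLE, out, 4, 2)) return -1;
    return idx < sizeof out ? out[idx] : -1;
}

/* Two constructed malformed streams the checks must reject: a run longer than
 * the row, and a delta that jumps outside the image. */
bool malformed_rejected(void)
{
    static const uint8_t long_run[]  = { 0x05, 0x07, 0x00, 0x01 };
    static const uint8_t bad_delta[] = { 0x00, 0x02, 0xFF, 0xFF, 0x00, 0x01 };
    uint8_t out[4 * 2];
    return !decode_rle8(long_run, sizeof long_run, out, 4, 2) &&
           !decode_rle8(bad_delta, sizeof bad_delta, out, 4, 2);
}
```

The decoder keeps the invariants x <= width and y <= height at every step, so the subtractions in the checks cannot underflow and an end-of-line code on the last row followed by end-of-bitmap is still accepted as well-formed input.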
No patch for releases before 0.3.1 is provided, as these versions have been
unsupported for a long time and would require larger changes that are not
worth the effort.
