3dbrew

3DS Userland Flaws: Difference between revisions

← Older editNewer edit →
Nedwill (talk | contribs)
3 edits
No edit summary
Nedwill (talk | contribs)
3 edits
No edit summary
Line 183: Line 183:
|-
|-
| [[Nintendo 3DS Sound]]
| [[Nintendo 3DS Sound]]
| "A heap overflow in tag processing leads to code execution when a specially- crafted m4a file is loaded by Nintendo 3DS Sound." (description from soundhax's github readme)
| When a .m4a is loaded, the song name is copied to a 256 byte buffer. When the song name begins with a Unicode BOM marker, it memcpy's the tag using the user-provided length. This gives an arbitrary write which can be used to achieve ROP.
| None
| None
| [[11.2.0-35]]
| [[11.2.0-35]]
Retrieved from "https://www.3dbrew.org/wiki/3DS_Userland_Flaws"