39
edits
Changes
Jump to navigation
Jump to search
mLine 183:
Line 183: − + Line 189:
Line 189: − + Line 195:
Line 195: − + Line 201:
Line 201: − + Line 207:
Line 207: − + Line 213:
Line 213: − +
no edit summary
| KFH frame count overflow
| KFH frame count overflow
| The KFH frame count field should not be >= 0x3E8, but it wasn't checked and so uncontrolled data were written over pointers, causing an unexploitable crash.
| The KFH frame count field should not be >= 0x3E8, but it wasn't checked and so uncontrolled data were written over pointers, causing an unexploitable crash.
| 11.6
| System: 11.6
| September 20, 2017
| September 20, 2017
| [[User:Nba_Yoh|MrNbaYoh]]
| [[User:Nba_Yoh|MrNbaYoh]]
| KMI paper color overflow
| KMI paper color overflow
| Paper color field (and similar color fields) in KMI chunks was not checked, a too high value caused a jump to an uncontrolled location.
| Paper color field (and similar color fields) in KMI chunks was not checked, a too high value caused a jump to an uncontrolled location.
| 11.6
| System: 11.6
| September 20, 2017
| September 20, 2017
| [[User:Nba_Yoh|MrNbaYoh]]
| [[User:Nba_Yoh|MrNbaYoh]]
| KSN BGM data size overflow
| KSN BGM data size overflow
| The size of the BGM data in the KSN chunk was not checked, it was used in a memcpy so with a big enough size one could overwrite a thread stack on linear mem and achieve ROP (notehax v1).
| The size of the BGM data in the KSN chunk was not checked, it was used in a memcpy so with a big enough size one could overwrite a thread stack on linear mem and achieve ROP (notehax v1).
| 11.6
| System: 11.6
| September 20, 2017
| September 20, 2017
| [[User:Nba_Yoh|MrNbaYoh]]
| [[User:Nba_Yoh|MrNbaYoh]]
| KMC chunk unchecked
| KMC chunk unchecked
| The KMC chunk was not verified at all, the CRC32 and the size were not checked. A big enough size caused an integer overflow and made the game read the file backward.
| The KMC chunk was not verified at all, the CRC32 and the size were not checked. A big enough size caused an integer overflow and made the game read the file backward.
| 11.6
| System: 11.6
| September 20, 2017
| September 20, 2017
| [[User:Nba_Yoh|MrNbaYoh]]
| [[User:Nba_Yoh|MrNbaYoh]]
| KMI layer size unchecked
| KMI layer size unchecked
| The 3 layer size fields in KMI chunks were not checked, leading to some crashes in the editor.
| The 3 layer size fields in KMI chunks were not checked, leading to some crashes in the editor.
| 11.6
| System: 11.6
| September 20, 2017
| September 20, 2017
| [[User:Nba_Yoh|MrNbaYoh]]
| [[User:Nba_Yoh|MrNbaYoh]]
| Bad "queue" implementation
| Bad "queue" implementation
| When a KWZ was parsed, frames were copied in a kind of queue, bounds were not checked obviously, so with the KMI layer size flaw one was able to fill completely the queue, then write past the buffer and overwrite a heap chunk header (notehax v2). This is not possible anymore, the queue cannot be filled because layer sizes are checked. Moreover each time an element is removed from the queue, the whole content is memmoved *facepalm*.
| When a KWZ was parsed, frames were copied in a kind of queue, bounds were not checked obviously, so with the KMI layer size flaw one was able to fill completely the queue, then write past the buffer and overwrite a heap chunk header (notehax v2). This is not possible anymore, the queue cannot be filled because layer sizes are checked. Moreover each time an element is removed from the queue, the whole content is memmoved *facepalm*.
| 11.6
| System: 11.6
| September 20, 2017
| September 20, 2017
| [[User:Nba_Yoh|MrNbaYoh]]
| [[User:Nba_Yoh|MrNbaYoh]]