Date: Wed, 12 May 1999 13:02:43 +0200
From: Wojtek Kaniewski
To: BUGTRAQ@netspace.org
Subject: Buffer overflow in WinAMP 2.x

Introduction
------------

WinAMP is a popular Windows sound player with support for many file
formats (MP3, wave files, modules). It also supports MP3 streaming
(let's call it sh0utcast).

Description of the problem
--------------------------

If we tell WinAMP to open file location (Ctrl+L) which is over 256 bytes
long, it'll produce nice GPF. The bug also appears when loading playlists
(.m3u and .pls)

What can we do with this bug?
-----------------------------

Many sh0utcast radios place .pls files on their websites, which contain
URL for radio's sh0utcast server. If we'll make b00m.pls file like this...

  [playlist]
  NumberOfEntries=1
  File1=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA... (about 256 A's)

and put such link...

  Techno explosion -- The Coolest MP3 Radio

on our website, we can make couple of WinAMPs crash. I suppose, that
there's a possibility to put our own code in the filename (see cDc-351
for details).

Nullsoft (producer of WinAMP) has been noticed about the bug two versions
ago.

--
wojtekka@irc.pl :: http://wojtekka.stone.pl/ :: ^wojtekka@ircnet

-----------------------------------------------------------------------

Date: Fri, 14 May 1999 15:56:28 -0400
From: William Yodlowsky
To: BUGTRAQ@netspace.org
Subject: Re: Buffer overflow in WinAMP 2.x

Tested on WinAMP v2.091 on Win95A and Win95B; v2.21 on Win98; v1.9? and
v2.21 on WinNT 4.0WS

It produced GPFs on all except WinNT, where it opened but simply didn't
play.

--Bill

On Wed, 12 May 1999, Wojtek Kaniewski wrote:

-----------------------------------------------------------------------

Date: Mon, 17 May 1999 03:40:48 +0100
From: Jello Biafra
To: BUGTRAQ@netspace.org
Subject: Re: Buffer overflow in WinAMP 2.x

On NT Server 4 with no Service Packs installed, this causes an
application error. Platform is a Cyrix MMX 233.

Access Violation (0xc0000005), Address : 0x62626262
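
-----------------------------------------------------------------------

Added example, not part of the original Bugtraq posts: a defender-side
check that scans .pls and .m3u playlist bodies for entries longer than the
256 bytes the first report names as the trigger. The function names, the
simplified parsing and the sample playlists are assumptions constructed
for illustration.

```python
# Added example: flag playlist entries long enough to hit the overflow
# described in the thread. MAX_LOCATION_BYTES comes from the report
# ("over 256 bytes"); function names and sample data are constructed.
import re

MAX_LOCATION_BYTES = 256
_PLS_FILE_KEY = re.compile(r"^\s*File(\d+)\s*=(.*)$", re.IGNORECASE)


def playlist_entries(text, kind):
    """Yield (line_number, location) for each entry in a .pls or .m3u body."""
    in_playlist = False
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if kind == "m3u":
            if not line.startswith("#"):      # '#' lines are comments/EXTINF
                yield lineno, line
            continue
        if line.startswith("["):              # .pls is INI-style
            in_playlist = line.lower() == "[playlist]"
            continue
        match = _PLS_FILE_KEY.match(line)
        if in_playlist and match:
            yield lineno, match.group(2).strip()


def oversized_entries(text, kind, limit=MAX_LOCATION_BYTES):
    """Return [(line_number, byte_length)] for entries longer than limit."""
    findings = []
    for lineno, location in playlist_entries(text, kind):
        size = len(location.encode("utf-8", errors="replace"))
        if size > limit:
            findings.append((lineno, size))
    return findings


# Constructed samples: one benign playlist, two with an overlong entry.
BENIGN_PLS = "[playlist]\nNumberOfEntries=1\nFile1=http://radio.example:8000/\n"
OVERLONG_PLS = "[playlist]\nNumberOfEntries=1\nFile1=" + "A" * 300 + "\n"
OVERLONG_M3U = "#EXTM3U\nhttp://radio.example:8000/\n" + "A" * 257 + "\n"

if __name__ == "__main__":
    for name, body, kind in [("benign.pls", BENIGN_PLS, "pls"),
                             ("overlong.pls", OVERLONG_PLS, "pls"),
                             ("overlong.m3u", OVERLONG_M3U, "m3u")]:
        print(name, oversized_entries(body, kind) or "ok")
```

A web proxy or mail gateway could run such a check on downloaded playlists
before they reach the player; the durable fix is bounds checking in the
player itself.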