Changes

1,495 bytes added, 22:40, 24 April 2016
supermysterychunkhax and GTI investigated bounds
Line 44: Line 44:  
| See [[smashbroshax|here]].
 
| See [[smashbroshax|here]].
 
| [[User:Yellows8|Yellows8]]
 
| [[User:Yellows8|Yellows8]]
 +
|-
 +
| Pokemon Super Mystery Dungeon
 +
| Heap overflow within linear memory via unchecked save file length
 +
| Pokemon Super Mystery Dungeon uses zlib compression for most of its save files, possibly due to the save files being larger than it's predecessor, Gates to Infinity. When a save file is being prepared to be loaded and read from, only a 0x32000 large buffer is allocated for file reading, and a 0x3e800-large buffer for decompression is also allocated before the file is read. However, the game does not limit the size of the file read to this allocation bound, allowing for the file to overflow into the linear memory heap and into the next allocation. Since Pokemon Super Mystery Dungeon stores allocation memchunks directly before the allocation, overwriting the next memchunk with a corrupted one allows for arbitrary writes of linear heap pointers when the next buffer is allocated or arbitrary writes of any pointer within writable memory when the corrupted buffer is freed.
 +
| None
 +
| [[10.7.0-32]].
 +
| Time of exploit release.
 +
| April 14, 2016
 +
| [[User:Shinyquagsire23|Shiny Quagsire]]
 
|}
 
|}
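Review bot: the description in the new row gives the two allocation sizes (a 0x32000 read buffer and a 0x3e800 decompression buffer) and says the read is not limited to that bound, but it never states the missing check itself; for a flaws table one clause naming it would help, e.g. "the read length is not clamped to the 0x32000 allocation and the compressed/decompressed sizes are not validated against the buffers before the copy", so a reader can see at a glance what a correct implementation does differently. Two style points in the same row: "it's predecessor" should be "its predecessor", and the "[[10.7.0-32]]." cell carries a trailing period that the neighbouring cells ("None", "April 14, 2016") do not. The cell reading "Time of exploit release." is not a date and only makes sense as a cross-reference to the "April 14, 2016" cell that follows it; if that column expects a timeframe, repeating the explicit date (or saying "same as public disclosure") would make the row self-contained.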
   Line 54: Line 63:     
* "The Legend of Zelda: A Link Between Worlds" and "The Legend of Zelda: Tri Force Heroes": these games don't crash at all when the entire save-file(minus constant header data) is overwritten with /dev/random output / 0xFF-bytes. All of the CRC32s were updated for this of course.
 
* "The Legend of Zelda: A Link Between Worlds" and "The Legend of Zelda: Tri Force Heroes": these games don't crash at all when the entire save-file(minus constant header data) is overwritten with /dev/random output / 0xFF-bytes. All of the CRC32s were updated for this of course.
 +
 +
* Pokemon Mystery Dungeon: Gates to Infinity has the same unchecked file bounds as Pokemon Super Mystery Dungeon, however since save compression was introduced in Pokemon Super Mystery Dungeon, it only allocates one buffer within the application heap instead of several within the linear heap, resulting in nothing to corrupt or overwrite even if the file's length is extended past it's allocation.
    
==Crashes needing investigation==
 
==Crashes needing investigation==
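Review bot: the added bullet's conclusion that there is "nothing to corrupt or overwrite" does not follow from the reason the line gives for it (one buffer in the application heap instead of several in the linear heap): a read that runs past a single allocation still writes into whatever follows that allocation in the application heap, so the note should say why that is harmless in Gates to Infinity (for example, what sits after the buffer, or whether the read is capped elsewhere before it reaches anything else) or soften the claim to "no useful target was found". Two style points: "it's allocation" should be "its allocation", and the two blank added lines before the bullet leave a double blank line in the list, where the spacing between the existing bullets uses one.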