Line 115:
Line 115:
| Around July 15, 2016
| Around July 15, 2016
| [[User:Nba_Yoh|MrNbaYoh]], Vegaroxas
| [[User:Nba_Yoh|MrNbaYoh]], Vegaroxas
+
|-
+
| 1001 Spikes
+
| Buffer overflow via unchecked array-indexes in XML savefile parsing
+
| The savefiles are stored as renamed .xml files, which contain several tags with attributes like 'array-index="array-value"', where both of these are converted from ASCII strings to integers as signed-int32, and the array-value given blindly written to an array inside a structure using the (unchecked) index given. With several of these attributes, one can overwrite the stack starting from the stored lr of the function that does this parsing, and write a ROP chain there. Testing used the "LevelAttempts" tag which is the last such tag parsed in that function.
+
| None
+
| App: v1.2.0 (TMD v2096)
+
| December 27, 2016
+
| Around November 2, 2016
+
| [[User:Riley|Riley]]
|}
|}