Changes

Jump to navigation Jump to search
754 bytes added ,  18:41, 27 December 2016
no edit summary
Line 115: Line 115:  
| Around July 15, 2016
 
| Around July 15, 2016
 
| [[User:Nba_Yoh|MrNbaYoh]], Vegaroxas
 
| [[User:Nba_Yoh|MrNbaYoh]], Vegaroxas
 +
|-
 +
| 1001 Spikes
 +
| Buffer overflow via unchecked array-indexes in XML savefile parsing
 +
| The savefiles are stored as renamed .xml files, which contain several tags with attributes like 'array-index="array-value"', where both of these are converted from ASCII strings to integers as signed-int32, and the array-value given blindly written to an array inside a structure using the (unchecked) index given. With several of these attributes, one can overwrite the stack starting from the stored lr of the function that does this parsing, and write a ROP chain there. Testing used the "LevelAttempts" tag which is the last such tag parsed in that function.
 +
| None
 +
| App: v1.2.0 (TMD v2096)
 +
| December 27, 2016
 +
| Around November 2, 2016
 +
| [[User:Riley|Riley]]
 
|}
 
|}
  
39

edits

Navigation menu