| September 20, 2017
| [[User:Nba_Yoh|MrNbaYoh]]
|-
| Unholy Heights
| Buffer overflow via unchecked string size
| The game stores some UTF-16 messages in the savefile. Right before each message is its length (u32); the game uses this size to memcpy the message from the savefile onto the stack without checking it. This allows one to overwrite some function addresses on the stack and form a ROP chain.
| None
| App: Initial Version
| September 13, 2018
| August, 2018
| Kartik
|}
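The defect described in the row above is a length-prefixed record whose declared size is trusted on the way into a fixed stack buffer. The following C is an added example, not code from this wiki page or from the game: it shows the unchecked pattern beside a reader that validates the u32 length against the destination capacity, the bytes actually remaining in the file, and UTF-16 alignment before it copies anything. The record layout (little-endian u32 byte length followed by UTF-16LE code units), the 32-unit buffer size and the sample savefile bytes are all constructed assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed capacity of the fixed stack buffer, in UTF-16 code units. */
#define MSG_BUF_UNITS 32

enum msg_status {
    MSG_OK = 0,
    MSG_ERR_TRUNCATED = -1,   /* declared length runs past the end of the savefile */
    MSG_ERR_TOO_LONG = -2,    /* declared length exceeds the destination buffer */
    MSG_ERR_ODD_LENGTH = -3,  /* UTF-16 payload must be a whole number of code units */
    MSG_ERR_NO_HEADER = -4    /* fewer than 4 bytes left for the length field */
};

/* Little-endian u32 read (the record format itself is an assumption). */
uint32_t read_u32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The pattern the row describes: the length from the file drives memcpy into a
 * fixed buffer with no check, so any record longer than the buffer overruns it.
 * Shown for contrast only; it must never see untrusted input. */
size_t copy_message_unchecked(const uint8_t *rec, uint16_t out[MSG_BUF_UNITS])
{
    uint32_t len = read_u32le(rec);
    memcpy(out, rec + 4, len);            /* unbounded copy: the bug */
    return len / 2;
}

/* Hardened reader. On success the code units are in out, their count in
 * *units_out. Every rejection happens before a single byte is copied. */
enum msg_status read_message_checked(const uint8_t *save, size_t save_len, size_t off,
                                     uint16_t out[MSG_BUF_UNITS], size_t *units_out)
{
    if (off > save_len || save_len - off < 4)
        return MSG_ERR_NO_HEADER;
    uint32_t len = read_u32le(save + off);
    if (len % 2 != 0)
        return MSG_ERR_ODD_LENGTH;
    if (len > sizeof(uint16_t) * MSG_BUF_UNITS)
        return MSG_ERR_TOO_LONG;              /* would overrun the stack buffer */
    if (len > save_len - off - 4)
        return MSG_ERR_TRUNCATED;             /* would read past the file */
    memcpy(out, save + off + 4, len);         /* bounded by both checks above */
    *units_out = len / 2;
    return MSG_OK;
}

/* Constructed sample savefile fragment: "Hi" as UTF-16LE, followed by a record
 * whose declared length (1000 bytes) exceeds both the buffer and the file. */
static const uint8_t sample_save[] = {
    0x04, 0x00, 0x00, 0x00,  0x48, 0x00, 0x69, 0x00,   /* len=4, "Hi" */
    0xE8, 0x03, 0x00, 0x00,  0x41, 0x00                /* len=1000, 2 payload bytes */
};

int main(void)
{
    uint16_t buf[MSG_BUF_UNITS];
    size_t units = 0;
    enum msg_status s = read_message_checked(sample_save, sizeof sample_save, 0, buf, &units);
    printf("record 0: status %d, %zu code units\n", (int)s, units);
    s = read_message_checked(sample_save, sizeof sample_save, 8, buf, &units);
    printf("record 1: status %d (rejected before any copy)\n", (int)s);
    return 0;
}
```

The order of the checks matters: the capacity test comes before the remaining-bytes test so that a corrupt length such as 0xFFFFFFFF is rejected for the right reason, and `save_len - off - 4` is only evaluated after the header check guarantees it cannot underflow.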