Affected software: Coolplayer (coolplayer.sourceforge.net)
Versions: <= 215
Discovered by: Mehdi Oudad and Kevin Fernandez, zone-h.fr

The Coolplayer authors have been mailed through contact _\at/_ daansystems.com on November 15, 2005, but we never got any reply. On November 30, 2006 they published a new version that somewhat patches the flaws.

1) A boundary error exists in the CPL_AddPrefixedFile() function of CPI_Playlist.c:

    char cFullPath[MAX_PATH];
    memcpy(cFullPath, pcPlaylistFile, iPlaylist_VolumeBytes);
    strcpy(cFullPath + iPlaylist_VolumeBytes, pcFilename + 1);
    CPL_AddSingleFile(hPlaylist, cFullPath, pcTitle);

The program tries to put a 512-byte input string into a 260-byte buffer (MAX_PATH). This can be exploited via a malicious playlist file containing overly long song names.

2) A boundary error exists in the main_skin_check_ini_value() function of skin.c:

    sscanf(textposition, "%s %d %d %d %d %d %d %d %d %d %[^\0]",
           name, &x, &y, &w, &h, &maxw, &x2, &y2, &w2, &h2, tooltip);

It can be exploited with a skin file containing overly long button names.

3) An error in main_skin_open() of skin.c can be exploited with a skin file containing overly long bitmap filenames.

Additionally, Coolplayer was using an obsolete version of the zlib library; the changelog doesn't say it is updated.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
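As an added example (not Coolplayer's code, and not taken from the advisory above), here are bounded replacements for the two patterns in findings 1 and 2: a length-checked path join standing in for the memcpy/strcpy in CPL_AddPrefixedFile(), and a width-limited sscanf standing in for the one in main_skin_check_ini_value(). Function names, the 63/255 field sizes, the skip-first-character behaviour and the constructed inputs are assumptions for illustration; the real playlist and skin formats are not documented here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Coolplayer's code. MAX_PATH is 260 on Windows; it is
 * defined here so the example builds on any platform. */
#ifndef MAX_PATH
#define MAX_PATH 260
#endif

#define SKIN_NAME_MAX    63   /* assumed limits, not from the advisory */
#define SKIN_TOOLTIP_MAX 255

/* Bounded replacement for the memcpy/strcpy pattern in finding 1.
 * prefix is the volume/directory part of the playlist path (prefix_len
 * bytes, not necessarily NUL-terminated); filename is the playlist entry,
 * whose first character is skipped as in the original (an assumption).
 * Returns 1 and fills out on success, 0 (out untouched) when the result
 * would not fit in MAX_PATH bytes including the terminator. */
int add_prefixed_file_checked(char out[MAX_PATH], const char *prefix,
                              size_t prefix_len, const char *filename)
{
    if (filename[0] == '\0')
        return 0;                       /* nothing to skip past */
    const char *tail = filename + 1;
    size_t tail_len = strlen(tail);

    /* Check before copying: prefix + tail + NUL must fit in MAX_PATH. */
    if (prefix_len >= MAX_PATH || tail_len >= MAX_PATH - prefix_len)
        return 0;

    memcpy(out, prefix, prefix_len);
    memcpy(out + prefix_len, tail, tail_len + 1);   /* copies the NUL too */
    return 1;
}

struct skin_button {
    char name[SKIN_NAME_MAX + 1];
    int  x, y, w, h, maxw, x2, y2, w2, h2;
    char tooltip[SKIN_TOOLTIP_MAX + 1];
};

/* Bounded replacement for the sscanf in finding 2: both string conversions
 * carry a maximum field width. An over-long button name is cut at 63 chars;
 * the leftover characters then fail the following %d, so the line is
 * rejected instead of overrunning the destination. Returns 1 when the name
 * and all nine integers were read (the tooltip is optional), else 0. */
int parse_skin_button_checked(const char *line, struct skin_button *b)
{
    memset(b, 0, sizeof *b);
    int n = sscanf(line,
                   "%63s %d %d %d %d %d %d %d %d %d %255[^\n]",
                   b->name, &b->x, &b->y, &b->w, &b->h, &b->maxw,
                   &b->x2, &b->y2, &b->w2, &b->h2, b->tooltip);
    return n >= 10;
}

/* Constructed-input helper: a playlist entry whose part after the skipped
 * first character is tail_len bytes long. Returns the accept/reject result. */
int join_accepts_tail_len(size_t tail_len)
{
    char path[MAX_PATH];
    char *name = malloc(tail_len + 2);
    if (!name)
        return -1;
    name[0] = '\\';
    memset(name + 1, 'A', tail_len);
    name[tail_len + 1] = '\0';
    int ok = add_prefixed_file_checked(path, "C:\\Music\\", 9, name);
    free(name);
    return ok;
}

/* Constructed-input helper: a skin line whose button name is name_len bytes,
 * followed by nine integers and a tooltip. Returns the parse result and
 * reports how many name characters were actually stored. */
int parse_with_name_len(size_t name_len, size_t *stored_name_len)
{
    struct skin_button b;
    char *line = malloc(name_len + 64);
    if (!line)
        return -1;
    memset(line, 'B', name_len);
    strcpy(line + name_len, " 1 2 3 4 5 6 7 8 9 Play the track");
    int ok = parse_skin_button_checked(line, &b);
    *stored_name_len = strlen(b.name);
    free(line);
    return ok;
}

int main(void)
{
    size_t stored;
    printf("playlist tail of 8 bytes accepted:   %d\n", join_accepts_tail_len(8));
    printf("playlist tail of 250 bytes accepted: %d\n", join_accepts_tail_len(250));
    printf("playlist tail of 511 bytes accepted: %d\n", join_accepts_tail_len(511));
    printf("skin name of 4 chars parsed:   %d\n", parse_with_name_len(4, &stored));
    printf("skin name of 400 chars parsed: %d (stored %zu chars)\n",
           parse_with_name_len(400, &stored), stored);
    return 0;
}
```

The check in add_prefixed_file_checked() is done on lengths before any byte is written, which is the property the original memcpy/strcpy pair lacks; with a 9-byte prefix a 250-byte tail is the largest that still fits with its terminator, and a 251-byte tail is refused. In the sscanf variant, note that a field width alone does not make an over-long token harmless in every sense: the parse stops at the width and the remaining characters make the next conversion fail, so the caller must check the return count rather than trust the struct.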