http://www.eeye.com/html/Research/Advisories/AD20030723.html

Reason 0xFFFFFFFF not to use Windows:
Integer overflows in the MIDI parser.
Get 0wned while the webpage plays stupid background music.


    1. That is the length byte you put in the copyright portion of the MIDI header. It adds one for the null byte it puts at the end, and then allocates that much heap space for the copyright string. Since it's a 0 length allocation, but you're copying x amount over it, you can corrupt the heap and do bad things, or so the advisory says. My facts might be a bit off, but I'm low on sleep.

      1. The reason this vulnerability exists is because QUARTZ increments the specified string length (in order to make room for a null terminator) without checking for a potential overflow condition. The incremented value (now 0) is passed to LocalAlloc(), which succeeds, while the original value (FFFFFFFFh) is given to memcpy() to copy the string data from the file image into the heap buffer.
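
The two comments above describe a classic length-plus-one wrap: a 32-bit string length of 0xFFFFFFFF is incremented to make room for a terminator, wraps to 0, and the zero-sized allocation is then filled with a memcpy() that still uses the original length. The C below is an added example written for this page, not code from the eEye advisory, from QUARTZ, or from either commenter. It uses a constructed stand-in record layout (a 32-bit little-endian length prefix followed by the string bytes, not the real MIDI copyright meta-event encoding), malloc() in place of LocalAlloc(), and hypothetical function names; it shows the wrapping arithmetic next to a parser that refuses both the wrapping length and any length that runs past the end of the file image.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample "file images" for this example (not real MIDI files):
 * a 32-bit little-endian string length followed by the string bytes.
 * SAMPLE_GOOD carries a 16-byte copyright string; SAMPLE_EVIL carries the
 * 0xFFFFFFFF length discussed in the comments. */
static const uint8_t SAMPLE_GOOD[] = {
    0x10, 0x00, 0x00, 0x00,
    '(', 'c', ')', ' ', 'e', 'x', 'a', 'm', 'p', 'l', 'e', ' ', '2', '0', '0', '3'
};
static const uint8_t SAMPLE_EVIL[] = { 0xFF, 0xFF, 0xFF, 0xFF, 'A', 'A', 'A', 'A' };

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* The arithmetic the comment describes: len + 1 computed in 32 bits with no
 * overflow check. For len == 0xFFFFFFFF the result is 0, so the allocator is
 * asked for zero bytes while memcpy() is later handed the original len. */
uint32_t vuln_alloc_size(uint32_t len)
{
    return len + 1;
}

/* Hardened replacement: returns 0 to mean "refuse", otherwise the byte count
 * to allocate. UINT32_MAX is the only 32-bit length whose increment wraps, so
 * rejecting it (equivalently, testing len + 1 < len) closes the hole. */
size_t checked_alloc_size(uint32_t len)
{
    if (len == UINT32_MAX)
        return 0;
    return (size_t)len + 1;
}

/* Vulnerable shape, for comparison only: allocation sized by the wrapped
 * value, copy sized by the attacker's length. Never call this on untrusted
 * input; with SAMPLE_EVIL it would copy 4 GiB into a zero-byte buffer. */
char *copy_string_vulnerable(const uint8_t *img, size_t img_len)
{
    (void)img_len;                              /* no bounds checking at all */
    uint32_t len = rd32le(img);
    char *buf = malloc(vuln_alloc_size(len));   /* stands in for LocalAlloc() */
    if (!buf) return NULL;
    memcpy(buf, img + 4, len);                  /* len bytes into a (len+1)-byte, possibly 0-byte, buffer */
    buf[len] = '\0';
    return buf;
}

/* Hardened parser: rejects the wrapping length and any length that runs past
 * the end of the file image, then allocates and copies with consistent sizes. */
char *copy_string_checked(const uint8_t *img, size_t img_len)
{
    if (img_len < 4)
        return NULL;                            /* no room for the length field */
    uint32_t len = rd32le(img);
    size_t need = checked_alloc_size(len);
    if (need == 0)
        return NULL;                            /* len + 1 would wrap to 0 */
    if (len > img_len - 4)
        return NULL;                            /* string claims more bytes than exist */
    char *buf = malloc(need);
    if (!buf)
        return NULL;
    memcpy(buf, img + 4, len);
    buf[len] = '\0';
    return buf;
}

int main(void)
{
    printf("0xFFFFFFFF + 1 as uint32 = %u\n", vuln_alloc_size(UINT32_MAX));
    char *ok = copy_string_checked(SAMPLE_GOOD, sizeof SAMPLE_GOOD);
    printf("good image -> \"%s\"\n", ok ? ok : "(rejected)");
    char *bad = copy_string_checked(SAMPLE_EVIL, sizeof SAMPLE_EVIL);
    printf("evil image -> %s\n", bad ? bad : "rejected");
    free(ok);
    free(bad);
    return 0;
}
```

The second bounds check matters as much as the first: even a length that does not wrap can exceed the bytes remaining in the file, and a parser that trusts it will read past the end of the image. Doing both checks before the allocation keeps the size handed to the allocator and the size handed to memcpy() derived from the same validated value.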
