Document a useless vulnerability
Line 113: Line 113:     
[[Category:File formats]]
 
[[Category:File formats]]
 +
 +
 +
== Vulnerabilities ==
 +
Super Mario Galaxy (and its sequel, Super Mario Galaxy 2) are known to have an unexploitable vulnerability in parsing GameData.bin. The entire file is loaded into memory at once, and after being verified for integrity (checksum, version, etc.), its index entries are extracted. The game keeps an in-memory template of an empty savefile, with the index entries being copied into the template. A function is used (on both GameData.bin and the template) to get the data pointer and length of an entry.
 +
 +
This function calculates the length of an index entry by subtracting the current entry's offset from the next entry's offset. Unfortunately, the length from GameData.bin is not used for the memcpy() into the template: the length from the template is used. However, once the memcpy() completes, the game checks if the amount of data specified by GameData.bin is less than the amount copied. This is done by checking whether template_size - reported_size > 0. It is possible to make reported_size negative (>= 0x80000000), which would cause that check to return true. If true, it memset()s that amount of 0 bytes after the copied data.
 +
 +
Unfortunately, the layout of the heap and the fact that it is all 0 bytes makes this vulnerability apparently useless.
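Review bot: the third added paragraph needs to state which quantity is passed to memset() and whether "template_size - reported_size > 0" is a 32-bit signed comparison, because as written its two claims do not hold together for every "negative" reported_size. If the subtraction is signed 32-bit, reported_size = 0x80000000 gives template_size - 0x80000000, which itself wraps to a negative value and fails the "> 0" check; the check only passes for reported_size values in the negative range whose magnitude is small enough that template_size + |reported_size| stays below 0x80000000, and the value then handed to memset() is that whole difference, which can approach 2 GiB of zeros written after the copied entry. Suggest replacing "It is possible to make reported_size negative (>= 0x80000000), which would cause that check to return true" with the exact range that passes, and naming the memset() length explicitly (for example "memset(dst + template_size, 0, template_size - reported_size)" if that is what the code does), since that length rather than reported_size is what overruns the heap; the memcpy() itself, per the same paragraph, is bounded by the template's length and does not overflow. The second paragraph says the length is derived as next entry offset minus current entry offset from the file's index, so it should also say whether those offsets are bounds-checked against the file before the subtraction, as that is what makes reported_size attacker-controlled. Finally, "apparently useless" deserves one qualifier: a zero write of that size past the copied data still crashes the game on a crafted save, so the entry is a denial of service even if the all-zero payload and heap layout rule out anything more.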
