GZDoom Remote Code Execution Vulnerability via Malicious ZScript in PK3 Files
Vulnerability
A remote code execution vulnerability has been identified in GZDoom versions through 4.13.1. The issue arises from how ZScript, the game's primary scripting language, handles large arrays. A script can allocate an array of approximately 1 billion 32-bit integers; the resulting allocation gives the script access to uninitialized memory and the ability to overwrite other objects in memory. Because GZDoom executes ZScript bundled in PK3 files it loads, the vulnerability can be triggered by embedding malicious ZScript in a PK3 file.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the victim's machine.
Reproduction
To reproduce this vulnerability, create a PK3 file containing a ZScript file that allocates an array of 1073741823 32-bit integers. This can be done by writing a ZScript program that declares such an array. Once the PK3 file is created, it can be loaded into GZDoom, where the malicious ZScript will be executed, leading to code execution.
Remediation
Users are advised to update to GZDoom version 4.13.2 or later, where this vulnerability has been fixed.