Libretro Libretro-Common CDFS Cue Track Out-of-Bounds Write Vulnerability Allowing Arbitrary Code Execution

Vulnerability

A buffer overflow vulnerability has been identified in the CDFS .cue file parser of Libretro Libretro-Common (all platforms). The issue is in the 'cdfs_open_cue_track' function, which uses 'memcpy' to copy file paths from the .cue file into a buffer. A file path that exceeds the maximum allowed length causes an out-of-bounds write. Remote attackers can exploit this vulnerability by crafting a .cue file with an excessively long file path, leading to a stack-based buffer overflow and potential execution of arbitrary code.

Impact

Exploitation of this vulnerability causes a stack-based buffer overflow, which can be leveraged to execute arbitrary code.

Reproduction

To reproduce this vulnerability, create a .cue file that includes a file path exceeding the maximum path length. The buffer overflow is triggered when the 'cdfs_open_cue_track' function in the CDFS parser processes this file.

Remediation

The vulnerability can be mitigated by limiting the 'memcpy' operation to 'PATH_MAX_LENGTH - 1' bytes and ensuring that the copied string is null-terminated.
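
The bounded copy described above, as an added example that is not libretro-common's own code. The helper name copy_cue_file_name, its truncated flag and the small PATH_MAX_LENGTH value are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: a small value so truncation is easy to observe. The real
 * PATH_MAX_LENGTH is defined by libretro-common's headers. */
#define PATH_MAX_LENGTH 16

/* Hypothetical helper (not the project's code): copy the quoted file name
 * from a cue "FILE" line into dst, which must hold PATH_MAX_LENGTH bytes.
 * Returns the number of bytes copied, or -1 if no quoted name is present.
 * *truncated is set to 1 when the name did not fit, so the caller can
 * reject the entry instead of opening a shortened path. */
static int copy_cue_file_name(const char *line, char *dst, int *truncated)
{
   const size_t max = PATH_MAX_LENGTH - 1; /* leave room for the terminator */
   const char *start = strchr(line, '"');
   const char *end;
   size_t len;

   dst[0] = '\0';
   *truncated = 0;
   if (!start)
      return -1;
   end = strchr(++start, '"');
   if (!end)
      return -1;

   len = (size_t)(end - start);
   /* The unsafe pattern is memcpy(dst, start, len) with len taken straight
    * from the file. Clamp it before copying, then terminate explicitly. */
   if (len > max)
   {
      len = max;
      *truncated = 1;
   }
   memcpy(dst, start, len);
   dst[len] = '\0';
   return (int)len;
}

int main(void)
{
   /* Constructed sample line with a name longer than the buffer. */
   const char *line = "FILE \"a_very_long_track_file_name.bin\" BINARY";
   char path[PATH_MAX_LENGTH];
   int truncated;
   int n = copy_cue_file_name(line, path, &truncated);
   printf("copied=%d truncated=%d path=%s\n", n, truncated, path);
   return 0;
}
```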

Added: Sep 1, 2025, 7:19 PM
Updated: Sep 1, 2025, 7:19 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 8.7
remediation: 0.0
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.