CVE-2018-10017

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2018-10017
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-10017.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2018-10017
Downstream
Related
Published
2018-04-11T05:29:00Z
Modified
2025-10-21T04:26:52.440028Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

soundlib/Snd_fx.cpp in OpenMPT before 1.27.07.00 and libopenmpt before 0.3.8 allows remote attackers to cause a denial of service (out-of-bounds read) via an IT or MO3 file with many nested pattern loops.

References

Affected packages

Git / github.com/openmpt/openmpt

Affected ranges

Type
GIT
Repo
https://github.com/openmpt/openmpt
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c

Affected versions

ModPlugTracker-1.*

ModPlugTracker-1.16.206
ModPlugTracker-1.16.206-noMMX

ModplugWild-0.*

ModplugWild-0.00
ModplugWild-0.01

OpenMPT-1.*

OpenMPT-1.16.0213a
OpenMPT-1.16.0214a
OpenMPT-1.16.0215a
OpenMPT-1.17-RC0
OpenMPT-1.17-RC1
OpenMPT-1.17.02.41
OpenMPT-1.17.02.42
OpenMPT-1.17.02.43
OpenMPT-1.17.02.44
OpenMPT-1.17.02.45
OpenMPT-1.17.02.46
OpenMPT-1.17.02.47
OpenMPT-1.17.02.48
OpenMPT-1.17.02.49
OpenMPT-1.17.02.50
OpenMPT-1.17.02.51
OpenMPT-1.17.02.52
OpenMPT-1.17.03.02
OpenMPT-1.18.00.00
OpenMPT-1.18.02.00
OpenMPT-1.18.03.00
OpenMPT-1.19.01.00
OpenMPT-1.19.02.00
OpenMPT-1.20.01.00
OpenMPT-1.20.02.00
OpenMPT-1.20.03.00
OpenMPT-1.20.04.00
OpenMPT-1.21.01.00
OpenMPT-1.22.01.00
OpenMPT-1.22.02.00
OpenMPT-1.22.03.00
OpenMPT-1.22.04.00
OpenMPT-1.22.05.00
OpenMPT-1.23.01.00
OpenMPT-1.23.02.00
OpenMPT-1.23.03.00
OpenMPT-1.23.04.00
OpenMPT-1.23.05.00
OpenMPT-1.24.01.00
OpenMPT-1.24.02.00
OpenMPT-1.24.03.00
OpenMPT-1.24.04.00
OpenMPT-1.25.01.00
OpenMPT-1.25.02.00
OpenMPT-1.25.03.00
OpenMPT-1.25.04.00
OpenMPT-1.26.01.00
OpenMPT-1.26.02.00
OpenMPT-1.26.03.00
OpenMPT-1.26.04.00

libopenmpt-0.*

libopenmpt-0.2.3532-beta1
libopenmpt-0.2.3566-beta2
libopenmpt-0.2.3746-beta3
libopenmpt-0.2.3773-beta4
libopenmpt-0.2.4115-beta5
libopenmpt-0.2.4238-beta6
libopenmpt-0.2.4259-beta7
libopenmpt-0.2.4664-beta8
libopenmpt-0.2.4667-beta9
libopenmpt-0.2.4764-beta10
libopenmpt-0.2.4943-beta11
libopenmpt-0.2.4954-beta12
libopenmpt-0.2.5486-beta13
libopenmpt-0.2.5602-beta14
libopenmpt-0.2.5705-beta15
libopenmpt-0.2.5787-beta16
libopenmpt-0.2.6401-beta17
libopenmpt-0.2.6611-beta18
libopenmpt-0.2.6664-beta19
libopenmpt-0.2.6774-beta20

modplugxmms-1.*

modplugxmms-1.0.1
modplugxmms-1.1
modplugxmms-1.1.1
modplugxmms-1.2
modplugxmms-1.3
modplugxmms-1.3a
modplugxmms-1.5

Database specific

vanir_signatures

[
    {
        "signature_version": "v1",
        "digest": {
            "function_hash": "216037417499697353578779240638772842004",
            "length": 24688.0
        },
        "deprecated": false,
        "id": "CVE-2018-10017-6abb7ce0",
        "source": "https://github.com/openmpt/openmpt/commit/7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c",
        "target": {
            "function": "CSoundFile::GetLength",
            "file": "soundlib/Snd_fx.cpp"
        },
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "325917953417791362975220896489095883225",
                "253709592881847828482822399192097432058",
                "325337853414273268223428616874770262766",
                "265114425300270518893969925795053224428"
            ]
        },
        "deprecated": false,
        "id": "CVE-2018-10017-987b0bb9",
        "source": "https://github.com/openmpt/openmpt/commit/7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c",
        "target": {
            "file": "soundlib/Snd_fx.cpp"
        },
        "signature_type": "Line"
    }
]