View Issue Details

ID: 0001966
Project: OpenMPT
Category: Plugins / VST
View Status: public
Last Update: 2026-04-17 16:04
Reporter: breakingbad
Assigned To: manx
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: arm64
OS: Windows
OS Version: 11
Product Version: OpenMPT 1.32.09.00 / libopenmpt 0.8.6 (current stable)
Fixed in Version: OpenMPT 1.32.10.00 / libopenmpt 0.8.7 (upcoming stable)
Summary: 0001966: sizeof(chunk) in SetChunk() measures span object size instead of PluginChunk size on 64-bit
Description

In DigiBoosterEcho.cpp:210 and SymMODEcho.cpp:244, the SetChunk() function uses sizeof(chunk) where chunk is a const ChunkData& (i.e. mpt::const_byte_span&). On 64-bit platforms, sizeof(mpt::const_byte_span) is 16 bytes, but the target m_chunk (PluginChunk) is only 8 bytes (verified by static_assert in the header).
This causes the condition chunk.size() == sizeof(chunk) to require 16 bytes of input data, and the subsequent memcpy(&m_chunk, data, chunk.size()) writes 16 bytes into an 8-byte struct, overflowing 8 bytes into adjacent class members.
The correct check should be chunk.size() == sizeof(m_chunk), which is already used correctly in RestoreAllParameters() in the same file (line 98).
Affected files:

  • soundlib/plugins/DigiBoosterEcho.cpp line 210
  • soundlib/plugins/SymMODEcho.cpp line 244

Note: On 32-bit platforms sizeof(span) may happen to equal sizeof(PluginChunk) (both 8), masking the bug.
Steps To Reproduce
  1. Build OpenMPT in 64-bit mode
  2. Load a module file that uses DigiBoosterEcho or SymMODEcho plugin
  3. Load a .fxp preset file for the plugin with chunk size = 16 bytes and "Echo" magic header
  4. SetChunk() will memcpy 16 bytes into 8-byte m_chunk, overwriting adjacent memory
Additional Information

This is just a small problem and I won't apply for a CVE because it is just a small mistake, since the sizeof is wrong.
And RCE is difficult since it needs other plugins.
However, I have to say your issue tracker's sign-in is really too bad (pardon me for saying it); can you think of a GitHub issue tracker?

Tags: No tags attached.
Has the bug occurred in previous versions?: maybe always
Tested code revision (in case you know it)
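
Added example, not part of the report or OpenMPT's code: a minimal C++ reproduction of the length check described above, before and after the fix. ByteSpan stands in for mpt::const_byte_span, and the PluginChunk field layout, the Storage guard bytes and the names SetChunkBuggy/SetChunkFixed are assumptions made for illustration.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Stand-in for mpt::const_byte_span (pointer + length); not OpenMPT's type.
struct ByteSpan {
    const unsigned char *ptr;
    std::size_t len;
    const unsigned char *data() const { return ptr; }
    std::size_t size() const { return len; }
};
// Assumed 8-byte layout: 4-byte "Echo" magic followed by 4 parameter bytes.
struct PluginChunk { char id[4]; std::uint8_t param[4]; };
static_assert(sizeof(PluginChunk) == 8, "chunk must be 8 bytes");
// m_chunk plus 8 guard bytes modelling whatever follows it in memory.
// Copying into the whole struct keeps the demo free of undefined behaviour.
struct Storage { PluginChunk m_chunk; std::array<unsigned char, 8> guard; };
static_assert(sizeof(ByteSpan) <= sizeof(Storage), "demo copy must stay in bounds");

static bool HasMagic(const ByteSpan &c) { return std::memcmp(c.data(), "Echo", 4) == 0; }

// "Before": sizeof(chunk) is the size of the span object (16 on 64-bit).
bool SetChunkBuggy(Storage &s, const ByteSpan &chunk) {
    if (chunk.size() != sizeof(chunk) || !HasMagic(chunk)) return false;
    std::memcpy(&s, chunk.data(), chunk.size());  // on 64-bit: runs past m_chunk
    return true;
}

// "After": the length is checked against the destination, sizeof(m_chunk).
bool SetChunkFixed(Storage &s, const ByteSpan &chunk) {
    if (chunk.size() != sizeof(s.m_chunk) || !HasMagic(chunk)) return false;
    std::memcpy(&s.m_chunk, chunk.data(), sizeof(s.m_chunk));
    return true;
}

int main() {
    // Constructed inputs: a valid 8-byte chunk and an oversized 16-byte one.
    const unsigned char ok[8] = {'E', 'c', 'h', 'o', 1, 2, 3, 4};
    unsigned char big[16] = {'E', 'c', 'h', 'o', 1, 2, 3, 4};
    std::memset(big + 8, 0xAA, 8);
    Storage a{}, b{};
    const bool buggyTook16 = SetChunkBuggy(a, ByteSpan{big, 16});
    const bool fixedTook16 = SetChunkFixed(b, ByteSpan{big, 16});
    const bool fixedTook8 = SetChunkFixed(b, ByteSpan{ok, 8});
    std::printf("sizeof(span)=%zu sizeof(m_chunk)=%zu\n", sizeof(ByteSpan), sizeof(PluginChunk));
    std::printf("buggy accepts 16: %d, guard[0]=0x%02X\n", buggyTook16, a.guard[0]);
    std::printf("fixed accepts 16: %d, accepts 8: %d\n", fixedTook16, fixedTook8);
}
```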

Activities

manx

2026-04-17 10:35

administrator   ~0006640

Last edited: 2026-04-17 10:42

Thanks.
Fixed in r25189 and backported (r25190, r25191, r25192, r25193, r25194).

However, I have to say your issue tracker's sign in really too bad (pardon me to say it), can you think of github issue tracker?

We prefer to host services ourselves for various reasons. And in order to prevent spam (and save our time), we have to implement measures that are actually effective against spam bots. We can discuss this further in the forums if you like, as it is somewhat off-topic on the issue tracker.

Saga Musix

2026-04-17 10:39

administrator   ~0006641

FWIW, I don't think there is any RCE or other vulnerability here, because plugin structures are heap-allocated and both plugin classes happen to have a size that requires MSVC's allocator to pad them up to 16 bytes, so only bytes not belonging to any other heap object would be overwritten. libopenmpt is not affected as it doesn't use this code path, and so only MSVC behaviour matters.

breakingbad

2026-04-17 13:27

reporter   ~0006642

OK, I reopen this bug just to add a commit: no need to communicate in the forums since it is just a small problem. I saw it maybe can take RCE by OpenMPT tracker with some fxp VST preset files with bad meaning. But it may be hard to RCE. Anyway, it is just a small bug.

Issue History

Date Modified Username Field Change
2026-04-17 09:54 breakingbad New Issue
2026-04-17 10:18 manx Assigned To => manx
2026-04-17 10:18 manx Status new => confirmed
2026-04-17 10:22 manx Status confirmed => assigned
2026-04-17 10:35 manx Status assigned => resolved
2026-04-17 10:35 manx Resolution open => fixed
2026-04-17 10:35 manx Fixed in Version => OpenMPT 1.32.10.00 / libopenmpt 0.8.7 (upcoming stable)
2026-04-17 10:35 manx Note Added: 0006640
2026-04-17 10:35 manx Note Edited: 0006640
2026-04-17 10:39 Saga Musix Note Added: 0006641
2026-04-17 10:42 manx Note Edited: 0006640
2026-04-17 13:27 breakingbad Status resolved => feedback
2026-04-17 13:27 breakingbad Resolution fixed => reopened
2026-04-17 13:27 breakingbad Note Added: 0006642
2026-04-17 16:04 Saga Musix Status feedback => resolved
2026-04-17 16:04 Saga Musix Resolution reopened => fixed