Multiple stack-based buffer overflows in the CPLI_ReadTag_OGG function in CPI_PlaylistItem.c in CoolPlayer 217 and earlier allow user-assisted remote attackers to execute arbitrary code via a long (1) cTag or (2) cValue field in an OGG Vorbis file.
CoolPlayer 217 and earlier versions are vulnerable to a stack-based buffer overflow due to improper handling of OGG Vorbis file metadata. This vulnerability allows a remote attacker to execute arbitrary code on a victim's machine through a crafted OGG file, potentially leading to complete system compromise and data exfiltration.
Step 1: Payload Delivery: The attacker crafts a malicious OGG Vorbis audio file. This file contains a specially crafted cTag or cValue field with a length exceeding the allocated buffer size in CPLI_ReadTag_OGG.
Step 2: User Interaction: The victim opens or plays the malicious OGG file using CoolPlayer 217 or earlier.
Step 3: Vulnerability Trigger: CoolPlayer's CPLI_ReadTag_OGG function is called to parse the OGG file's metadata.
Step 4: Buffer Overflow: The oversized cTag or cValue field data is copied into the stack buffer without proper bounds checking, causing a buffer overflow.
Step 5: Code Execution: The overflow overwrites the return address on the stack. When the function returns, the program jumps to the attacker-controlled address, executing the injected malicious code.
The vulnerability lies within the CPLI_ReadTag_OGG function in CPI_PlaylistItem.c of CoolPlayer. This function is responsible for parsing OGG Vorbis file metadata, specifically the cTag and cValue fields. The root cause is a stack-based buffer overflow: the code fails to validate the size of the data read from the OGG file's metadata fields before copying it into a fixed-size buffer on the stack. When a malicious OGG file contains a cTag or cValue field that exceeds the buffer's capacity, the excess data overwrites adjacent memory on the stack, potentially including the return address. This allows an attacker to control the program's execution flow and inject malicious code.
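The missing check described above is a length comparison between the field size taken from the file and the capacity of the destination buffer. The following is an added illustration written for this page, not CoolPlayer's code: a bounded parser for one length-prefixed Vorbis comment (`TAG=value`) that refuses a field instead of copying it past a fixed stack buffer. The buffer sizes, function names and sample comments are constructed for the example; the on-disk layout (a 32-bit little-endian length followed by the comment bytes) is the standard Vorbis comment format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size stack buffers of the kind the advisory describes.
 * These sizes are constructed for the example, not CoolPlayer's. */
#define TAG_CAP   64
#define VALUE_CAP 256

enum tag_status {
    TAG_OK        =  0,
    TAG_MALFORMED = -1,   /* length prefix runs past the input, or no '=' */
    TAG_TOO_LONG  = -2    /* field does not fit the destination buffer */
};

/* Vorbis comment lengths are stored as 32-bit little-endian integers. */
static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Bounded copy. The unsafe pattern the advisory describes is equivalent to
 *     char tag[TAG_CAP]; memcpy(tag, src, n);   with n taken from the file,
 * and the comparison below is exactly the check that pattern omits. */
static int copy_field(char *dst, size_t cap, const unsigned char *src, size_t n)
{
    if (n >= cap)                    /* keep room for the terminating NUL */
        return TAG_TOO_LONG;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return TAG_OK;
}

/* Parse one length-prefixed "TAG=value" comment at buf[0]. On success,
 * *consumed is set to the bytes used so a caller can loop over a list. */
int parse_vorbis_comment(const unsigned char *buf, size_t len, size_t *consumed,
                         char *tag, size_t tag_cap, char *value, size_t value_cap)
{
    if (len < 4)
        return TAG_MALFORMED;
    uint32_t clen = read_le32(buf);
    if (clen > len - 4)              /* declared length exceeds the data present */
        return TAG_MALFORMED;

    const unsigned char *body = buf + 4;
    const unsigned char *eq = memchr(body, '=', clen);
    if (eq == NULL)
        return TAG_MALFORMED;

    size_t tag_len = (size_t)(eq - body);
    size_t value_len = clen - tag_len - 1;

    int rc = copy_field(tag, tag_cap, body, tag_len);
    if (rc != TAG_OK)
        return rc;
    rc = copy_field(value, value_cap, eq + 1, value_len);
    if (rc != TAG_OK)
        return rc;

    *consumed = 4 + (size_t)clen;
    return TAG_OK;
}

/* Constructed sample: length 19 followed by "ARTIST=Example Band". */
int demo_well_formed(void)
{
    static const unsigned char sample[] = {
        0x13, 0x00, 0x00, 0x00,
        'A','R','T','I','S','T','=','E','x','a','m','p','l','e',' ','B','a','n','d'
    };
    char tag[TAG_CAP], value[VALUE_CAP];
    size_t used = 0;
    int rc = parse_vorbis_comment(sample, sizeof sample, &used,
                                  tag, sizeof tag, value, sizeof value);
    return rc == TAG_OK && used == sizeof sample &&
           strcmp(tag, "ARTIST") == 0 && strcmp(value, "Example Band") == 0;
}

/* Constructed sample: a 100-byte tag, well past TAG_CAP. The checked parser
 * reports TAG_TOO_LONG; the unchecked pattern would overrun the stack buffer. */
int demo_oversized_tag(void)
{
    unsigned char sample[4 + 100 + 2];
    uint32_t clen = 102;
    sample[0] = (unsigned char)(clen & 0xff);
    sample[1] = (unsigned char)((clen >> 8) & 0xff);
    sample[2] = (unsigned char)((clen >> 16) & 0xff);
    sample[3] = (unsigned char)((clen >> 24) & 0xff);
    memset(sample + 4, 'A', 100);
    sample[104] = '=';
    sample[105] = 'x';
    char tag[TAG_CAP], value[VALUE_CAP];
    size_t used = 0;
    return parse_vorbis_comment(sample, sizeof sample, &used,
                                tag, sizeof tag, value, sizeof value);
}

/* Constructed sample: the prefix claims 0xFFFFFFFF bytes but only 3 follow. */
int demo_lying_length(void)
{
    static const unsigned char sample[] = { 0xff, 0xff, 0xff, 0xff, 'A', '=', 'b' };
    char tag[TAG_CAP], value[VALUE_CAP];
    size_t used = 0;
    return parse_vorbis_comment(sample, sizeof sample, &used,
                                tag, sizeof tag, value, sizeof value);
}

int main(void)
{
    printf("well-formed comment parsed: %s\n", demo_well_formed() ? "yes" : "no");
    printf("oversized tag rejected:     %s\n",
           demo_oversized_tag() == TAG_TOO_LONG ? "yes" : "no");
    printf("bogus length rejected:      %s\n",
           demo_lying_length() == TAG_MALFORMED ? "yes" : "no");
    return 0;
}
```

Two checks matter here and the parser performs both: the declared comment length is compared against the bytes actually present before it is trusted, and each field length is compared against the destination capacity before the copy. Rejecting rather than silently truncating is deliberate, since truncation can hide malformed input that a player should treat as a parse error.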