While looking at logs from my fuzzers, I found a bug in UltraEdit that triggered when I loaded a file with a long string of alphabetic characters. A bit of debugging indicated that UltraEdit was using a version of GNU Aspell that had a buffer overflow when handling long words. UltraEdit has been using Aspell since version 11[1]. I’ve not looked at exploitability, but the application seems to detect the overflow and terminate cleanly, so they may be saved by mitigations. IDM, the creators of UltraEdit, have since released a new version that fixes the issue.
Case history: http://code.google.com/p/skylined/issues/detail?id=2
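To make the bug class concrete, here is an added illustration (not UltraEdit's or Aspell's code, and not the actual faulting routine): a toy spell-check tokenizer that copies a word into a fixed-size stack buffer with no length check, beside a bounded variant that caps the word and reports it as over-long instead. The 64-byte limit, the function names and the generated input (a run of 'a' characters between two ordinary words, standing in for the fuzzer's long alphabetic string) are assumptions for the example.

```c
/* Added example, not code from the post, UltraEdit or Aspell. A toy
 * spell-check word scanner showing the unbounded-copy pattern and a
 * bounded replacement. MAX_WORD and all names are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_WORD 64  /* assumed fixed word buffer size */

/* Vulnerable pattern: copies every alphabetic character of the current word
 * into word[MAX_WORD] with no bound. A run of more than MAX_WORD - 1 letters
 * writes past the buffer. Shown for contrast only; the demo never calls it
 * on long input. */
static size_t copy_word_unsafe(const char *text, char *word)
{
    size_t n = 0;
    while (isalpha((unsigned char)text[n])) {
        word[n] = text[n];   /* no check that n < MAX_WORD - 1 */
        n++;
    }
    word[n] = '\0';
    return n;
}

/* Bounded variant: copies at most cap - 1 letters, keeps scanning to the end
 * of the word so the caller still makes progress, and flags the word as
 * too long so it can be skipped rather than spell-checked as a truncated
 * prefix. Returns the number of bytes consumed from text. */
static size_t copy_word_bounded(const char *text, char *word, size_t cap,
                                int *too_long)
{
    size_t n = 0, copied = 0;
    *too_long = 0;
    while (isalpha((unsigned char)text[n])) {
        if (copied + 1 < cap)
            word[copied++] = text[n];
        else
            *too_long = 1;   /* over the limit: stop copying, keep scanning */
        n++;
    }
    word[copied] = '\0';
    return n;
}

/* Scans text the way a spell-checker would, counting words that fit the
 * buffer (checked) and words that exceed it (skipped). */
static int count_checkable_words(const char *text, int *skipped)
{
    char word[MAX_WORD];
    int checked = 0;
    *skipped = 0;
    while (*text) {
        if (isalpha((unsigned char)*text)) {
            int too_long;
            text += copy_word_bounded(text, word, sizeof word, &too_long);
            if (too_long) (*skipped)++; else checked++;
        } else {
            text++;
        }
    }
    return checked;
}

/* Constructed input resembling the fuzzer's: n alphabetic characters in a
 * row, between two ordinary words. Caller frees the result. */
static char *make_long_word_input(size_t n)
{
    const char *head = "hello ", *tail = " world";
    char *buf = malloc(strlen(head) + n + strlen(tail) + 1);
    if (!buf) return NULL;
    strcpy(buf, head);
    memset(buf + strlen(head), 'a', n);
    strcpy(buf + strlen(head) + n, tail);
    return buf;
}

/* Wrappers that run the bounded scanner over a generated run of n letters. */
static int checked_for_run(size_t n)
{
    int skipped;
    char *in = make_long_word_input(n);
    if (!in) return -1;
    int checked = count_checkable_words(in, &skipped);
    free(in);
    return checked;
}

static int skipped_for_run(size_t n)
{
    int skipped;
    char *in = make_long_word_input(n);
    if (!in) return -1;
    count_checkable_words(in, &skipped);
    free(in);
    return skipped;
}

int main(void)
{
    char word[MAX_WORD];
    copy_word_unsafe("short", word);   /* 5 letters: fits, so this is safe */
    printf("unsafe copy of a short word: %s\n", word);
    printf("10000-letter run: checked %d word(s), skipped %d over-long\n",
           checked_for_run(10000), skipped_for_run(10000));
    return 0;
}
```

Calling copy_word_unsafe on the 10000-letter input instead would overwrite the stack; a build with GCC's -fstack-protector-strong aborts with "*** stack smashing detected ***" rather than continuing, which is the kind of clean termination the post describes, while a build without a canary silently corrupts the frame. The bounded version keeps that input from ever reaching the buffer.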