{"id":"CVE-2018-10017","details":"soundlib/Snd_fx.cpp in OpenMPT before 1.27.07.00 and libopenmpt before 0.3.8 allows remote attackers to cause a denial of service (out-of-bounds read) via an IT or MO3 file with many nested pattern loops.","modified":"2026-04-11T03:11:53.316037Z","published":"2018-04-11T05:29:00.327Z","related":["SUSE-SU-2018:1951-1","openSUSE-SU-2024:10965-1"],"references":[{"type":"ADVISORY","url":"https://openmpt.org/openmpt-1-27-07-00-released"},{"type":"FIX","url":"https://github.com/OpenMPT/openmpt/commit/7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c"},{"type":"FIX","url":"https://lib.openmpt.org/libopenmpt/2018/04/08/security-updates-0.3.8-0.2-beta31-0.2.7561-beta20.5-p8-0.2.7386-beta20.3-p11/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openmpt/openmpt","events":[{"introduced":"0"},{"fixed":"a9dc123c8e1dd3015b939b74687861abffd7386f"},{"introduced":"0"},{"fixed":"af287214b2584e4b544eb22605fa31ec10939a61"},{"fixed":"7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.3.8"},{"introduced":"0"},{"fixed":"1.27.07.00"}]}}],"versions":["ModPlugTracker-1.16.206","ModplugWild-0.00","ModplugWild-0.01","OpenMPT-1.16.0213a","OpenMPT-1.16.0214a","OpenMPT-1.16.0215a","OpenMPT-1.17.02.41","OpenMPT-1.17.02.42","OpenMPT-1.17.02.43","OpenMPT-1.17.02.44","OpenMPT-1.17.02.45","OpenMPT-1.17.02.46","OpenMPT-1.17.02.47","OpenMPT-1.17.02.48","OpenMPT-1.17.02.49","OpenMPT-1.17.02.50","OpenMPT-1.17.02.51","OpenMPT-1.17.02.52","OpenMPT-1.17.03.02","OpenMPT-1.18.00.00","OpenMPT-1.18.02.00","OpenMPT-1.18.03.00","OpenMPT-1.19.01.00","OpenMPT-1.19.02.00","OpenMPT-1.20.01.00","OpenMPT-1.20.02.00","OpenMPT-1.20.03.00","OpenMPT-1.20.04.00","OpenMPT-1.21.01.00","OpenMPT-1.22.01.00","OpenMPT-1.22.02.00","OpenMPT-1.22.03.00","OpenMPT-1.22.04.00","OpenMPT-1.22.05.00","OpenMPT-1.23.01.00","OpenMPT-1.23.02.00","OpenMPT-1.23.03.00","OpenMPT-1.23.04.00","OpenMPT-1.23.05.00","OpenMPT-1.24.01.00","OpenMPT-1.24.02.00","OpenMPT-1.24.03.00","OpenMPT-1.24.04.00","OpenMPT-1.25.01.00","OpenMPT-1.25.02.00","OpenMPT-1.25.03.00","OpenMPT-1.25.04.00","OpenMPT-1.26.01.00","OpenMPT-1.26.02.00","OpenMPT-1.26.03.00","OpenMPT-1.26.04.00","OpenMPT-1.27.01.00","OpenMPT-1.27.02.00","OpenMPT-1.27.03.00","OpenMPT-1.27.04.00","OpenMPT-1.27.05.00","OpenMPT-1.27.06.00","OpenMPT-1.27.07.00","libopenmpt-0.2.3532-beta1","libopenmpt-0.2.3566-beta2","libopenmpt-0.2.3746-beta3","libopenmpt-0.2.3773-beta4","libopenmpt-0.2.4115-beta5","libopenmpt-0.2.4238-beta6","libopenmpt-0.2.4259-beta7","libopenmpt-0.2.4664-beta8","libopenmpt-0.2.4667-beta9","libopenmpt-0.2.4764-beta10","libopenmpt-0.2.4943-beta11","libopenmpt-0.2.4954-beta12","libopenmpt-0.2.5486-beta13","libopenmpt-0.2.5602-beta14","libopenmpt-0.2.5705-beta15","libopenmpt-0.2.5787-beta16","libopenmpt-0.2.6401-beta17","libopenmpt-0.2.6611-beta18","libopenmpt-0.2.6664-beta19","libopenmpt-0.2.6774-beta20","libopenmpt-0.3.0","libopenmpt-0.3.0-rc.1","libopenmpt-0.3.1","libopenmpt-0.3.2","libopenmpt-0.3.3","libopenmpt-0.3.4","libopenmpt-0.3.5","libopenmpt-0.3.6","libopenmpt-0.3.7","modplugxmms-1.0.1","modplugxmms-1.1","modplugxmms-1.1.1","modplugxmms-1.2","modplugxmms-1.3","modplugxmms-1.3a","modplugxmms-1.5"],"database_specific":{"vanir_signatures_modified":"2026-04-11T03:11:53Z","vanir_signatures":[{"target":{"function":"CSoundFile::GetLength","file":"soundlib/Snd_fx.cpp"},"id":"CVE-2018-10017-6abb7ce0","signature_type":"Function","deprecated":false,"digest":{"length":24688,"function_hash":"216037417499697353578779240638772842004"},"source":"https://github.com/openmpt/openmpt/commit/7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c","signature_version":"v1"},{"target":{"file":"soundlib/Snd_fx.cpp"},"id":"CVE-2018-10017-987b0bb9","signature_type":"Line","deprecated":false,"digest":{"line_hashes":["325917953417791362975220896489095883225","253709592881847828482822399192097432058","325337853414273268223428616874770262766","265114425300270518893969925795053224428"],"threshold":0.9},"source":"https://github.com/openmpt/openmpt/commit/7ebf02af2e90f03e0dbd0e18b8b3164f372fb97c","signature_version":"v1"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-10017.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}