{"id":"CVE-2019-17113","details":"In libopenmpt before 0.3.19 and 0.4.x before 0.4.9, ModPlug_InstrumentName and ModPlug_SampleName in libopenmpt_modplug.c do not restrict the lengths of libmodplug output-buffer strings in the C API, leading to a buffer overflow.","modified":"2026-05-30T13:50:38.774943Z","published":"2019-10-04T00:15:10.747Z","related":["SUSE-SU-2019:2622-1","openSUSE-SU-2019:2306-1","openSUSE-SU-2019:2319-1","openSUSE-SU-2024:10965-1"],"references":[{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00035.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00044.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2020/08/msg00003.html"},{"type":"ADVISORY","url":"https://www.debian.org/security/2020/dsa-4729"},{"type":"FIX","url":"https://github.com/OpenMPT/openmpt/commit/927688ddab43c2b203569de79407a899e734fabe"},{"type":"FIX","url":"https://github.com/OpenMPT/openmpt/compare/libopenmpt-0.3.18...libopenmpt-0.3.19"},{"type":"FIX","url":"https://github.com/OpenMPT/openmpt/compare/libopenmpt-0.4.8...libopenmpt-0.4.9"},{"type":"FIX","url":"https://source.openmpt.org/browse/openmpt/trunk/OpenMPT/?op=revision&rev=12127&peg=12127"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openmpt/openmpt","events":[{"introduced":"0"},{"fixed":"611291880dc20cfd2e062f2302d884b5f0511e6a"},{"introduced":"0e1ea9bc11bd585dc76d4ce3d85c2ef19eb0e970"},{"fixed":"4f09ffc84b9a1daac058c283c4d4051ccc1712b1"},{"fixed":"927688ddab43c2b203569de79407a899e734fabe"}],"database_specific":{"source":["CPE_RANGE","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"0.3.19"},{"introduced":"0.4.0"},{"fixed":"0.4.9"}],"cpe":"cpe:2.3:a:openmpt:libopenmpt:*:*:*:*:*:*:*:*"}}],"versions":["libopenmpt-0.4.8","libopenmpt-0.3.18","libopenmpt-0.4.7","OpenMPT-1.28.07.00","libopenmpt-0.3.17","libopenmpt-0.4.6","OpenMPT-1.28.06.00","libopenmpt-0.4.5","OpenMPT-1.28.05.00","libopenmpt-0.3.16","libopenmpt-0.4.4","OpenMPT-1.28.04.00","libopenmpt-0.4.3","OpenMPT-1.28.03.00","libopenmpt-0.3.15","libopenmpt-0.4.2","libopenmpt-0.4.1","OpenMPT-1.28.02.00","libopenmpt-0.3.14","libopenmpt-0.4.0","OpenMPT-1.27.11.00","libopenmpt-0.3.13","libopenmpt-0.3.12","OpenMPT-1.27.10.00","libopenmpt-0.3.11","OpenMPT-1.27.09.00","libopenmpt-0.3.10","OpenMPT-1.27.08.00","libopenmpt-0.3.9","libopenmpt-0.3.8","OpenMPT-1.27.07.00","libopenmpt-0.3.7","OpenMPT-1.27.06.00","OpenMPT-1.27.05.00","libopenmpt-0.3.6","libopenmpt-0.3.5","OpenMPT-1.27.04.00","libopenmpt-0.3.4","OpenMPT-1.27.03.00","libopenmpt-0.3.3","libopenmpt-0.3.2","OpenMPT-1.27.02.00","libopenmpt-0.3.1","libopenmpt-0.3.0","OpenMPT-1.27.01.00","libopenmpt-0.3.0-rc.1","libopenmpt-0.2.6774-beta20","OpenMPT-1.26.04.00","libopenmpt-0.2.6664-beta19","libopenmpt-0.2.6611-beta18","OpenMPT-1.26.03.00","OpenMPT-1.26.02.00","libopenmpt-0.2.6401-beta17","OpenMPT-1.26.01.00","libopenmpt-0.2.5787-beta16","OpenMPT-1.25.04.00","libopenmpt-0.2.5705-beta15","OpenMPT-1.25.03.00","libopenmpt-0.2.5602-beta14","OpenMPT-1.25.02.00","libopenmpt-0.2.5486-beta13","OpenMPT-1.25.01.00","libopenmpt-0.2.4954-beta12","OpenMPT-1.24.04.00","libopenmpt-0.2.4943-beta11","OpenMPT-1.24.03.00","libopenmpt-0.2.4764-beta10","OpenMPT-1.24.02.00","libopenmpt-0.2.4667-beta9","libopenmpt-0.2.4664-beta8","OpenMPT-1.24.01.00","libopenmpt-0.2.4259-beta7","libopenmpt-0.2.4238-beta6","OpenMPT-1.23.05.00","libopenmpt-0.2.4115-beta5","OpenMPT-1.23.04.00","OpenMPT-1.23.03.00","OpenMPT-1.23.02.00","OpenMPT-1.23.01.00","libopenmpt-0.2.3773-beta4","libopenmpt-0.2.3746-beta3","libopenmpt-0.2.3566-beta2","libopenmpt-0.2.3532-beta1","OpenMPT-1.22.05.00","OpenMPT-1.22.04.00","OpenMPT-1.22.03.00","OpenMPT-1.22.02.00","OpenMPT-1.22.01.00","OpenMPT-1.21.01.00","OpenMPT-1.20.04.00","OpenMPT-1.20.03.00","OpenMPT-1.20.02.00","OpenMPT-1.20.01.00","OpenMPT-1.19.02.00","OpenMPT-1.19.01.00","OpenMPT-1.18.03.00","OpenMPT-1.18.02.00","OpenMPT-1.18.00.00","OpenMPT-1.17.03.02","OpenMPT-1.17.02.52","OpenMPT-1.17.02.51","OpenMPT-1.17.02.50","OpenMPT-1.17.02.49","OpenMPT-1.17.02.48","OpenMPT-1.17.02.47","OpenMPT-1.17.02.46","OpenMPT-1.17.02.45","OpenMPT-1.17.02.44","OpenMPT-1.17.02.43","OpenMPT-1.17.02.42","OpenMPT-1.17.02.41","OpenMPT-1.16.0215a","OpenMPT-1.16.0214a","OpenMPT-1.16.0213a","ModplugWild-0.01","ModplugWild-0.00","ModPlugTracker-1.16.206","modplugxmms-1.5","modplugxmms-1.3a","modplugxmms-1.3","modplugxmms-1.2","modplugxmms-1.1.1","modplugxmms-1.1","modplugxmms-1.0.1"],"database_specific":{"vanir_signatures":[{"digest":{"length":473,"function_hash":"121755524753216487338359141637396621916"},"target":{"file":"libopenmpt/libopenmpt_modplug.c","function":"ModPlug_InstrumentName"},"id":"CVE-2019-17113-5a94aeed","signature_type":"Function","source":"https://github.com/openmpt/openmpt/commit/927688ddab43c2b203569de79407a899e734fabe","deprecated":false,"signature_version":"v1"},{"digest":{"length":473,"function_hash":"121755524753216487338359141637396621916"},"target":{"file":"libopenmpt/libopenmpt_modplug.c","function":"ModPlug_SampleName"},"id":"CVE-2019-17113-bbd7f97f","signature_type":"Function","source":"https://github.com/openmpt/openmpt/commit/927688ddab43c2b203569de79407a899e734fabe","deprecated":false,"signature_version":"v1"},{"digest":{"line_hashes":["15137006520975798157982784244436761769","319389042533568327372435745783798155690","175834122122421528935573979794879080078","85364868019126665323402967274050095718","162400446700791913887172407436624711760","171011490955096401468748371273866307010","86847947984317825780275639008358727743","125550102577571298604477066842723049840","183386591737951785450419093791505420657","243370328090283218716606685253546050524","235379790053459614316703527585808047537","122712867289023105350235613275155602080","298754661009136765841563697397390699555","227660598147743686660358009170027107794","225248469356832048749570511144260614254","197760849521062645755736383200098900124","216776309499977154594826668785968714047","57402251777980842054746115043937670337","85112477388076416240474858858843276408","193490365458804488790333101785733560541","34598925870867036267172285085294918978","124755474886407313515562343845084252101","305933534732701961008918986389267564390","304514908366703821864521344822901408793","59597573422709497756534687158413216566","10797416068852790919131841970650081501","319389042533568327372435745783798155690","175834122122421528935573979794879080078","204747611659904489742088010871220091216","245645347122837255285311110879305879482","51371068763528817040834630186361852604","132035236986210325750630829231183976551","125550102577571298604477066842723049840","183386591737951785450419093791505420657","243370328090283218716606685253546050524","235379790053459614316703527585808047537","122712867289023105350235613275155602080","298754661009136765841563697397390699555","227660598147743686660358009170027107794","225248469356832048749570511144260614254","197760849521062645755736383200098900124","216776309499977154594826668785968714047","57402251777980842054746115043937670337","85112477388076416240474858858843276408","193490365458804488790333101785733560541","34598925870867036267172285085294918978","124755474886407313515562343845084252101","36934497310234139229315131065946725217","171873332723303613762487247958910790674"],"threshold":0.9},"target":{"file":"libopenmpt/libopenmpt_modplug.c"},"id":"CVE-2019-17113-eded99ba","signature_type":"Line","source":"https://github.com/openmpt/openmpt/commit/927688ddab43c2b203569de79407a899e734fabe","deprecated":false,"signature_version":"v1"}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-17113.json","vanir_signatures_modified":"2026-05-30T13:50:38Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}