Some instructions in Game_Music_Emu's SPC700 core are so broken with respect to clamping of X and Y values that an SPC file can pwn the user account.
Source: "Redux: compromising Linux using... SNES Ricoh 5A22 [sic] processor opcodes?!" by Chris Evans, via a tweet by Hector Martin
tl;dr: CPU registers in the SPC core are 32-bit for speed, and instruction $AF (MOV (X)+,A) doesn't clamp the values it writes to register X. Nor does the aaaa,X addressing mode wrap within $0000-$FFFF; it continues on to $10000-$100FE. These vulnerabilities and some clever coding involving MUL and DIV instructions allow building up huge and/or negative values in the X and Y registers to read the virtual method table, corrupt other parts of the emulator state to find free(), find system(), and build a new virtual method table in A-RAM through which the SPC700 code can call anything.
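The two missing masks described above, as an added example that is not part of the original post and is not Game_Music_Emu's code: a simplified C model with the weak and hardened forms side by side. The struct, the function names and the `RAM_SIZE` constant are hypothetical; only the register width, the post-increment of X and the aaaa,X range come from the post.

```c
#include <stdint.h>
#include <stdio.h>

#define RAM_SIZE 0x10000u   /* assumed: 64 KiB of emulated RAM, $0000-$FFFF */

/* Hypothetical toy core: registers held in wide host integers "for speed". */
struct cpu { int a, x, y; };

/* Weak form: the post-increment leaves X as a full-width host integer. */
static void inc_x_unclamped(struct cpu *c) { c->x = c->x + 1; }

/* Hardened form: X is an 8-bit register, so mask on every write. */
static void inc_x_clamped(struct cpu *c) { c->x = (c->x + 1) & 0xFF; }

/* Weak form: aaaa,X effective address with no 16-bit wrap. */
static uint32_t ea_abs_x_unwrapped(const struct cpu *c, uint16_t base) {
    return (uint32_t)base + (uint32_t)c->x;
}

/* Hardened form: index masked to 8 bits, address wrapped to 16 bits. */
static uint32_t ea_abs_x_wrapped(const struct cpu *c, uint16_t base) {
    return ((uint32_t)base + ((uint32_t)c->x & 0xFF)) & 0xFFFF;
}

/* Last line of defence: refuse any access outside the emulated RAM array. */
static int in_ram(uint32_t ea) { return ea < RAM_SIZE; }

/* Apply one increment routine n times and report the resulting X. */
static int x_after(void (*inc)(struct cpu *), int start, int n) {
    struct cpu c = { 0, start, 0 };
    while (n-- > 0) inc(&c);
    return c.x;
}

int main(void) {
    struct cpu c = { 0, 0xFF, 0 };   /* constructed state: X = $FF */
    uint32_t weak = ea_abs_x_unwrapped(&c, 0xFFFF);
    uint32_t safe = ea_abs_x_wrapped(&c, 0xFFFF);
    printf("$FFFF,X unwrapped -> $%X in_ram=%d\n", (unsigned)weak, in_ram(weak));
    printf("$FFFF,X wrapped   -> $%X in_ram=%d\n", (unsigned)safe, in_ram(safe));
    printf("X after increment: unclamped=$%X clamped=$%X\n",
           (unsigned)x_after(inc_x_unclamped, 0xFF, 1),
           (unsigned)x_after(inc_x_clamped, 0xFF, 1));
    return 0;
}
```

Masking at register write and wrapping at address computation are independent fixes; a core that also checks `in_ram()` before indexing host memory still fails closed if one of the masks is missed.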