
xfocus-SD-060329.txt

Posted Apr 1, 2006
Site xfocus.org

The XFOCUS team has discovered multiple integer overflows in MPlayer version 1.0.20060329 and below.

tags | advisory, overflow
SHA-256 | 63e762c39c00d599fa0d7e78eb9ca9d54e84981185e128bb6f6230abf893bf4d

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[xfocus-SD-060329]MPlayer: Multiple integer overflows

MPlayer is a media player capable of handling multiple multimedia file
formats.

The XFOCUS team (http://www.xfocus.org/) has discovered multiple
integer overflows. These can lead to a heap-based buffer overflow,
which could result in the execution of arbitrary code with the
permissions of the user running MPlayer.


Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
media-video/mplayer <= 1.0.20060329

Description
===========

[1] in libmpdemux/asfheader.c
- -----------------------------------
    asf_scrambling_h=buffer[0];
    asf_scrambling_w=(buffer[2]<<8)|buffer[1];
    asf_scrambling_b=(buffer[4]<<8)|buffer[3];
    asf_scrambling_w/=asf_scrambling_b;

A char is converted to int here, so the int value can be a negative number.
This leads to a heap-based buffer overflow in asf_descrambling().


[2] in libmpdemux/aviheader.c
- -----------------------------------
    s->wLongsPerEntry = stream_read_word_le(demuxer->stream);
    s->bIndexSubType = stream_read_char(demuxer->stream);
    s->bIndexType = stream_read_char(demuxer->stream);
    s->nEntriesInUse = stream_read_dword_le(demuxer->stream);
    *(uint32_t *)s->dwChunkId = stream_read_dword_le(demuxer->stream);
    stream_read(demuxer->stream, (char *)s->dwReserved, 3*4);
    memset(s->dwReserved, 0, 3*4);

    print_avisuperindex_chunk(s,MSGL_V);

    msize = sizeof (uint32_t) * s->wLongsPerEntry * s->nEntriesInUse; /* [ERROR] */
    s->aIndex = malloc(msize);
    memset (s->aIndex, 0, msize);
    s->stdidx = malloc (s->nEntriesInUse * sizeof (avistdindex_chunk)); /* [ERROR] */
    memset (s->stdidx, 0, s->nEntriesInUse * sizeof (avistdindex_chunk));

    // now the real index of indices
    for (i=0; i<s->nEntriesInUse; i++) {
        chunksize-=16;
        s->aIndex[i].qwOffset = stream_read_dword_le(demuxer->stream) & 0xffffffff;
        s->aIndex[i].qwOffset |= ((uint64_t)stream_read_dword_le(demuxer->stream) & 0xffffffff)<<32;
        s->aIndex[i].dwSize = stream_read_dword_le(demuxer->stream);
        s->aIndex[i].dwDuration = stream_read_dword_le(demuxer->stream);
        mp_msg (MSGT_HEADER, MSGL_V, "ODML (%.4s): [%d] 0x%016"PRIx64" 0x%04x %u\n",
                (s->dwChunkId), i,
                (uint64_t)s->aIndex[i].qwOffset, s->aIndex[i].dwSize, s->aIndex[i].dwDuration);
    }

[ERROR] These two integer overflows lead to a heap-based buffer overflow.
NOTE: aviheader.c has other potential integer overflows.
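
Added example, not part of the XFOCUS advisory and not MPlayer's code: it models the msize expression from excerpt [2] in 32-bit arithmetic to show the wrap, then validates the two header fields with overflow-checked multiplication before any allocation. The function names, the bytes_left parameter (chunk data still available for entries) and stdidx_elem (a stand-in for sizeof(avistdindex_chunk)) are assumptions, and the header values in main() are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The excerpt's msize expression, modelled in 32-bit arithmetic
 * (the width of size_t on a 32-bit build). */
static uint32_t unchecked_msize32(uint16_t longs_per_entry, uint32_t entries)
{
    return (uint32_t)sizeof(uint32_t) * longs_per_entry * entries;
}

/* Multiply two sizes; return -1 instead of wrapping. */
static int checked_mul(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return -1;
    *out = a * b;
    return 0;
}

/* Validate both header fields before any malloc(). Assumptions, not taken
 * from MPlayer: bytes_left is the chunk data still available for entries,
 * and stdidx_elem stands in for sizeof(avistdindex_chunk). The 16 bytes per
 * entry match the four dword reads per loop iteration in the excerpt. */
static int superindex_sizes(uint16_t longs_per_entry, uint32_t entries,
                            uint32_t bytes_left, size_t stdidx_elem,
                            size_t *aindex_bytes, size_t *stdidx_bytes)
{
    size_t per_entry;

    if (entries > bytes_left / 16)   /* header claims more than the file holds */
        return -1;
    if (checked_mul(sizeof(uint32_t), longs_per_entry, &per_entry) != 0 ||
        checked_mul(per_entry, entries, aindex_bytes) != 0 ||
        checked_mul(stdidx_elem, entries, stdidx_bytes) != 0)
        return -1;
    return 0;
}

int main(void)
{
    size_t a = 0, s = 0;
    /* Constructed header values: 4 longs per entry, 0x10000001 entries. */
    printf("32-bit msize: %u bytes\n", (unsigned)unchecked_msize32(4, 0x10000001u));
    printf("checked: %d\n", superindex_sizes(4, 0x10000001u, 64, 32, &a, &s));
    return 0;
}
```

With the constructed values the unchecked product wraps to 16 bytes while the loop bound stays at 0x10000001 entries; the checked path rejects the header before allocating.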


ABOUT XCON (Ad Time ;) )
========================
XCon2006 the Fifth Information Security Conference will be held
in Beijing, China, during August 18-20, 2006. ...
more at xcon2006 call for paper
http://www.xfocus.org/documents/200603/14.html

Welcome ;)


- --

Kind Regards,

- ---
XFOCUS Security Team
http://www.xfocus.org



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFEKiVkwhDwaF6cSWIRAppzAJ9cCFzXSN9yuU6gNqecBlGV1IaBOgCeJfGM
Vck95rxGIr86/9BZ3csUl0w=
=NdG5
-----END PGP SIGNATURE-----