
TKADV2008-011.txt

Posted Nov 7, 2008
Authored by Tobias Klein | Site trapkit.de

The VLC media player contains a stack overflow vulnerability while parsing malformed RealText (rt) subtitle files. The vulnerability can be trivially exploited by a (remote) attacker to execute arbitrary code in the context of VLC media player. Versions below 0.9.6 are affected.

tags | advisory, remote, overflow, arbitrary
SHA-256 | 61e27c6eddbf9e4287833b974a6c98a8cbff9ad64f0e65b56725d5eebcbb162b

Advisory: VLC media player RealText Processing Stack Overflow Vulnerability
Advisory ID: TKADV2008-011
Revision: 1.0
Release Date: 2008/11/05
Last Modified: 2008/11/05
Date Reported: 2008/11/03
Author: Tobias Klein (tk at trapkit.de)
Affected Software: VLC media player < 0.9.6
Remotely Exploitable: Yes
Locally Exploitable: No
Vendor URL: http://www.videolan.org/
Vendor Status: Vendor has released an updated version
Patch development time: 2 days


======================
Vulnerability details:
======================

The VLC media player contains a stack overflow vulnerability while parsing
malformed RealText (rt) subtitle files. The vulnerability can be trivially
exploited by a (remote) attacker to execute arbitrary code in the context
of VLC media player.

VLC handles subtitles automatically: it checks for a subtitle file with the
same name as the loaded video and, if such a file is found, loads and parses
it without any user interaction.


==================
Technical Details:
==================

Source code file: modules\demux\subtitle.c (lines 1843-1880 of the affected
version)

[...]
static int ParseRealText( demux_t *p_demux, subtitle_t *p_subtitle,
                          int i_idx )
{
    VLC_UNUSED( i_idx );
    demux_sys_t *p_sys = p_demux->p_sys;
    text_t *txt = &p_sys->txt;
    char *psz_text = NULL;
[1] char psz_end[12]= "", psz_begin[12] = "";

    for( ;; )
    {
        int h1 = 0, m1 = 0, s1 = 0, f1 = 0;
        int h2 = 0, m2 = 0, s2 = 0, f2 = 0;
        const char *s = TextGetLine( txt );
        free( psz_text );

        if( !s )
            return VLC_EGENERIC;

        psz_text = malloc( strlen( s ) + 1 );
        if( !psz_text )
            return VLC_ENOMEM;

        /* Find the good beginning. This removes extra spaces at the
           beginning of the line. */
        char *psz_temp = strcasestr( s, "<time");
        if( psz_temp != NULL )
        {
            /* Line has begin and end */
[2]         if( ( sscanf( psz_temp,
                    "<%*[t|T]ime %*[b|B]egin=\"%[^\"]\" %*[e|E]nd=\"%[^\"]%*[^>]%[^\n\r]",
                    psz_begin, psz_end, psz_text) != 3 ) &&
            /* Line has begin and no end */
[3]             ( sscanf( psz_temp,
                    "<%*[t|T]ime %*[b|B]egin=\"%[^\"]\"%*[^>]%[^\n\r]",
                    psz_begin, psz_text ) != 2) )
            /* Line is not recognized */
            {
                continue;
            }
[...]

[1] The stack buffers "psz_end" and "psz_begin" are only 12 bytes each and
can be overflowed.
[2] The sscanf() function reads its input from a user controlled character
string pointed to by "psz_temp". The "%[^\"]" conversions that fill
"psz_begin" and "psz_end" carry no maximum field width, so sscanf() copies
as many bytes as the subtitle line supplies into the 12-byte stack buffers
without any bounds checking. This leads to a straight stack overflow that
can be trivially exploited by a (remote) attacker to execute arbitrary
code in the context of VLC.
[3] see [2]
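As an added illustration (not VLC code and not the VideoLAN patch), the following bounded re-implementation of the <time begin="..." end="..."> tag parse shows the check that the sscanf() calls at [2] and [3] lack: every attribute value is measured against its destination buffer before it is copied, and a line whose timestamp would not fit is reported to the caller instead of overflowing the stack. The buffer size TS_CAP, the helper names and the return-code convention are assumptions made for this example.

```c
#include <string.h>
#include <strings.h>   /* strncasecmp() */

/* Assumed size: matches the advisory's 12-byte buffers, i.e. room for an
 * 11-character "hh:mm:ss.ff" timestamp plus the terminating NUL. */
#define TS_CAP 12

typedef struct {
    char begin[TS_CAP];
    char end[TS_CAP];
} rt_time_t;

/* Portable case-insensitive substring search (stands in for strcasestr()). */
static const char *ifind(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++)
        if (strncasecmp(hay, needle, n) == 0)
            return hay;
    return NULL;
}

/* Copy the quoted value that follows `key` (e.g. "begin=\"") into dst.
 * Returns the value length, 0 if the key is absent or unterminated, and -1
 * if the value would not fit: exactly the case the unbounded sscanf() misses. */
static int get_attr(const char *tag, const char *key, char *dst, size_t cap)
{
    const char *p = ifind(tag, key);
    if (!p) return 0;
    p += strlen(key);
    const char *q = strchr(p, '"');
    if (!q) return 0;
    size_t len = (size_t)(q - p);
    if (len >= cap) return -1;          /* bounds check before the copy */
    memcpy(dst, p, len);
    dst[len] = '\0';
    return (int)len;
}

/* Returns 1 when a <time begin="..."> tag was parsed (end is optional and
 * left empty if absent), 0 when the line carries no usable <time> tag, and
 * -1 when a timestamp exceeds its buffer; the caller should drop such a line. */
int parse_time_tag(const char *line, rt_time_t *out)
{
    const char *tag = ifind(line, "<time");
    out->begin[0] = out->end[0] = '\0';
    if (!tag) return 0;
    int b = get_attr(tag, "begin=\"", out->begin, sizeof out->begin);
    if (b <= 0) return b;               /* no begin attribute, or it overflows */
    if (get_attr(tag, "end=\"", out->end, sizeof out->end) < 0) return -1;
    return 1;
}
```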


=========
Solution:
=========

See "Workarounds" and "Solution" sections of the VideoLAN-SA-0810 [1].


========
History:
========

2008/11/03 - Vendor notified
2008/11/04 - Patch developed by VideoLAN team
2008/11/05 - Public disclosure of vulnerability details by the vendor
2008/11/05 - Release date of this security advisory


========
Credits:
========

Vulnerability found and advisory written by Tobias Klein.


===========
References:
===========

[1] http://www.videolan.org/security/sa0810.html
[2] http://git.videolan.org/?p=vlc.git;a=commitdiff;h=e3cef651125701a2e33a8d75b815b3e39681a447
[3] http://www.trapkit.de/advisories/TKADV2008-011.txt


========
Changes:
========

Revision 0.1 - Initial draft release to the vendor
Revision 1.0 - Public release


===========
Disclaimer:
===========

The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.


==================
PGP Signature Key:
==================

http://www.trapkit.de/advisories/tk-advisories-signature-key.asc


Copyright 2008 Tobias Klein. All rights reserved.
