
xine-lib Quicktime STTS Atom Integer Overflow

Posted Apr 6, 2009
Authored by Tobias Klein | Site trapkit.de

Xine-lib contains an integer overflow vulnerability while parsing malformed STTS atoms of Quicktime movie files. The vulnerability may be exploited by a (remote) attacker to execute arbitrary code in the context of an application using the xine library. Versions 1.1.16.2 and below are affected.

tags | advisory, remote, overflow, arbitrary
SHA-256 | e630315f5a4f17bed6c30a6e60f105c698b76e14980eecb44cd918005fc63440

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory: xine-lib Quicktime STTS Atom Integer Overflow
Advisory ID: TKADV2009-005
Revision: 1.0
Release Date: 2009/04/04
Last Modified: 2009/04/04
Date Reported: 2009/03/05
Author: Tobias Klein (tk at trapkit.de)
Affected Software: xine-lib <= version 1.1.16.2
Remotely Exploitable: Yes
Locally Exploitable: No
Vendor URL: http://www.xine-project.org/
Vendor Status: Vendor has released an updated version
Patch development time: 30 days


======================
Vulnerability Details:
======================

Xine-lib contains an integer overflow vulnerability while parsing malformed
STTS atoms of Quicktime movie files. The vulnerability may be exploited by
a (remote) attacker to execute arbitrary code in the context of an
application using the xine library.


==================
Technical Details:
==================

Source code file: xine-lib-1.1.16.2/src/demuxers/demux_qt.c:

[...]
 840       static qt_error parse_trak_atom (qt_trak *trak,
 841                                        unsigned char *trak_atom) {
...
1535         } else if (current_atom == STTS_ATOM) {
1536
1537           /* there should only be one of these atoms */
1538           if (trak->time_to_sample_table) {
1539             last_error = QT_HEADER_TROUBLE;
1540             goto free_trak;
1541           }
1542
1543 [1]       trak->time_to_sample_count = _X_BE_32(&trak_atom[i + 8]);
1544
1545           debug_atom_load(" qt stts atom (time-to-sample atom): %d entries\n",
1546             trak->time_to_sample_count);
1547
1548 [2]       trak->time_to_sample_table = (time_to_sample_table_t *)calloc(
1549             trak->time_to_sample_count+1, sizeof(time_to_sample_table_t));
1550           if (!trak->time_to_sample_table) {
1551             last_error = QT_NO_MEMORY;
1552             goto free_trak;
1553           }
1554
1555           /* load the time to sample table */
1556 [3]       for (j = 0; j < trak->time_to_sample_count; j++) {
1557 [4]         trak->time_to_sample_table[j].count =
1558               _X_BE_32(&trak_atom[i + 12 + j * 8 + 0]);
1559 [5]         trak->time_to_sample_table[j].duration =
1560               _X_BE_32(&trak_atom[i + 12 + j * 8 + 4]);
1561             debug_atom_load(" %d: count = %d, duration = %d\n",
1562               j, trak->time_to_sample_table[j].count,
1563               trak->time_to_sample_table[j].duration);
1564           }
1565           trak->time_to_sample_table[j].count = 0; /* terminate with zero */
1566         }
1567       }
[...]

[1] The unsigned int variable "trak->time_to_sample_count" is filled with
    user-supplied data from the media file.
[2] In lines 1548 and 1549 an integer overflow happens, as the first
    argument to calloc() is calculated with the addition
    "trak->time_to_sample_count+1". A user-supplied
    "trak->time_to_sample_count" of UINT_MAX (0xffffffff) causes an
    integer overflow in the first parameter of calloc(), so only a
    0 byte buffer is allocated. Note that
    calloc(0, sizeof(time_to_sample_table_t)) does not return a NULL
    pointer but a pointer into the legal heap, at least on platforms
    such as Windows and Linux.
[3] The value of "trak->time_to_sample_count" is used as the upper bound
    of this for() loop.
[4] User-controlled data from the Quicktime movie file gets copied into
    the previously allocated heap buffer (see [2]). As "j" is used as an
    array index and the for() loop runs while
    "j < trak->time_to_sample_count", it is possible to overflow the heap
    buffer with user-controlled data from the Quicktime movie file.
[5] Same as [4]
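
The following is an added example, not code from the advisory or from the
xine-lib fix: a bounds-checked version of the STTS table load that rejects
an entry count the atom cannot hold before allocating. The names tts_entry,
be32, wrapped_alloc_count and parse_stts_checked and the sample byte arrays
are assumptions made for illustration; only the offsets +8 and +12 come from
the code above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for xine's time_to_sample_table_t (assumed layout). */
typedef struct { uint32_t count, duration; } tts_entry;

static uint32_t be32(const unsigned char *p) {
  return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
         ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* What the vulnerable calloc() receives: a 32-bit count + 1 wraps to 0. */
uint32_t wrapped_alloc_count(uint32_t count) { return count + 1; }

/* p plays the role of &trak_atom[i]; len is the number of bytes left from p.
   Offsets +8 (count) and +12 (8-byte entries) are those in the advisory.
   Returns 0 on success, -1 for a malformed atom, -2 when out of memory. */
int parse_stts_checked(const unsigned char *p, size_t len,
                       tts_entry **out, uint32_t *out_count) {
  if (len < 12) return -1;
  uint32_t count = be32(p + 8);
  /* Every entry consumes 8 input bytes, so a count the atom cannot hold
     is rejected before any allocation. */
  if (count > (len - 12) / 8) return -1;
  /* The bound above plus widening to size_t keeps count + 1 from wrapping. */
  tts_entry *t = calloc((size_t)count + 1, sizeof *t);
  if (!t) return -2;
  for (uint32_t j = 0; j < count; j++) {
    t[j].count    = be32(p + 12 + (size_t)j * 8);
    t[j].duration = be32(p + 12 + (size_t)j * 8 + 4);
  }
  t[count].count = 0; /* terminate with zero, as the original does */
  *out = t;
  *out_count = count;
  return 0;
}

/* Constructed sample atoms (not taken from a real file). */
static const unsigned char good_atom[] = { 's','t','t','s', 0,0,0,0, 0,0,0,2,
  0,0,0,5, 0,0,0,100,  0,0,0,1, 0,0,0,50 };
static const unsigned char bad_atom[] = { 's','t','t','s', 0,0,0,0,
  0xff,0xff,0xff,0xff,  0,0,0,5, 0,0,0,100 };

int main(void) {
  tts_entry *t = NULL; uint32_t n = 0;
  printf("count+1: %u\n", (unsigned)wrapped_alloc_count(0xffffffffu));
  printf("good: %d\n", parse_stts_checked(good_atom, sizeof good_atom, &t, &n));
  free(t);
  printf("bad: %d\n", parse_stts_checked(bad_atom, sizeof bad_atom, &t, &n));
  return 0;
}
```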


=========
Solution:
=========

Upgrade to xine-lib >= 1.1.16.3.


========
History:
========

2009/03/05 - xine-lib maintainers notified (bugs.xine-project.org)
2009/04/03 - Public disclosure of vulnerability details by xine-lib
maintainers
2009/04/04 - Release date of this security advisory


========
Credits:
========

Vulnerability found and advisory written by Tobias Klein.


===========
References:
===========

[1] http://www.xine-project.org/
[2] http://bugs.xine-project.org/show_bug.cgi?id=224
[3] http://www.trapkit.de/advisories/TKADV2009-005.txt


========
Changes:
========

Revision 0.1 - Initial draft release to the vendor
Revision 1.0 - Public release


===========
Disclaimer:
===========

The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.


==================
PGP Signature Key:
==================

http://www.trapkit.de/advisories/tk-advisories-signature-key.asc


Copyright 2009 Tobias Klein. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG

iD8DBQFJ1y4ykXxgcAIbhEERAnHOAJ9n3LxWPCazqhQTHBQu+1PFgQgxVACglY2D
o6dqfG6/E0Orbcb3Xk0zV+8=
=+9V8
-----END PGP SIGNATURE-----