-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory:               VLC media player TiVo ty Processing Stack Overflow 
                        Vulnerability
Advisory ID:            TKADV2008-010
Revision:               1.0              
Release Date:           2008/10/20 
Last Modified:          2008/10/20 
Date Reported:          2008/10/18
Author:                 Tobias Klein (tk at trapkit.de)
Affected Software:      VLC media player <= 0.9.4
Remotely Exploitable:   Yes
Locally Exploitable:    No 
Vendor URL:             http://www.videolan.org/ 
Vendor Status:          Vendor has released an updated version       
Patch development time: 1 day

                    
======================
Vulnerability details: 
======================

The VLC media player contains a stack overflow vulnerability while parsing
malformed TiVo ty media files. The vulnerability can be trivially exploited
by a (remote) attacker to execute arbitrary code in the context of VLC 
media player.


==================
Technical Details:
==================

Source code file: modules\demux\Ty.c

[...]
1623	static void parse_master(demux_t *p_demux)
1624	{
1625	  demux_sys_t *p_sys = p_demux->p_sys;
1626	  uint8_t mst_buf[32];  <-- [1]
1627	  int i, i_map_size;
1628	  int64_t i_save_pos = stream_Tell(p_demux->s);
1629	  int64_t i_pts_secs;
1630	
1631	  /* Note that the entries in the SEQ table in the stream may have
1632	     different sizes depending on the bits per entry.  We store them
1633	     all in the same size structure, so we have to parse them out one
1634	     by one.  If we had a dynamic structure, we could simply read the
1635	     entire table directly from the stream into memory in place. */
1636	
1637	  /* clear the SEQ table */
1638	  free(p_sys->seq_table);
1639	    
1640	  /* parse header info */
1641	  stream_Read(p_demux->s, mst_buf, 32);  <-- [2]
1642	  i_map_size = U32_AT(&mst_buf[20]);  <-- [3]
1643	  p_sys->i_bits_per_seq_entry = i_map_size * 8;
1644	  i = U32_AT(&mst_buf[28]);   /* size of SEQ table, in bytes */
1645	  p_sys->i_seq_table_size = i / (8 + i_map_size);
1646	
1647	  /* parse all the entries */
1648	  p_sys->seq_table = malloc(p_sys->i_seq_table_size * 
                                  sizeof(ty_seq_table_t));
1649	  for (i=0; i<p_sys->i_seq_table_size; i++) {
1650	      stream_Read(p_demux->s, mst_buf, 8 + i_map_size);  <-- [4]
[...]

[1] This stack buffer can be overflowed
[2] 32 bytes of user controlled file data are copied into "mst_buf"
[3] "i_map_size" is extracted from the user controlled file data 
[4] The user controlled value of "i_map_size" is used as a length value 
    for the "stream_Read()" function. This function copies "i_map_size" 
    bytes of file data (that can also be controlled by the attacker) into 
    the stack buffer "mst_buf". This leads to a straight stack overflow 
    that can be trivially exploited by a (remote) attacker to execute 
    arbitrary code in the context of VLC.


========= 
Solution: 
=========

  See "Workarounds" and "Solution" sections of the VideoLAN-SA-0809 [1].


======== 
History: 
========

  2008/10/18 - Vendor notified
  2008/10/18 - Patch developed 
  2008/10/20 - Public disclosure of vulnerability details by the vendor
  2008/10/20 - Release date of this security advisory


======== 
Credits: 
========

  Vulnerability found and advisory written by Tobias Klein.


=========== 
References: 
===========

 [1] http://www.videolan.org/security/sa0809.html
 [2] http://git.videolan.org/?p=vlc.git;a=commitdiff;h=26d92b87bba99b5ea2
     e17b7eaa39c462d65e9133
 [3] http://www.trapkit.de/advisories/TKADV2008-010.txt


======== 
Changes: 
========

  Revision 0.1 - Initial draft release to the vendor
  Revision 1.0 - Public release
  

===========
Disclaimer:
===========

The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.


================== 
PGP Signature Key: 
==================

  http://www.trapkit.de/advisories/tk-advisories-signature-key.asc

  
Copyright 2008 Tobias Klein. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG 

iD8DBQFI/NfLkXxgcAIbhEERAvEkAJ9odKw1+t5W/DECP1SVllB4aVm50gCgnh7t
sVoBGqJAPMNOQTaYy/88V3g=
=OlPB
-----END PGP SIGNATURE-----