Mar 29, 2006 - 12:00 a.m.

[Full-disclosure] [xfocus-SD-060329]MPlayer: Multiple integer overflows


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

    [xfocus-SD-060329]MPlayer: Multiple integer overflows

MPlayer is a media player capable of handling multiple multimedia file
formats.

The XFOCUS team (http://www.xfocus.org/) has discovered multiple integer
overflows in MPlayer. These can lead to a heap-based buffer overflow,
which could result in the execution of arbitrary code with the
permissions of the user running MPlayer.

Affected packages

-------------------------------------------------------------------
 Package              /    Vulnerable    /              Unaffected
-------------------------------------------------------------------

media-video/mplayer <= 1.0.20060329

Description

[1] In libmpdemux/asfheader.c:

    218           asf_scrambling_h=buffer[0];
    219           asf_scrambling_w=(buffer[2]<<8)|buffer[1];
    220           asf_scrambling_b=(buffer[4]<<8)|buffer[3];
    221           asf_scrambling_w/=asf_scrambling_b;

buffer is a char array, so when one of its bytes is converted to int the
resulting value can be negative. The negative scrambling values lead to a
heap-based buffer overflow in asf_descrambling().

[2] In libmpdemux/aviheader.c:

    218       s->wLongsPerEntry = stream_read_word_le(demuxer->stream);
    219       s->bIndexSubType = stream_read_char(demuxer->stream);
    220       s->bIndexType = stream_read_char(demuxer->stream);
    221       s->nEntriesInUse = stream_read_dword_le(demuxer->stream);
    222       *(uint32_t *)s->dwChunkId = stream_read_dword_le(demuxer->stream);
    223       stream_read(demuxer->stream, (char *)s->dwReserved, 34);
    224       memset(s->dwReserved, 0, 3*4);
    225
    226       print_avisuperindex_chunk(s,MSGL_V);
    227
    228       msize = sizeof (uint32_t) * s->wLongsPerEntry * s->nEntriesInUse;   // [ERROR]
    229       s->aIndex = malloc(msize);
    230       memset (s->aIndex, 0, msize);
    231       s->stdidx = malloc (s->nEntriesInUse * sizeof (avistdindex_chunk));   // [ERROR]
    232       memset (s->stdidx, 0, s->nEntriesInUse * sizeof (avistdindex_chunk));
    233
    234       // now the real index of indices
    235       for (i=0; i<s->nEntriesInUse; i++) {
    236           chunksize-=16;
    237           s->aIndex[i].qwOffset = stream_read_dword_le(demuxer->stream) & 0xffffffff;
    238           s->aIndex[i].qwOffset |= ((uint64_t)stream_read_dword_le(demuxer->stream) & 0xffffffff)<<32;
    239           s->aIndex[i].dwSize = stream_read_dword_le(demuxer->stream);
    240           s->aIndex[i].dwDuration = stream_read_dword_le(demuxer->stream);
    241           mp_msg (MSGT_HEADER, MSGL_V, "ODML (%.4s): [%d] 0x%016"PRIx64" 0x%04x %u\n",
    242               (s->dwChunkId), i,
    243               (uint64_t)s->aIndex[i].qwOffset, s->aIndex[i].dwSize, s->aIndex[i].dwDuration);
    244       }

[ERROR] These two integer overflows lead to a heap-based buffer overflow.
NOTE: aviheader.c has other potential integer overflows.
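The two defect classes above, as an added illustration that is not MPlayer's code: a constructed 5-byte ASF scrambling sample run through the signed-char width computation and its unsigned-char fix, and the aviheader.c allocation-size product computed with wrapping 32-bit arithmetic beside an overflow-checked version. Function names and sample values are assumptions, and the 32-bit size is modelled with uint32_t.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed sample of the 5 ASF scrambling bytes: h = 0, w = 0x01FF, b = 0. */
static const char ASF_SAMPLE[5] = {0x00, (char)0xFF, 0x01, 0x00, 0x00};

/* asfheader.c pattern: buffer is a plain char array. Where char is signed
   (x86 ABIs) a byte >= 0x80 promotes to a negative int, and OR-ing it with
   the shifted high byte makes the whole width negative. */
static int asf_scrambling_w_as_written(const char *buffer) {
    return (buffer[2] << 8) | buffer[1];
}

/* Hardened form: widen through unsigned char so every byte is 0..255. */
static int asf_scrambling_w_fixed(const char *buffer) {
    const unsigned char *b = (const unsigned char *)buffer;
    return (b[2] << 8) | b[1];
}

/* aviheader.c pattern: both factors of the malloc() size come from the file.
   Modelled with a 32-bit size (uint32_t, as on 32-bit builds): the product
   wraps, malloc() gets a tiny block, yet the loop that follows in the
   demuxer still writes nEntriesInUse entries into it. */
static uint32_t avi_msize_as_written(uint16_t wLongsPerEntry, uint32_t nEntriesInUse) {
    return (uint32_t)sizeof(uint32_t) * wLongsPerEntry * nEntriesInUse;
}

/* Hardened form: reject zero counts and any product above `limit` (UINT32_MAX
   models a 32-bit size_t; use SIZE_MAX on 64-bit). The division cannot wrap.
   Returns 1 and stores the size, or 0 when the size must not be trusted. */
static int avi_msize_checked(uint16_t wLongsPerEntry, uint32_t nEntriesInUse,
                             uint64_t limit, uint64_t *msize) {
    uint64_t per_entry = (uint64_t)sizeof(uint32_t) * wLongsPerEntry;
    if (wLongsPerEntry == 0 || nEntriesInUse == 0) return 0;
    if (nEntriesInUse > limit / per_entry) return 0;
    *msize = per_entry * nEntriesInUse;
    return 1;
}

int main(void) {
    uint64_t msize = 0;
    printf("asf w: as written %d, fixed %d\n",
           asf_scrambling_w_as_written(ASF_SAMPLE), asf_scrambling_w_fixed(ASF_SAMPLE));
    /* 16 * 0x10000001 = 0x100000010, which wraps to 16 in 32 bits. */
    printf("avi msize: as written %u, checked accepted? %d\n",
           avi_msize_as_written(4, 0x10000001u),
           avi_msize_checked(4, 0x10000001u, UINT32_MAX, &msize));
    return 0;
}
```

On a platform where char is unsigned (many ARM ABIs) the as-written ASF computation happens to give the right answer, which is exactly why the defect went unnoticed on some builds and not others.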

ABOUT XCON (Ad Time ;) )

XCon2006, the Fifth Information Security Conference, will be held
in Beijing, China, during August 18-20, 2006. …
More at the XCon2006 call for papers:
http://www.xfocus.org/documents/200603/14.html

Welcome ;)


Kind Regards,


XFOCUS Security Team
http://www.xfocus.org



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/