SecurityvulnsSECURITYVULNS:DOC:20845[TKADV2008-011] VLC media player RealText Processing Stack Overflow Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Advisory: VLC media player RealText Processing Stack Overflow
Vulnerability
Advisory ID: TKADV2008-011
Revision: 1.0
Release Date: 2008/11/05
Last Modified: 2008/11/05
Date Reported: 2008/11/03
Author: Tobias Klein (tk at trapkit.de)
Affected Software: VLC media player < 0.9.6
Remotely Exploitable: Yes
Locally Exploitable: No
Vendor URL: http://www.videolan.org/
Vendor Status: Vendor has released an updated version
Patch development time: 2 days
======================
Vulnerability details:
The VLC media player contains a stack overflow vulnerability while parsing
malformed RealText (rt) subtitle files. The vulnerability can be trivially
exploited by a (remote) attacker to execute arbitrary code in the context
of VLC media player.
VLC handles subtitles automatically. It just checks the presence of a
subtitle file with the same name of the loaded video. If such a subtitle
file is found, VLC loads and parses the file.
==================
Technical Details:
Source code file: modules\demux\subtitle.c
[…]
1843 static int ParseRealText( demux_t p_demux, subtitle_t p_subtitle,
int i_idx )
1844 {
1845 VLC_UNUSED( i_idx );
1846 demux_sys_t p_sys = p_demux->p_sys;
1847 text_t txt = &p_sys->txt;
1848 char psz_text = NULL;
1849 [1] char psz_end[12]= "", psz_begin[12] = "";
1850
1851 for( ;; )
1852 {
1853 int h1 = 0, m1 = 0, s1 = 0, f1 = 0;
1854 int h2 = 0, m2 = 0, s2 = 0, f2 = 0;
1855 const char s = TextGetLine( txt );
1856 free( psz_text );
1857
1858 if( !s )
1859 return VLC_EGENERIC;
1860
1861 psz_text = malloc( strlen( s ) + 1 );
1862 if( !psz_text )
1863 return VLC_ENOMEM;
1864
1865 / Find the good begining. This removes extra spaces at the
1866 beginning of the line./
1867 char psz_temp = strcasestr( s, "<time");
1868 if( psz_temp != NULL )
1869 {
1870 / Line has begin and end /
1871 [2] if( ( sscanf( psz_temp,
1872 "<%[t|T]ime %[b|B]egin=\"%[^\"]\"
%[e|E]nd=\"%[^\"]%[^>]%[^\n\r]",
1873 psz_begin, psz_end, psz_text) != 3 ) &&
1874 / Line has begin and no end /
1875 [3] ( sscanf( psz_temp,
1876 "<%[t|T]ime
%[b|B]egin=\"%[^\"]\"%[^>]%[^\n\r]",
1877 psz_begin, psz_text ) != 2) )
1878 /* Line is not recognized */
1879 {
1880 continue;
1881 }
[…]
[1] The stack buffers "psz_end" and "psz_begin" can be overflowed
[2] The sscanf() function reads its input from a user controlled character
string pointed to by "psz_temp". The user controlled data gets stored
in the stack buffers "psz_end" and "psz_begin" without any bounds
checking. This leads to a straight stack overflow that can be trivially
exploited by a (remote) attacker to execute arbitrary code in the
context of VLC.
[3] see [2]
=========
Solution:
See "Workarounds" and "Solution" sections of the VideoLAN-SA-0810 [1].
========
History:
2008/11/03 - Vendor notified
2008/11/04 - Patch developed by VideoLAN team
2008/11/05 - Public disclosure of vulnerability details by the vendor
2008/11/05 - Release date of this security advisory
========
Credits:
Vulnerability found and advisory written by Tobias Klein.
===========
References:
[1] http://www.videolan.org/security/sa0810.html
[2] http://git.videolan.org/?p=vlc.git;a=commitdiff;h=e3cef65
1125701a2e33a8d75b815b3e39681a447
[3] http://www.trapkit.de/advisories/TKADV2008-011.txt
========
Changes:
Revision 0.1 - Initial draft release to the vendor
Revision 1.0 - Public release
===========
Disclaimer:
The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.
==================
PGP Signature Key:
http://www.trapkit.de/advisories/tk-advisories-signature-key.asc
Copyright 2008 Tobias Klein. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG
iD8DBQFJEzPUkXxgcAIbhEERAiEZAKDMp1El8xynNxp74AirlK4H4ccgJACeIsWD
2LuZrwTOVHnr7WWfN6UvJYg=
=xufj
-----END PGP SIGNATURE-----