MPlayer: Multiple integer overflows

2006.03.29
Risk: High
Local: Yes
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 5.1/10
Impact Subscore: 6.4/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [xfocus-SD-060329]MPlayer: Multiple integer overflows MPlayer is a media player capable of handling multiple multimedia file formats. XFOCUS team (http://www.xfocus.org/) had discovered Multiple integer overflows .Those can lead to a heap-based buffer overflow. This could result in the execution of arbitrary code with the permissions of the user running MPlayer. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- media-video/mplayer <= 1.0.20060329 Description =========== [1]in libmpdemux/asfheader.c - ----------------------------------- 218 asf_scrambling_h=buffer[0]; 219 asf_scrambling_w=(buffer[2]<<8)|buffer[1]; 220 asf_scrambling_b=(buffer[4]<<8)|buffer[3]; 221 asf_scrambling_w/=asf_scrambling_b; char convert to int ,int value would be negative number. this lead to asf_descrambling() heap-based buffer overflow. [2]in libmpdemux/aviheader.c - ----------------------------------- 218 s->wLongsPerEntry = stream_read_word_le(demuxer->stream); 219 s->bIndexSubType = stream_read_char(demuxer->stream); 220 s->bIndexType = stream_read_char(demuxer->stream); 221 s->nEntriesInUse = stream_read_dword_le(demuxer->stream); 222 *(uint32_t *)s->dwChunkId = stream_read_dword_le(demuxer->stream); 223 stream_read(demuxer->stream, (char *)s->dwReserved, 3*4); 224 memset(s->dwReserved, 0, 3*4); 225 226 print_avisuperindex_chunk(s,MSGL_V); 227 228 msize = sizeof (uint32_t) * s->wLongsPerEntry * s->nEntriesInUse;[ERROR] 229 s->aIndex = malloc(msize); 230 memset (s->aIndex, 0, msize); 231 s->stdidx = malloc (s->nEntriesInUse * sizeof (avistdindex_chunk));[ERROR] 232 memset (s->stdidx, 0, s->nEntriesInUse * sizeof (avistdindex_chunk)); 233 234 // now the real index of indices 235 for (i=0; i<s->nEntriesInUse; i++) { 236 chunksize-=16; 237 s->aIndex[i].qwOffset = stream_read_dword_le(demuxer->stream) & 0xffffffff; 238 s->aIndex[i].qwOffset |= ((uint64_t)stream_read_dword_le(demuxer->stream) & 0xffffffff)<<32; 239 s->aIndex[i].dwSize = stream_read_dword_le(demuxer->stream); 240 s->aIndex[i].dwDuration = stream_read_dword_le(demuxer->stream); 241 mp_msg (MSGT_HEADER, MSGL_V, "ODML (%.4s): [%d] 0x%016"PRIx64" 0x%04x %un", 242 (s->dwChunkId), i, 243 (uint64_t)s->aIndex[i].qwOffset, s->aIndex[i].dwSize, s->aIndex[i].dwDuration); 244 } [ERROR] two integer overflows lead to a heap-based buffer overflow. NOTE: aviheader.c have another potential integer overflows. ABOUT XCON (Ad Time ;) ) ======================== XCon2006 the Fifth Information Security Conference will be held in Beijing, China, during August 18-20, 2006. ... more at xcon2006 call for paper http://www.xfocus.org/documents/200603/14.html Welcome ;) - -- Kind Regards, - --- XFOCUS Security Team http://www.xfocus.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFEKiVkwhDwaF6cSWIRAppzAJ9cCFzXSN9yuU6gNqecBlGV1IaBOgCeJfGM Vck95rxGIr86/9BZ3csUl0w= =NdG5 -----END PGP SIGNATURE-----


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top