-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory: xine-lib Quicktime STTS Atom Integer Overflow
Advisory ID: TKADV2009-005
Revision: 1.0
Release Date: 2009/04/04
Last Modified: 2009/04/04
Date Reported: 2009/03/05
Author: Tobias Klein (tk at trapkit.de)
Affected Software: xine-lib <= version 1.1.16.2
Remotely Exploitable: Yes
Locally Exploitable: No
Vendor URL: http://www.xine-project.org/
Vendor Status: Vendor has released an updated version
Patch development time: 30 days

======================
Vulnerability Details:
======================

Xine-lib contains an integer overflow vulnerability while parsing malformed STTS atoms of Quicktime movie files. The vulnerability may be exploited by a (remote) attacker to execute arbitrary code in the context of an application using the xine library.

==================
Technical Details:
==================

Source code file: xine-lib-1.1.16.2/src/demuxers/demux_qt.c:

[...]
 840 static qt_error parse_trak_atom (qt_trak *trak,
 841                                 unsigned char *trak_atom) {
...
1535     } else if (current_atom == STTS_ATOM) {
1536
1537       /* there should only be one of these atoms */
1538       if (trak->time_to_sample_table) {
1539         last_error = QT_HEADER_TROUBLE;
1540         goto free_trak;
1541       }
1542
1543 [1]   trak->time_to_sample_count = _X_BE_32(&trak_atom[i + 8]);
1544
1545       debug_atom_load("  qt stts atom (time-to-sample atom): %d entries\n",
1546         trak->time_to_sample_count);
1547
1548 [2]   trak->time_to_sample_table = (time_to_sample_table_t *)calloc(
1549         trak->time_to_sample_count+1, sizeof(time_to_sample_table_t));
1550       if (!trak->time_to_sample_table) {
1551         last_error = QT_NO_MEMORY;
1552         goto free_trak;
1553       }
1554
1555       /* load the time to sample table */
1556 [3]   for (j = 0; j < trak->time_to_sample_count; j++) {
1557 [4]     trak->time_to_sample_table[j].count =
1558           _X_BE_32(&trak_atom[i + 12 + j * 8 + 0]);
1559 [5]     trak->time_to_sample_table[j].duration =
1560           _X_BE_32(&trak_atom[i + 12 + j * 8 + 4]);
1561         debug_atom_load("  %d: count = %d, duration = %d\n",
1562           j, trak->time_to_sample_table[j].count,
1563           trak->time_to_sample_table[j].duration);
1564       }
1565       trak->time_to_sample_table[j].count = 0; /* terminate with zero*/
1566     }
1567   }
[...]

[1] The unsigned int variable "trak->time_to_sample_count" is filled with user supplied data from the media file.

[2] In the lines 1548 and 1549 an integer overflow happens as the first argument to calloc() is calculated with the addition "trak->time_to_sample_count+1". A user supplied "trak->time_to_sample_count" of UINT_MAX (0xffffffff) will cause an integer overflow within the first parameter of calloc() and therefore only allocate a 0 byte buffer. Please notice that calloc(0, sizeof(time_to_sample_table_t)) will not return a NULL pointer but a pointer into the legal heap on at least platforms like Windows and Linux.

[3] The value of "trak->time_to_sample_count" is used as a counter in this for() loop.

[4] User controlled data from the quicktime movie file gets copied into the previously allocated heap buffer (see [2]). As "j" is used as an array index and the for() loop is executed until "j < trak->time_to_sample_count" it is possible to overflow the heap buffer with user controlled data from the quicktime movie file.

[5] Same as [4]

=========
Solution:
=========

Upgrade to xine-lib >= 1.1.16.3.

========
History:
========

2009/03/05 - xine-lib maintainers notified (bugs.xine-project.org)
2009/04/03 - Public disclosure of vulnerability details by xine-lib maintainers
2009/04/04 - Release date of this security advisory

========
Credits:
========

Vulnerability found and advisory written by Tobias Klein.

===========
References:
===========

[1] http://www.xine-project.org/
[2] http://bugs.xine-project.org/show_bug.cgi?id=224
[3] http://www.trapkit.de/advisories/TKADV2009-005.txt

========
Changes:
========

Revision 0.1 - Initial draft release to the vendor
Revision 1.0 - Public release

===========
Disclaimer:
===========

The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

==================
PGP Signature Key:
==================

http://www.trapkit.de/advisories/tk-advisories-signature-key.asc

Copyright 2009 Tobias Klein. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG

iD8DBQFJ1y4ykXxgcAIbhEERAnHOAJ9n3LxWPCazqhQTHBQu+1PFgQgxVACglY2D
o6dqfG6/E0Orbcb3Xk0zV+8=
=+9V8
-----END PGP SIGNATURE-----
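The following is an added example illustrating the two checks that close the defect described under Technical Details points [2] through [5]: rejecting an entry count whose "+1" would wrap calloc()'s element count to zero, and bounding the count by the bytes the atom actually carries so the fill loop can never write past the allocation. It is written for this page and is not xine-lib's own code or its 1.1.16.3 fix; the type definitions, the function name parse_stts_safe and the sample atoms are constructed assumptions, and offsets here are taken from the atom's size field rather than from the type field as in the advisory's i + 8 / i + 12.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal stand-ins for the xine-lib types named in the advisory (assumption:
 * the real definitions in demux_qt.c carry more fields). */
typedef struct {
    unsigned int count;
    unsigned int duration;
} time_to_sample_table_t;

typedef enum { QT_OK = 0, QT_HEADER_TROUBLE, QT_NO_MEMORY } qt_error;

/* Big-endian 32-bit read, standing in for xine's _X_BE_32(). */
static unsigned int be32(const unsigned char *p) {
    return ((unsigned int)p[0] << 24) | ((unsigned int)p[1] << 16) |
           ((unsigned int)p[2] << 8) | (unsigned int)p[3];
}

/* Hardened stts parser (hypothetical name). `atom` points at the atom's size
 * field, so the layout is size(4) type(4) version/flags(4) count(4) followed by
 * 8 bytes per entry. `atom_len` is the number of bytes really present. */
static qt_error parse_stts_safe(const unsigned char *atom, size_t atom_len,
                                time_to_sample_table_t **table_out,
                                unsigned int *count_out) {
    const size_t header = 16;
    if (atom_len < header)
        return QT_HEADER_TROUBLE;

    unsigned int count = be32(&atom[12]);

    /* Check for [2]: count + 1 must not wrap to 0 and hand calloc() a
     * zero element count. */
    if (count == UINT_MAX)
        return QT_HEADER_TROUBLE;
    /* Check for [4]/[5]: every entry the loop reads must lie inside the bytes
     * the atom carries, so the copy is bounded by data that really exists. */
    if ((size_t)count > (atom_len - header) / 8)
        return QT_HEADER_TROUBLE;

    time_to_sample_table_t *t = calloc((size_t)count + 1, sizeof *t);
    if (!t)
        return QT_NO_MEMORY;

    for (unsigned int j = 0; j < count; j++) {
        const unsigned char *e = &atom[header + (size_t)j * 8];
        t[j].count = be32(e);
        t[j].duration = be32(e + 4);
    }
    t[count].count = 0; /* zero terminator, as in the original loop's tail */

    *table_out = t;
    *count_out = count;
    return QT_OK;
}

/* Constructed sample inputs (not taken from any real file). */
/* Well-formed atom with two entries: (10 samples x 1024) and (1 x 512). */
static const unsigned char GOOD_STTS[] = {
    0x00,0x00,0x00,0x20, 's','t','t','s', 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x02,
    0x00,0x00,0x00,0x0a, 0x00,0x00,0x04,0x00,
    0x00,0x00,0x00,0x01, 0x00,0x00,0x02,0x00,
};
/* Entry count 0xffffffff with no entry data: the count the advisory describes. */
static const unsigned char WRAP_STTS[] = {
    0x00,0x00,0x00,0x10, 's','t','t','s', 0x00,0x00,0x00,0x00, 0xff,0xff,0xff,0xff,
};
/* Entry count 16 but only one entry's worth of bytes present. */
static const unsigned char SHORT_STTS[] = {
    0x00,0x00,0x00,0x18, 's','t','t','s', 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x10,
    0x00,0x00,0x00,0x0a, 0x00,0x00,0x04,0x00,
};

/* Parse an atom, discard the table and report the parser's verdict. */
qt_error check_atom(const unsigned char *atom, size_t atom_len) {
    time_to_sample_table_t *t = NULL;
    unsigned int n = 0;
    qt_error err = parse_stts_safe(atom, atom_len, &t, &n);
    free(t);
    return err;
}

/* Duration of the second GOOD_STTS entry, to show the table is really filled. */
unsigned int good_second_duration(void) {
    time_to_sample_table_t *t = NULL;
    unsigned int n = 0;
    if (parse_stts_safe(GOOD_STTS, sizeof GOOD_STTS, &t, &n) != QT_OK)
        return 0;
    unsigned int d = (n >= 2) ? t[1].duration : 0;
    free(t);
    return d;
}

int main(void) {
    printf("good:  %d\n", check_atom(GOOD_STTS, sizeof GOOD_STTS));   /* 0 (QT_OK) */
    printf("wrap:  %d\n", check_atom(WRAP_STTS, sizeof WRAP_STTS));   /* 1 (QT_HEADER_TROUBLE) */
    printf("short: %d\n", check_atom(SHORT_STTS, sizeof SHORT_STTS)); /* 1 (QT_HEADER_TROUBLE) */
    return 0;
}
```

The length check alone would also reject the UINT_MAX count, but keeping the explicit wrap test documents the arithmetic the advisory points at and protects the allocation even if a caller later passes a larger atom_len than the entries need.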