lists.openwall.net - Open Source and information security mailing list archives
Message-ID: <20070301120845.GA16@fugu1.local>
Date: Thu, 1 Mar 2007 13:08:45 +0100
From: Moritz Jodeit <moritz@...eit.org>
To: full-disclosure@...ts.grok.org.uk
Subject: MPlayer DMO buffer overflow

There's an exploitable buffer overflow in the current version of
MPlayer (v1.0rc1) which can be exploited with a maliciously crafted
video file. It's hidden in the function DMO_VideoDecoder() in the
file loader/dmo/DMO_VideoDecoder.c. The variable format->biSize gets
its value directly from the video file, and thus can have any value
up to LONG_MAX. In line 136 it is used without any further checks as
the length argument to the memcpy() call, which can overflow the
this->m_sVhdr->bmiHeader buffer with data directly from the video file.

117         unsigned int bihs;
118
119         bihs = (format->biSize < (int) sizeof(BITMAPINFOHEADER)) ?
120             sizeof(BITMAPINFOHEADER) : format->biSize;
121
122         this->iv.m_bh = malloc(bihs);
123         memcpy(this->iv.m_bh, format, bihs);
124
125         this->iv.m_State = STOP;
126         //this->iv.m_pFrame = 0;
127         this->iv.m_Mode = DIRECT;
128         this->iv.m_iDecpos = 0;
129         this->iv.m_iPlaypos = -1;
130         this->iv.m_fQuality = 0.0f;
131         this->iv.m_bCapable16b = true;
132
133         bihs += sizeof(VIDEOINFOHEADER) - sizeof(BITMAPINFOHEADER);
134         this->m_sVhdr = malloc(bihs);
135         memset(this->m_sVhdr, 0, bihs);
136         memcpy(&this->m_sVhdr->bmiHeader, this->iv.m_bh, this->iv.m_bh->biSize);

This got fixed [1] in trunk two weeks ago.

[1] http://svn.mplayerhq.hu/mplayer/trunk/loader/dmo/DMO_VideoDecoder.c?r1=22019&r2=22204

Best,
Moritz Jodeit

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
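Worked example, added here and not part of Moritz's post or of MPlayer's source: a C program that mirrors the arithmetic of lines 119-136 above to show which biSize values make the line-136 memcpy() longer than the block allocated at line 134, and beside it a bounds-checked version of the same copy that rejects a biSize smaller than the header, larger than the bytes actually read from the file, or beyond a sane ceiling. The struct layouts are the Win32 BITMAPINFOHEADER/VIDEOINFOHEADER definitions with fixed-width types; treating biSize as a signed 32-bit field (the (int) cast at line 119 suggests it) and the 64 KiB ceiling are this example's assumptions, not facts about MPlayer's loader headers. The function names (vulnerable_plan, plan_overflows, safe_copy_bih, make_format) are made up for the example, and the input it parses is constructed inline.

```c
/* Added example, not MPlayer's code.  Fixed-width Win32 layouts; a signed
 * 32-bit biSize (as the (int) cast at line 119 suggests) and the 64 KiB
 * ceiling are this example's assumptions, not facts about MPlayer. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef struct {
    int32_t  biSize;            /* taken straight from the video file */
    int32_t  biWidth, biHeight;
    uint16_t biPlanes, biBitCount;
    uint32_t biCompression, biSizeImage;
    int32_t  biXPelsPerMeter, biYPelsPerMeter;
    uint32_t biClrUsed, biClrImportant;
} BITMAPINFOHEADER;             /* 40 bytes */

typedef struct { int32_t left, top, right, bottom; } RECT;
typedef struct {
    RECT     rcSource, rcTarget;
    uint32_t dwBitRate, dwBitErrorRate;
    int64_t  AvgTimePerFrame;
    BITMAPINFOHEADER bmiHeader; /* last member; extra format bytes follow */
} VIDEOINFOHEADER;              /* 88 bytes */

#define VHDR_PREFIX  (sizeof(VIDEOINFOHEADER) - sizeof(BITMAPINFOHEADER))
#define BIH_MAX_SIZE (64u * 1024u)
/* (1) Lines 119-136 with the same types and arithmetic, but nothing copied. */
struct plan { size_t bh_alloc, vhdr_alloc, copy_len; };
struct plan vulnerable_plan(int32_t biSize)
{
    unsigned int bihs;  struct plan p;
    bihs = (biSize < (int)sizeof(BITMAPINFOHEADER)) ?  /* line 119: a floor, */
        sizeof(BITMAPINFOHEADER) : biSize;             /* never a ceiling */
    p.bh_alloc = bihs;                                 /* line 122 */
    bihs += VHDR_PREFIX;                               /* line 133 */
    p.vhdr_alloc = bihs;                               /* line 134 */
    p.copy_len = (size_t)biSize;   /* line 136: raw biSize; negative -> enormous */
    return p;
}

/* Would the line-136 memcpy() run past the end of the m_sVhdr block? */
int plan_overflows(struct plan p)
{
    return p.vhdr_alloc < VHDR_PREFIX || p.copy_len > p.vhdr_alloc - VHDR_PREFIX;
}

/* (2) Checked replacement.  buf/buf_len is the format blob read from the file;
 * on success *out is a calloc'd VIDEOINFOHEADER holding exactly biSize bytes
 * of it.  Returns 0 or a negative code; a bad biSize is rejected, not clamped. */
int safe_copy_bih(const uint8_t *buf, size_t buf_len,
                  VIDEOINFOHEADER **out, size_t *out_len)
{
    int32_t raw;  size_t bsize;  VIDEOINFOHEADER *v;
    *out = NULL;  *out_len = 0;
    if (buf_len < sizeof(BITMAPINFOHEADER))
        return -1;                    /* not even a complete header */
    memcpy(&raw, buf, sizeof raw);    /* biSize is the first field */
    if (raw < (int32_t)sizeof(BITMAPINFOHEADER))
        return -2;                    /* negative or too small */
    bsize = (size_t)raw;
    if (bsize > buf_len)
        return -3;                    /* claims more than the file holds */
    if (bsize > BIH_MAX_SIZE)
        return -4;                    /* absurd, and keeps the sum below sane */
    if (!(v = calloc(1, VHDR_PREFIX + bsize)))
        return -5;
    memcpy(&v->bmiHeader, buf, bsize); /* <= buf_len, and fits inside v */
    *out = v;  *out_len = VHDR_PREFIX + bsize;
    return 0;
}

/* Constructed input: a header claiming `claimed` in biSize, then `extra`
 * filler bytes.  Returns bytes written, or 0 if dst is too small. */
size_t make_format(uint8_t *dst, size_t cap, int32_t claimed, size_t extra)
{
    BITMAPINFOHEADER h = { 0 };
    if (cap < sizeof h + extra)
        return 0;
    h.biSize = claimed;  h.biWidth = 320;  h.biHeight = 240;
    h.biPlanes = 1;  h.biBitCount = 24;
    memcpy(dst, &h, sizeof h);
    memset(dst + sizeof h, 0xAB, extra);
    return sizeof h + extra;
}

int main(void)
{
    static const int32_t probes[] = { 40, 100, -1, 8, 0x7fffffff };
    uint8_t buf[256];  VIDEOINFOHEADER *v;  size_t n;
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        struct plan p = vulnerable_plan(probes[i]);
        int rc = safe_copy_bih(buf, make_format(buf, sizeof buf, probes[i], 0), &v, &n);
        printf("biSize=%11d  original: memcpy %zu bytes into %zu-byte block%s  checked: rc=%d\n",
               probes[i], p.copy_len, p.vhdr_alloc, plan_overflows(p) ? " OVERFLOW" : "", rc);
        free(v);                      /* NULL after a rejection; free(NULL) is a no-op */
    }
    return 0;
}
```

The model makes the point that the comparison at line 119 is a floor, not a bounds check: a negative biSize is clamped to sizeof(BITMAPINFOHEADER) for the two malloc() calls but is handed unchanged to memcpy() at line 136, where conversion to size_t turns it into an enormous length. The same posted lines also show line 123 copying bihs bytes out of format, so a large positive biSize over-reads the caller's buffer even where the line-136 destination is big enough; the checked version closes both by comparing biSize against the bytes actually present (buf_len) before anything is allocated. Build with cc -std=c99 -Wall and run it; each probe prints what the original arithmetic would do next to the checked result.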
