lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20080320211313.48157b10.aluigi@autistici.org>
Date: Thu, 20 Mar 2008 21:13:13 +0100
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk,
	packet@...ketstormsecurity.org, cert@...t.org, news@...uriteam.com,
	vuln@...unia.com
Subject: Multiple heap overflows in xine-lib 1.1.11


#######################################################################

                             Luigi Auriemma

Application:  xine-lib
              http://xinehq.de
Versions:     <= 1.1.11
Platforms:    Linux, *BSD, Solaris, Irix, MacOSX, Windows and others
Bugs:         A] heap-overflow in demux_flv
              B] heap-overflow in demux_qt
              C] heap-overflow in demux_real
              D] heap-overflow in demux_wc3movie
              E] heap-overflow in ebml
              F] heap-overflow in demux_film
Exploitation: local
Date:         20 Mar 2008
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


>>From developers website:
"xine is a free (gpl-licensed) high-performance, portable and reusable
multimedia playback engine. xine itself is a shared library with an
easy to use, yet powerful API  which is used by many applications for
smooth video playback and video processing purposes."

The library and parts of its source code are widely used in many open
source players and projects.


#######################################################################

=======
2) Bugs
=======


xine-lib is affected by various heap overflow vulnerabilities caused by
the wrong 32 bit calculation of the amount of memory to allocate for
some destination buffers and arrays.
These bugs allow an attacker to control some registers or directly the
code flow (like with demux_qt) which could leat to the execution of
malicious code.
For brevity will be showed directly the instructions in the source code
which do these bad allocations.


-----------------------------
A] heap-overflow in demux_flv
-----------------------------

>>From src/demuxers/demux_flv.c:

static int parse_flv_var(demux_flv_t *this, 
                         unsigned char *buf, int size, char *key, int keylen) {
          ...
          this->index = xine_xmalloc(num*sizeof(flv_index_entry_t));
          ...
          this->index = xine_xmalloc(num*sizeof(flv_index_entry_t));


----------------------------
B] heap-overflow in demux_qt
----------------------------

Practically almost any allocation instruction in
src/demuxers/demux_qt.c is vulnerable to various types of heap
overflows.


------------------------------
C] heap-overflow in demux_real
------------------------------

>>From src/demuxers/demux_real.c:

static void real_parse_index(demux_real_t *this) {
        ...
        *index = xine_xmalloc(entries * sizeof(real_index_entry_t));


----------------------------------
D] heap-overflow in demux_wc3movie
----------------------------------

>>From src/demuxers/demux_wc3movie.c:

static int open_mve_file(demux_mve_t *this) {
  ...
  this->palettes = xine_xmalloc(this->number_of_shots * PALETTE_SIZE *
    sizeof(palette_entry_t));

Note that the output buffer is filled using a special lookup table.


------------------------
E] heap-overflow in ebml
------------------------

>>From src/demuxers/ebml.c:

int ebml_check_header(ebml_parser_t *ebml) {
        ...
        char *text = malloc(elem.len + 1);


------------------------------
F] heap-overflow in demux_film
------------------------------

>>From src/demuxers/demux_film.c:

static int open_film_file(demux_film_t *film) {
      ...
      film->sample_table =
        xine_xmalloc(film->sample_count * sizeof(film_sample_t));


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/xinehof.zip


#######################################################################

======
4) Fix
======


No fix


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ