[UCI-Linux] XFOCUS Security Team: [VulnWatch] [xfocus-SD-060329]MPlayer: Multiple integer overflows

Mike Iglesias iglesias at draco.acs.uci.edu
Wed Mar 29 08:30:58 PST 2006


If you are using mplayer on your Linux system, look for an update soon.


------- Forwarded Message

Message-ID: <442A2564.9010600 at xfocus.org>
Date: Wed, 29 Mar 2006 14:12:52 +0800
From: XFOCUS Security Team <security at xfocus.org>
To: bugtraq at securityfocus.com, full-disclosure at lists.grok.org.uk,
        vulnwatch at vulnwatch.org, mplayer-users at mplayerhq.hu
Subject: [VulnWatch] [xfocus-SD-060329]MPlayer: Multiple integer overflows


	[xfocus-SD-060329]MPlayer: Multiple integer overflows

  MPlayer is a media player capable of handling multiple multimedia file
formats.

  XFOCUS team (http://www.xfocus.org/) has discovered multiple integer
overflows. Those can lead to a heap-based buffer overflow. This could
result in the execution of arbitrary code with the permissions of the
user running MPlayer.


Affected packages
=================

    -------------------------------------------------------------------
     Package              /    Vulnerable    /              Unaffected
    -------------------------------------------------------------------
   media-video/mplayer     <= 1.0.20060329

Description
===========

[1] in libmpdemux/asfheader.c
-----------------------------------
    asf_scrambling_h=buffer[0];
    asf_scrambling_w=(buffer[2]<<8)|buffer[1];
    asf_scrambling_b=(buffer[4]<<8)|buffer[3];
    asf_scrambling_w/=asf_scrambling_b;

A char is converted to int, and the int value would be a negative number.
This leads to a heap-based buffer overflow in asf_descrambling().


[2] in libmpdemux/aviheader.c
-----------------------------------
    s->wLongsPerEntry = stream_read_word_le(demuxer->stream);
    s->bIndexSubType = stream_read_char(demuxer->stream);
    s->bIndexType = stream_read_char(demuxer->stream);
    s->nEntriesInUse = stream_read_dword_le(demuxer->stream);
    *(uint32_t *)s->dwChunkId = stream_read_dword_le(demuxer->stream);
    stream_read(demuxer->stream, (char *)s->dwReserved, 3*4);
    memset(s->dwReserved, 0, 3*4);

    print_avisuperindex_chunk(s,MSGL_V);

    msize = sizeof (uint32_t) * s->wLongsPerEntry * s->nEntriesInUse; /* [ERROR] */
    s->aIndex = malloc(msize);
    memset (s->aIndex, 0, msize);
    s->stdidx = malloc (s->nEntriesInUse * sizeof (avistdindex_chunk)); /* [ERROR] */
    memset (s->stdidx, 0, s->nEntriesInUse * sizeof (avistdindex_chunk));

    // now the real index of indices
    for (i=0; i<s->nEntriesInUse; i++) {
        chunksize-=16;
        s->aIndex[i].qwOffset = stream_read_dword_le(demuxer->stream) & 0xffffffff;
        s->aIndex[i].qwOffset |= ((uint64_t)stream_read_dword_le(demuxer->stream) & 0xffffffff)<<32;
        s->aIndex[i].dwSize = stream_read_dword_le(demuxer->stream);
        s->aIndex[i].dwDuration = stream_read_dword_le(demuxer->stream);
        mp_msg (MSGT_HEADER, MSGL_V, "ODML (%.4s): [%d] 0x%016"PRIx64" 0x%04x %u\n",
                (s->dwChunkId), i,
                (uint64_t)s->aIndex[i].qwOffset, s->aIndex[i].dwSize, s->aIndex[i].dwDuration);
    }

[ERROR] Two integer overflows lead to a heap-based buffer overflow.
NOTE: aviheader.c has other potential integer overflows.


ABOUT XCON (Ad Time ;) )
========================
  XCon2006 the Fifth Information Security Conference will be held
in Beijing, China, during August 18-20, 2006. ...
  more at xcon2006 call for paper
  http://www.xfocus.org/documents/200603/14.html

  Welcome ;)


--

Kind Regards,

---
XFOCUS Security Team
http://www.xfocus.org




------- End of Forwarded Message
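
Added example (not part of the forwarded advisory and not MPlayer's code): the size arithmetic from item [2], first as it wraps with a 32-bit size_t and then with an overflow check bounded by the bytes left in the chunk. The struct, the function names, the chunk_left parameter and the sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the two file-supplied fields in the excerpt. */
struct superindex_hdr {
    uint16_t wLongsPerEntry;
    uint32_t nEntriesInUse;
};

/* The excerpt's msize as computed with a 32-bit size_t: reduced mod 2^32. */
uint32_t msize_unchecked32(const struct superindex_hdr *h)
{
    return (uint32_t)sizeof(uint32_t) * h->wLongsPerEntry * h->nEntriesInUse;
}

/* Store a*b*c in *out; fail if it overflows size_t or exceeds limit. */
int checked_mul3(size_t a, size_t b, size_t c, size_t limit, size_t *out)
{
    if (b != 0 && a > SIZE_MAX / b)
        return -1;
    a *= b;
    if (c != 0 && a > SIZE_MAX / c)
        return -1;
    a *= c;
    if (a > limit)
        return -1;
    *out = a;
    return 0;
}

/* Allocate only if the size is valid; chunk_left (bytes left in chunk) is assumed. */
void *alloc_index(const struct superindex_hdr *h, size_t chunk_left, size_t *msize)
{
    if (checked_mul3(sizeof(uint32_t), h->wLongsPerEntry, h->nEntriesInUse,
                     chunk_left, msize) != 0 || *msize == 0)
        return NULL;
    return calloc(1, *msize);
}

int main(void)
{
    struct superindex_hdr h = { 4, 0x10000001u }; /* constructed sample */
    size_t n = 0;
    void *p = alloc_index(&h, 4096, &n);
    printf("wrapped=%u %s\n", (unsigned)msize_unchecked32(&h), p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```

With the constructed header the wrapped size is far smaller than the table the following read loop would fill, while the checked path refuses the header before any allocation.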


