Full Disclosure mailing list archives
mplayer overflow
From: Sven Tantau <sven () sven-tantau de>
Date: Wed, 24 Aug 2005 04:34:49 +0200
Hello, is someone able to confirm this? ---------------------------------------------------------- Advisory: mplayer buffer overflow Product: mplayer Affected Version: 1.0_pre7 (tested), 1.0_pre6-r4 (tested), 1.0pre6-3.3.5-20050130 (confirmed) OS affected: Linux 2.4.* (tested), 2.6.* (confirmed), other OS not tested Date: 24.08.2005 Author: Sven Tantau - http://www.sven-tantau.de/ Advisory-URL: http://www.sven-tantau.de/public_files/mplayer/mplayer_20050824.txt Vendor-URL: http://www.mplayerhq.hu/ Vendor-Status: informed Product =======
man mplayer
DESCRIPTION mplayer is a movie player for Linux (runs on many other platforms and CPU architectures, see the documentation). It plays most MPEG/VOB, AVI, ASF/WMA/WMV, RM, QT/MOV/MP4, OGG/OGM, MKV, VIVO, FLI, NuppelVideo, yuv4mpeg, FILM and RoQ files, supported by many native and binary codecs. You can watch VideoCD, SVCD, DVD, 3ivx, DivX 3/4/5 and even WMV movies, too. ... Details ======= For high values of the 2 bytes strf parameter in the audio header of a video file, it is possible to overflow sh_audio->a_buffer, overwrite the instruction pointer and execute arbitrary code. Not sure, but I think the problem is in: af.c: int af_calc_insize_constrained(af_stream_t* s, int len,int max_outsize,int max_insize); ...as this function is used to calculate declen in dec_audio.c, and declen is supposed to prevent an overflow. Instruction pointer gets overwritten in: libmpdemux/demuxer.c: int demux_read_data(demux_stream_t *ds,unsigned char* mem,int len); If would like to reproduce this or write an exploit: Get a copy of 'Animaniacs - Nations of the World.avi'. (md5: 5ef6428a55c7b00095e2cb5554490acf sha1: 1deeb9640f9864cd5b3db04ffc9a660039a172e4) Watch it. :) Patch offset 0x12B to 0xFF. Use gdb. Have fun. History ======= 2005-08-10 issue found by Sven Tantau 2005-08-16 vendor contacted and public disclosure 2005-08-24 no reaction from mplayer team, posting to full disclosure ---------------------------------------------------------- -- Sven Tantau +49 177 7824828 http://www.sven-tantau.de/ *** http://www.beastiebytes.de/ http://twe.sven-tantau.de/ *** http://www.bewiso.de/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- mplayer overflow Sven Tantau (Aug 23)