[MPlayer-users] Bug? strf in audio header
Sven Tantau
sven at sven-tantau.de
Tue Aug 16 14:39:56 CEST 2005

Hello.
I spotted an exploitable problem inside mplayer.
Is someone able to reproduce this?
Download 'Animaniacs - Nations of the World.avi' / 6522776 from your
favorite p2p thing. Watch it. :)
Patch offset 0x12B to 0xFF.
Please read the first version of my advisory and correct me if my
conclusion is wrong.
--------------------------------------------------------------------------------
Advisory: mplayer buffer overflow
Product:          mplayer
Affected Version: current mplayer-1.0_pre7 (tested), mplayer-1.0_pre6-r4 (tested)
OS affected:      Linux 2.4.* (tested), 2.6.*
Date:             16.08.2005
Author:           Sven Tantau - http://www.sven-tantau.de/
Vendor-URL:       http://www.mplayerhq.hu/
Vendor-Status:    informed
Product
=======
>> man mplayer
DESCRIPTION
mplayer  is  a movie player for Linux (runs on many other platforms and
CPU architectures, see the documentation).  It plays most
MPEG/VOB, AVI, ASF/WMA/WMV, RM, QT/MOV/MP4, OGG/OGM, MKV, VIVO, FLI,
NuppelVideo, yuv4mpeg, FILM and RoQ files, supported by many
native and binary codecs.  You can watch VideoCD, SVCD, DVD, 3ivx, DivX
3/4/5 and even WMV movies, too.
...
Details
=======
For high values of the 2-byte strf parameter in the audio header of a
video file, it is possible to overflow sh_audio->a_buffer, overwrite the
instruction pointer and execute arbitrary code.
Not sure, but I think the problem is in:
af.c: int af_calc_insize_constrained(af_stream_t* s, int len, int max_outsize, int max_insize);
...as this function is used to calculate declen in dec_audio.c, and
declen is supposed to prevent an overflow.
History
=======
2005-06-10 issue found by Sven Tantau
2005-06-16 vendor contacted and public disclosure
--------------------------------------------------------------------
Regards,
Sven
-- 
Sven Tantau
+49 177 7824828
http://www.sven-tantau.de/  ***  http://www.beastiebytes.de/
http://twe.sven-tantau.de/  ***  http://www.bewiso.de/
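The pattern the advisory describes, as an added example that is neither Sven's code nor MPlayer's: a 16-bit field read from the audio strf chunk (WAVEFORMATEX layout; block_align is the field this example treats as attacker-controlled, which is an assumption, since the post does not say which field sits at the patched offset) is used to round a decode length up to whole blocks. If that length is never compared with the fixed audio buffer, a value such as 0xFFFF yields a write far larger than the buffer; the constrained variant rejects implausible block sizes and clamps to the free space. A_BUFFER_SIZE, the rounding formula and the sample strf bytes are all constructed for this example.

```c
/* Added example, not MPlayer code: an untrusted 16-bit strf field driving a
 * decode length past a fixed audio buffer, and the check that prevents it. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define A_BUFFER_SIZE 4096      /* hypothetical fixed size of sh_audio->a_buffer */

/* WAVEFORMATEX-style audio strf chunk, little-endian, 18 bytes. */
typedef struct {
    uint16_t format_tag;
    uint16_t channels;
    uint32_t samples_per_sec;
    uint32_t avg_bytes_per_sec;
    uint16_t block_align;       /* 16-bit field treated as attacker-controlled here (assumption) */
    uint16_t bits_per_sample;
    uint16_t cb_size;
} wave_format_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Parse the strf payload; returns 0 on success, -1 if it is truncated. */
int parse_strf_audio(const uint8_t *buf, size_t len, wave_format_t *wf)
{
    if (len < 18) return -1;
    wf->format_tag        = rd16(buf + 0);
    wf->channels          = rd16(buf + 2);
    wf->samples_per_sec   = rd32(buf + 4);
    wf->avg_bytes_per_sec = rd32(buf + 8);
    wf->block_align       = rd16(buf + 12);
    wf->bits_per_sample   = rd16(buf + 14);
    wf->cb_size           = rd16(buf + 16);
    return 0;
}

/* Vulnerable pattern: the decode length is rounded up to a whole number of
 * blocks using the header value and never compared with the buffer size.
 * Returns the number of bytes the decoder would write. */
int decode_len_unchecked(const wave_format_t *wf, int minlen)
{
    int align = wf->block_align;
    if (align == 0) align = 1;
    return ((minlen + align - 1) / align) * align;
}

/* Hardened: reject a block size that cannot fit in the free space and clamp
 * the rounded length to that space, so a copy of declen bytes stays in bounds. */
int decode_len_constrained(const wave_format_t *wf, int minlen, int buffer_free)
{
    int align = wf->block_align;
    if (align < 1 || align > buffer_free) return -1;   /* not even one block fits */
    int declen = ((minlen + align - 1) / align) * align;
    if (declen > buffer_free) declen = (buffer_free / align) * align;
    return declen;
}

/* Simulated decode step into a fixed buffer. Returns bytes written, or -1. */
int decode_into_buffer(const wave_format_t *wf, int minlen, uint8_t *a_buffer, int *a_buffer_len)
{
    int declen = decode_len_constrained(wf, minlen, A_BUFFER_SIZE - *a_buffer_len);
    if (declen < 0) return -1;
    memset(a_buffer + *a_buffer_len, 0xAA, (size_t)declen);  /* stand-in for decoder output */
    *a_buffer_len += declen;
    return declen;
}

/* Constructed 18-byte strf payload: PCM, 2 channels, 44100 Hz, block_align = 0xFFFF. */
static const uint8_t evil_strf[18] = {
    0x01,0x00, 0x02,0x00, 0x44,0xAC,0x00,0x00, 0x10,0xB1,0x02,0x00,
    0xFF,0xFF, 0x10,0x00, 0x00,0x00
};

int main(void)
{
    wave_format_t wf;
    uint8_t a_buffer[A_BUFFER_SIZE];
    int a_buffer_len = 0;

    if (parse_strf_audio(evil_strf, sizeof evil_strf, &wf) != 0) return 1;
    printf("block_align = %u\n", wf.block_align);
    printf("unchecked declen = %d (buffer is %d bytes)\n",
           decode_len_unchecked(&wf, 1024), A_BUFFER_SIZE);
    printf("constrained decode = %d (negative means rejected)\n",
           decode_into_buffer(&wf, 1024, a_buffer, &a_buffer_len));
    return 0;
}
```

With block_align = 0xFFFF the unchecked length is 65535 bytes against a 4096-byte buffer; the constrained variant refuses the header instead of clamping silently, since a block larger than the buffer can never be decoded safely. A zero block_align, which would otherwise divide by zero, is rejected by the same range check.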