Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:19464
HistoryMar 21, 2008 - 12:00 a.m.

Multiple heap overflows in xine-lib 1.1.11

2008-03-2100:00:00
vulners.com
9
JSON

#######################################################################

                         Luigi Auriemma

Application: xine-lib
http://xinehq.de
Versions: <= 1.1.11
Platforms: Linux, *BSD, Solaris, Irix, MacOSX, Windows and others
Bugs: A] heap-overflow in demux_flv
B] heap-overflow in demux_qt
C] heap-overflow in demux_real
D] heap-overflow in demux_wc3movie
E] heap-overflow in ebml
F] heap-overflow in demux_film
Exploitation: local
Date: 20 Mar 2008
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction

From developers website:
"xine is a free (gpl-licensed) high-performance, portable and reusable
multimedia playback engine. xine itself is a shared library with an
easy to use, yet powerful API which is used by many applications for
smooth video playback and video processing purposes."

The library and parts of its source code are widely used in many open
source players and projects.

#######################################################################

=======
2) Bugs

xine-lib is affected by various heap overflow vulnerabilities caused by
the wrong 32 bit calculation of the amount of memory to allocate for
some destination buffers and arrays.
These bugs allow an attacker to control some registers or directly the
code flow (like with demux_qt) which could leat to the execution of
malicious code.
For brevity will be showed directly the instructions in the source code
which do these bad allocations.

A] heap-overflow in demux_flv

From src/demuxers/demux_flv.c:

static int parse_flv_var(demux_flv_t *this,
unsigned char buf, int size, char key, int keylen) {

this->index = xine_xmalloc(numsizeof(flv_index_entry_t));

this->index = xine_xmalloc(numsizeof(flv_index_entry_t));

B] heap-overflow in demux_qt

Practically almost any allocation instruction in
src/demuxers/demux_qt.c is vulnerable to various types of heap
overflows.

C] heap-overflow in demux_real

From src/demuxers/demux_real.c:

static void real_parse_index(demux_real_t *this) {

*index = xine_xmalloc(entries * sizeof(real_index_entry_t));

D] heap-overflow in demux_wc3movie

From src/demuxers/demux_wc3movie.c:

static int open_mve_file(demux_mve_t *this) {

this->palettes = xine_xmalloc(this->number_of_shots * PALETTE_SIZE *
sizeof(palette_entry_t));

Note that the output buffer is filled using a special lookup table.

E] heap-overflow in ebml

From src/demuxers/ebml.c:

int ebml_check_header(ebml_parser_t *ebml) {

char *text = malloc(elem.len + 1);

F] heap-overflow in demux_film

From src/demuxers/demux_film.c:

static int open_film_file(demux_film_t *film) {

film->sample_table =
xine_xmalloc(film->sample_count * sizeof(film_sample_t));

#######################################################################

===========
3) The Code

http://aluigi.org/poc/xinehof.zip

#######################################################################

======
4) Fix

No fix

#######################################################################

Luigi Auriemma
http://aluigi.org

JSON