-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory: VLC media player RealMedia Processing Integer Overflow Vulnerability
Advisory ID: TKADV2008-013
Revision: 1.1
Release Date: 2008/11/30
Last Modified: 2008/12/20
Date Reported: 2008/11/14
Author: Tobias Klein (tk at trapkit.de)
Affected Software: VLC media player < 0.9.8a
Remotely Exploitable: Yes
Locally Exploitable: No
Vendor URL: http://www.videolan.org/
Vendor Status: Vendor has released an updated version
CVE-ID: CVE-2008-5276
Patch development time: 18 days

======================
Vulnerability Details:
======================

The VLC media player contains an integer overflow vulnerability in its parsing of malformed RealMedia (.rm) files. The overflow leads to a heap buffer overflow that a (remote) attacker can exploit, by supplying a crafted file or stream, to execute arbitrary code in the context of the VLC media player.

==================
Technical Details:
==================

Source code file: modules\demux\real.c

[...]
891 static void ReadRealIndex( demux_t *p_demux )
892 {
...
900     uint32_t      i_index_count;
...
920 [1] i_index_count = GetDWBE( &buffer[10] );
...
931 [2] p_sys->p_index =
932         (rm_index_t *)malloc( sizeof( rm_index_t ) * (i_index_count+1) );
933     if( p_sys->p_index == NULL )
934         return;
935
936     memset(p_sys->p_index, 0, sizeof(rm_index_t) * (i_index_count+1));
937
938 [3] for( i=0; i<i_index_count; i++ )
939     {
940         if( stream_Read( p_demux->s, buffer, 14 ) < 14 )
941             return ;
942
943 [7]     if( GetWBE( &buffer[0] ) != 0 )
944         {
945             msg_Dbg( p_demux, "Real Index: invaild version of index entry %d ",
946                      GetWBE( &buffer[0] ) );
947             return;
948         }
949
950 [4]     p_sys->p_index[i].time_offset = GetDWBE( &buffer[2] );
951 [5]     p_sys->p_index[i].file_offset = GetDWBE( &buffer[6] );
952 [6]     p_sys->p_index[i].frame_index = GetDWBE( &buffer[10] );
953         msg_Dbg( p_demux, "Real Index: time %d file %d frame %d ",
954                  p_sys->p_index[i].time_offset,
955                  p_sys->p_index[i].file_offset,
956                  p_sys->p_index[i].frame_index );
957
958     }
959 }
[...]
[1] The index entry count "i_index_count" is read straight from the RealMedia file as a big-endian 32-bit value. No upper bound is applied to it.

[2] "i_index_count" is used to compute the size of a heap buffer, sizeof( rm_index_t ) * (i_index_count+1). If the value is big enough (e.g. 0x15555555) the multiplication overflows the 32-bit size_t of the affected platform. With sizeof( rm_index_t ) == 12 (three 32-bit fields, as the assignments at [4], [5] and [6] indicate), (0x15555555+1) * 12 = 0x100000008, which wraps to 8. As a consequence an attacker can obtain a very small heap buffer by supplying a very large value for "i_index_count". The memset() at line 936 uses the same wrapped size, so it does not fault and the undersized buffer survives into the loop.

[3] The original, unwrapped value of "i_index_count" is used as the upper bound of this for() loop, so the loop iterates far more times than the buffer has entries.

[4] User controlled data from the RealMedia file gets copied into the previously allocated heap buffer (see [2]). As "i" is used as an array index and the for() loop is executed until "i