Summary:
Xine-lib contains an integer overflow vulnerability while parsing malformed STTS atoms of Quicktime movie files. The vulnerability may be exploited by a (remote) attacker to execute arbitrary code in the context of an application using the xine library.
Credit:
The information has been provided by Tobias Klein.
The original article can be found at: http://www.trapkit.de/advisories/TKADV2009-005.txt
Vulnerable Systems:
* xine-lib versions prior to 1.1.16.2
Immune Systems:
* xine-lib version 1.1.16.3
Technical Details:
Source code file: xine-lib-1.1.16.2/src/demuxers/demux_qt.c:
[...]
840 static qt_error parse_trak_atom (qt_trak *trak,
841 unsigned char *trak_atom) {
...
1535 } else if (current_atom == STTS_ATOM) {
1536
1537 /* there should only be one of these atoms */
1538 if (trak->time_to_sample_table) {
1539 last_error = QT_HEADER_TROUBLE;
1540 goto free_trak;
1541 }
1542
1543 [1] trak->time_to_sample_count = _X_BE_32(&trak_atom[i + 8]);
1544
1545 debug_atom_load(" qt stts atom (time-to-sample atom): %d entries\n",
1546 trak->time_to_sample_count);
1547
1548 [2] trak->time_to_sample_table = (time_to_sample_table_t *)calloc(
1549 trak->time_to_sample_count+1, sizeof(time_to_sample_table_t));
1550 if (!trak->time_to_sample_table) {
1551 last_error = QT_NO_MEMORY;
1552 goto free_trak;
1553 }
1554
1555 /* load the time to sample table */
1556 [3] for (j = 0; j < trak->time_to_sample_count; j++) {
1557 [4] trak->time_to_sample_table[j].count =
1558 _X_BE_32(&trak_atom[i + 12 + j * 8 + 0]);
1559 [5] trak->time_to_sample_table[j].duration =
1560 _X_BE_32(&trak_atom[i + 12 + j * 8 + 4]);
1561 debug_atom_load(" %d: count = %d, duration = %d\n",
1562 j, trak->time_to_sample_table[j].count,
1563 trak->time_to_sample_table[j].duration);
1564 }
1565 trak->time_to_sample_table[j].count = 0; /* terminate with zero*/
1566 }
1567 }
[...]
[1] The unsigned int variable "trak->time_to_sample_count" is filled with user-supplied data read from the media file.
[2] In lines 1548 and 1549 an integer overflow occurs because the first argument to calloc() is computed as "trak->time_to_sample_count+1". A user-supplied "trak->time_to_sample_count" of UINT_MAX (0xffffffff) wraps that argument to 0, so calloc() allocates only a 0-byte buffer. Note that calloc(0, sizeof(time_to_sample_table_t)) does not return a NULL pointer but a valid pointer into the heap on at least Windows and Linux, so the NULL check in line 1550 does not catch this case.
[3] The value of "trak->time_to_sample_count" is used as the loop bound of this for() loop.
[4] User-controlled data from the Quicktime movie file is copied into the previously allocated heap buffer (see [2]). Since "j" is used as the array index and the for() loop runs while "j < trak->time_to_sample_count", the 0-byte heap buffer is overflowed with user-controlled data from the movie file.
[5] Same as [4].
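The following is an added example, not code from xine-lib or from the advisory author, showing the two checks that the excerpt above lacks: the declared entry count is validated against the bytes actually present in the atom before any allocation, and the calloc() arguments are checked for wrap-around. It assumes the layout the advisory's indexes imply (the buffer starts at the 'stts' type field, the big-endian entry count sits at offset 8 and the 8-byte entries start at offset 12); the sample atoms, the function and type names are constructed for this example.

```c
/* Added example (not xine-lib code): a bounds-checked STTS parser.
 * Assumed layout, mirroring the advisory's indexes: buf+0 'stts' type,
 * buf+4 version/flags, buf+8 big-endian entry count, buf+12 8-byte entries. */
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

typedef struct {
    uint32_t count;     /* consecutive samples sharing this duration */
    uint32_t duration;  /* duration of each of those samples */
} stts_entry_t;

typedef enum {
    STTS_OK = 0,
    STTS_TRUNCATED,       /* header or declared entries do not fit in the atom */
    STTS_COUNT_OVERFLOW,  /* count+1 or count*sizeof would wrap size_t */
    STTS_NO_MEMORY
} stts_status_t;

#define STTS_HEADER_LEN 12u   /* type(4) + version/flags(4) + entry count(4) */
#define STTS_ENTRY_LEN  8u

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parses the STTS atom in buf[0..len). On success *out is a calloc'd table of
 * count+1 entries (zero-terminated, as in xine) that the caller frees. */
static stts_status_t parse_stts(const unsigned char *buf, size_t len,
                                stts_entry_t **out, uint32_t *out_count)
{
    *out = NULL;
    *out_count = 0;
    if (len < STTS_HEADER_LEN)
        return STTS_TRUNCATED;

    uint32_t count = be32(buf + 8);            /* attacker-controlled, as at [1] */

    /* Check 1: the declared entries must physically fit in the atom. This is
     * what rejects a 0xffffffff count: no atom carries 0xffffffff * 8 bytes. */
    uint64_t needed = (uint64_t)count * STTS_ENTRY_LEN;
    if (needed > (uint64_t)(len - STTS_HEADER_LEN))
        return STTS_TRUNCATED;

    /* Check 2: the calloc() arguments must not wrap (the "+1" of line 1549),
     * which matters for 32-bit size_t. Done in size_t before the call. */
    if ((size_t)count > SIZE_MAX / sizeof(stts_entry_t) - 1)
        return STTS_COUNT_OVERFLOW;

    stts_entry_t *table = calloc((size_t)count + 1, sizeof(stts_entry_t));
    if (!table)
        return STTS_NO_MEMORY;

    for (uint32_t j = 0; j < count; j++) {
        const unsigned char *e = buf + STTS_HEADER_LEN + (size_t)j * STTS_ENTRY_LEN;
        table[j].count    = be32(e);
        table[j].duration = be32(e + 4);
    }
    table[count].count = 0;                    /* terminator, as in the original */
    *out = table;
    *out_count = count;
    return STTS_OK;
}

/* Constructed sample atoms (not taken from any real file). */
static const unsigned char GOOD_STTS[] = {
    's','t','t','s', 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x02,   /* 2 entries */
    0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x64,                    /* 1 x 100  */
    0x00,0x00,0x00,0x0a, 0x00,0x00,0x00,0x32,                    /* 10 x 50  */
};
/* Header claims 0xffffffff entries but only one is present: the shape at [2]-[4]. */
static const unsigned char HOSTILE_STTS[] = {
    's','t','t','s', 0x00,0x00,0x00,0x00, 0xff,0xff,0xff,0xff,
    0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x64,
};

/* Sum of sample counts in the benign atom, walking to the zero terminator. */
static uint32_t total_samples_good(void) {
    stts_entry_t *t; uint32_t n, total = 0;
    if (parse_stts(GOOD_STTS, sizeof GOOD_STTS, &t, &n) != STTS_OK)
        return 0;
    for (uint32_t j = 0; t[j].count != 0; j++)
        total += t[j].count;
    free(t);
    return total;                              /* 1 + 10 = 11 */
}

/* Status the parser returns for the hostile atom (rejected before calloc). */
static stts_status_t status_hostile(void) {
    stts_entry_t *t; uint32_t n;
    stts_status_t s = parse_stts(HOSTILE_STTS, sizeof HOSTILE_STTS, &t, &n);
    free(t);                                   /* NULL on failure: no-op */
    return s;
}

int main(void) {
    printf("benign atom: %u samples total\n", total_samples_good());
    printf("hostile atom: status %d (0 = accepted)\n", (int)status_hostile());
    return 0;
}
```

The size check runs before the allocation, so the hostile atom never reaches calloc() at all; the separate SIZE_MAX guard is only there for builds where size_t is 32 bits and the "+1" or the multiplication inside calloc() could still wrap.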
Solution:
Upgrade to xine-lib version 1.1.16.3 or newer.
Disclosure Timeline:
2009/03/05 - xine-lib maintainers notified (bugs.xine-project.org)
2009/04/03 - Public disclosure of vulnerability details by xine-lib maintainers
2009/04/04 - Release date of this security advisory
References:
[1] http://www.xine-project.org/
[2] http://bugs.xine-project.org/show_bug.cgi?id=224
[3] http://www.trapkit.de/advisories/TKADV2009-005.txt