VLC media player RealText Processing Stack Overflow
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| vlc (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
| Hardy |
Won't Fix
|
Undecided
|
Unassigned | ||
Bug Description
Binary package hint: vlc
http://
Includes: hardy, Intrepid, jaunty
Advisory: VLC media player RealText Processing Stack Overflow Vulnerability
Advisory ID: TKADV2008-011
Revision: 1.0
Release Date: 2008/11/05
Last Modified: 2008/11/05
Date Reported: 2008/11/03
Author: Tobias Klein (tk at trapkit.de)
Affected Software: VLC media player < 0.9.6
Remotely Exploitable: Yes
Locally Exploitable: No
Vendor URL: http://
Vendor Status: Vendor has released an updated version
Patch development time: 2 days
=======
Vulnerability details:
=======
The VLC media player contains a stack overflow vulnerability while parsing
malformed RealText (rt) subtitle files. The vulnerability can be trivially
exploited by a (remote) attacker to execute arbitrary code in the context
of VLC media player.
VLC handles subtitles automatically. It just checks the presence of a
subtitle file with the same name of the loaded video. If such a subtitle
file is found, VLC loads and parses the file.
==================
Technical Details:
==================
Source code file: modules\
[...]
1843 static int ParseRealText( demux_t *p_demux, subtitle_t *p_subtitle,
1844 {
1845 VLC_UNUSED( i_idx );
1846 demux_sys_t *p_sys = p_demux->p_sys;
1847 text_t *txt = &p_sys->txt;
1848 char *psz_text = NULL;
1849 [1] char psz_end[12]= "", psz_begin[12] = "";
1850
1851 for( ;; )
1852 {
1853 int h1 = 0, m1 = 0, s1 = 0, f1 = 0;
1854 int h2 = 0, m2 = 0, s2 = 0, f2 = 0;
1855 const char *s = TextGetLine( txt );
1856 free( psz_text );
1857
1858 if( !s )
1859 return VLC_EGENERIC;
1860
1861 psz_text = malloc( strlen( s ) + 1 );
1862 if( !psz_text )
1863 return VLC_ENOMEM;
1864
1865 /* Find the good begining. This removes extra spaces at the
1866 beginning of the line.*/
1867 char *psz_temp = strcasestr( s, "<time");
1868 if( psz_temp != NULL )
1869 {
1870 /* Line has begin and end */
1871 [2] if( ( sscanf( psz_temp,
1872 "<%*[t|T]ime %*[b|B]
1873 psz_begin, psz_end, psz_text) != 3 ) &&
1874 /* Line has begin and no end */
1875 [3] ( sscanf( psz_temp,
1876 "<%*[t|T]ime
1877 psz_begin, psz_text ) != 2) )
1878 /* Line is not recognized */
1879 {
1880 continue;
1881 }
[...]
[1] The stack buffers "psz_end" and "psz_begin" can be overflowed
[2] The sscanf() function reads its input from a user controlled character
string pointed to by "psz_temp". The user controlled data gets stored
in the stack buffers "psz_end" and "psz_begin" without any bounds
checking. This leads to a straight stack overflow that can be trivially
exploited by a (remote) attacker to execute arbitrary code in the
context of VLC.
[3] see [2]
=========
Solution:
=========
See "Workarounds" and "Solution" sections of the VideoLAN-SA-0810 [1].
========
History:
========
2008/11/03 - Vendor notified
2008/11/04 - Patch developed by VideoLAN team
2008/11/05 - Public disclosure of vulnerability details by the vendor
2008/11/05 - Release date of this security advisory
========
Credits:
========
Vulnerability found and advisory written by Tobias Klein.
===========
References:
===========
[1] http://
[2] http://
1125701a2e
[3] http://
| Kees Cook (kees) wrote | #1 |
| Changed in vlc (Ubuntu): | |
| status: | New → Confirmed |
| Nicola Ferralis (feranick) wrote | #2 |
| rusivi2 (rusivi2-deactivatedaccount) wrote | #3 |
| Changed in vlc (Ubuntu): | |
| status: | Confirmed → Incomplete |
| Nicola Ferralis (feranick) wrote | #4 |
| Benjamin Drung (bdrung) wrote | #5 |
| Changed in vlc (Ubuntu Hardy): | |
| status: | New → Triaged |
| Changed in vlc (Ubuntu): | |
| status: | Incomplete → Fix Released |
| Jamie Strandboge (jdstrand) wrote | #6 |
| Changed in vlc (Ubuntu Hardy): | |
| status: | Triaged → Won't Fix |
From duplicate: http://