Specially crafted wav file causing a buffer overflow in vlc
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
vlc (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
Hi,
We found a buffer overflow in the parsing and processing of wav files in VLC (version 2.1.6-0). It was tested in Ubuntu 14.04 (x86_64), but it will probably affect other versions as well. Find attached a test case to reproduce it. Here you can see the gdb stack trace:
__memcpy_
116 ../sysdeps/
(gdb) bt
#0 __memcpy_
#1 0x00007ffff71436e9 in memcpy (__len=4290773038, __src=<optimized out>, __dest=<optimized out>) at /usr/include/
#2 AStreamPeekStream (s=<optimized out>, pp_peek=
#3 0x00007fffdebb42b3 in ChunkFind (p_demux=
at wav.c:522
#4 0x00007fffdebb4761 in Open (p_this=
#5 0x00007ffff716d178 in module_load (obj=obj@
args=
#6 0x00007ffff716d72e in vlc_module_load (obj=obj@
name@
#7 0x00007ffff716dc04 in module_need (obj=obj@
strict=
#8 0x00007ffff712cfbe in demux_New (p_obj=
psz_
at input/demux.c:188
#9 0x00007ffff7139d5d in InputSourceInit (p_input=
psz_
#10 0x00007ffff713ab6b in Init (p_input=
#11 0x00007ffff713e0e6 in Run (obj=0x7fffd000
#12 0x00007ffff79a9182 in start_thread (arg=0x7fffea82
#13 0x00007ffff74d247d in clone () at ../sysdeps/
It is evident that the memcpy operation has an abnormally large size parameter (4290773038). It shouldn't be difficult to exploit this bug to obtain arbitrary memory execution by overwriting some function pointer.
Regards,
Gustavo.
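The trace above shows ChunkFind handing a file-derived length straight to a peek/memcpy. The following is an added example, not VLC's code and not the fix applied upstream: a minimal RIFF/WAV chunk walker in which every declared chunk size is checked against the bytes actually present before anything is copied or skipped. The function names (find_chunk, copy_chunk), the result codes, and both sample buffers are constructed for this illustration; the malformed sample reuses the size value 4290773038 (0xFFC4A6AE) from the stack trace as its fmt chunk length.

```c
/* Added example, not VLC's code: a bounds-checked RIFF/WAV chunk walker.
 * Every chunk size read from the file is treated as untrusted input. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes (constructed for this example). */
enum { CHUNK_OK = 0, CHUNK_NOT_FOUND = 1, CHUNK_BAD_SIZE = 2, CHUNK_BAD_HEADER = 3 };

/* Read a little-endian 32-bit value without alignment assumptions. */
static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Locate the chunk tagged `fourcc` inside a RIFF/WAVE buffer of `len` bytes.
 * On success *out_off is the payload offset and *out_len its declared size,
 * which has already been verified to lie inside the buffer. */
int find_chunk(const uint8_t *buf, size_t len, const char *fourcc,
               size_t *out_off, uint32_t *out_len)
{
    /* "RIFF" <u32 size> "WAVE": 12-byte file header. */
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "WAVE", 4) != 0)
        return CHUNK_BAD_HEADER;

    size_t off = 12;
    while (off + 8 <= len) {                 /* room for an 8-byte chunk header */
        uint32_t size = rd_le32(buf + off + 4);
        size_t payload = off + 8;
        /* The check that matters: the declared size comes from the file, so it
         * is compared against the bytes actually present before any copy/skip.
         * Passing it straight to memcpy is how a huge value becomes a crash. */
        if (size > len - payload)
            return CHUNK_BAD_SIZE;
        if (memcmp(buf + off, fourcc, 4) == 0) {
            *out_off = payload;
            *out_len = size;
            return CHUNK_OK;
        }
        /* RIFF chunks are word-aligned: odd payloads are followed by a pad byte. */
        off = payload + size + (size & 1u);
    }
    return CHUNK_NOT_FOUND;
}

/* Copy a chunk payload into a caller-owned buffer of capacity dst_cap. */
int copy_chunk(const uint8_t *buf, size_t len, const char *fourcc,
               uint8_t *dst, size_t dst_cap, size_t *copied)
{
    size_t off = 0;
    uint32_t n = 0;
    int rc = find_chunk(buf, len, fourcc, &off, &n);
    if (rc != CHUNK_OK)
        return rc;
    if (n > dst_cap)                         /* destination bound, checked too */
        return CHUNK_BAD_SIZE;
    memcpy(dst, buf + off, n);
    *copied = n;
    return CHUNK_OK;
}

/* Constructed sample: 48-byte WAV with a 16-byte fmt chunk and 4 data bytes. */
static const uint8_t good_wav[] = {
    'R','I','F','F', 40,0,0,0, 'W','A','V','E',
    'f','m','t',' ', 16,0,0,0,
    1,0, 1,0, 0x44,0xAC,0,0, 0x88,0x58,1,0, 2,0, 16,0,
    'd','a','t','a', 4,0,0,0, 1,2,3,4
};

/* Constructed sample: same bytes, but the fmt chunk declares size
 * 0xFFC4A6AE = 4290773038, the value seen in the bug's stack trace. */
static const uint8_t bad_wav[] = {
    'R','I','F','F', 40,0,0,0, 'W','A','V','E',
    'f','m','t',' ', 0xAE,0xA6,0xC4,0xFF,
    1,0, 1,0, 0x44,0xAC,0,0, 0x88,0x58,1,0, 2,0, 16,0,
    'd','a','t','a', 4,0,0,0, 1,2,3,4
};

/* Returns 1 when the well-formed sample yields its 4 data bytes. */
int demo_good(void)
{
    uint8_t out[64]; size_t n = 0;
    return copy_chunk(good_wav, sizeof good_wav, "data", out, sizeof out, &n) == CHUNK_OK
           && n == 4 && out[0] == 1 && out[3] == 4;
}

/* Returns the result code for the malformed sample (CHUNK_BAD_SIZE, no copy). */
int demo_bad(void)
{
    uint8_t out[64]; size_t n = 0;
    return copy_chunk(bad_wav, sizeof bad_wav, "data", out, sizeof out, &n);
}

/* Returns the result code when the requested chunk is absent. */
int demo_missing(void)
{
    size_t off = 0; uint32_t n = 0;
    return find_chunk(good_wav, sizeof good_wav, "LIST", &off, &n);
}

int main(void)
{
    printf("good sample: %s\n", demo_good() ? "data chunk read" : "unexpected failure");
    printf("bad sample:  rc=%d (2 = declared size exceeds buffer)\n", demo_bad());
    printf("missing:     rc=%d (1 = not found)\n", demo_missing());
    return 0;
}
```

The malformed sample is rejected at the size check before the walker ever reaches the data chunk, which is the point: a parser that compares the declared size with the remaining input never forms the oversized memcpy seen in the trace, whatever the file says.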
Changed in vlc (Ubuntu):
status: New → Confirmed
information type: Private Security → Public Security
Thanks for discovering this.
Please notify the upstream vlc developers, and link the bug you've reported with this one.
Thanks!