Memory corruption in RealMedia parsing
Bug #690173 reported by Dan Rosenberg
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
VLC media player | Fix Released | Critical | Rémi Denis-Courmont |
vlc (Ubuntu) | Fix Released | Undecided | Unassigned |
Lucid | Fix Released | Undecided | Unassigned |
Maverick | Fix Released | Undecided | Unassigned |
Bug Description
Binary package hint: vlc
I've attached a fuzzed RealMedia file that crashes VLC. The crash appears to be caused by invoking a function pointer from an uninitialized object. By pre-initializing the heap memory corresponding to this object, it may be possible to control program flow and subsequently execute arbitrary code. The program crashes on line 551 of modules/
if( tk->p_frame )
where block_Release invokes a function pointer of the uninitialized p_frame. I've confirmed this issue in Lucid (VLC 1.0.6) and upstream (1.1.5).
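The pattern the report describes, as an added example written for this page (not VLC's code and not the patch that fixed this bug): a simplified block/track model in which the track struct is allocated without initialising p_frame, beside the initialised version that makes the `if( tk->p_frame )` check meaningful. block_t, track_t and every function name here are hypothetical stand-ins chosen to mirror the names in the report.

```c
#include <stdlib.h>
/* Stand-in for VLC's block_t: a buffer released through a callback. */
typedef struct block_t {
    unsigned char *p_buffer;
    size_t         i_buffer;
    void         (*pf_release)(struct block_t *);
} block_t;
/* Per-track demuxer state; p_frame is the member named in the report. */
typedef struct { int i_id; block_t *p_frame; } track_t;
static int g_releases;  /* how many blocks were actually released */
static void block_free(block_t *b) { g_releases++; free(b->p_buffer); free(b); }
static block_t *block_Alloc(size_t n) {
    block_t *b = calloc(1, sizeof *b);
    if (!b) return NULL;
    b->p_buffer = calloc(1, n ? n : 1);
    b->i_buffer = n; b->pf_release = block_free;  /* the pointer the crash went through */
    return b;
}
static void block_Release(block_t *b) { b->pf_release(b); }
/* Vulnerable shape: malloc leaves p_frame holding stale heap bytes, so the NULL
 * check in track_delete passes and pf_release is loaded from garbage. */
track_t *track_new_uninit(int id) {
    track_t *tk = malloc(sizeof *tk);
    if (tk) tk->i_id = id;  /* p_frame deliberately left unset: the defect */
    return tk;
}
/* Hardened shape: zero the struct and set every pointer member explicitly. */
track_t *track_new_init(int id) {
    track_t *tk = calloc(1, sizeof *tk);
    if (!tk) return NULL;
    tk->i_id = id; tk->p_frame = NULL;
    return tk;
}

/* Cleanup path quoted in the report: sound only if p_frame is NULL or valid. */
void track_delete(track_t *tk) {
    if (tk->p_frame) block_Release(tk->p_frame);
    free(tk);
}

/* Lifecycle with the hardened allocator; returns how many blocks were released. */
int track_lifecycle(int attach_frame) {
    g_releases = 0;
    track_t *tk = track_new_init(1);
    if (!tk) return -1;
    if (attach_frame) tk->p_frame = block_Alloc(64);
    track_delete(tk);
    return g_releases;
}
```

Only track_new_init is safe to pass to track_delete; a track from track_new_uninit reaches the callback through whatever bytes the allocator left behind, which is exactly what a fuzzed input turned into a crash here.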
CVE References
Changed in vlc:
milestone: none → 1.1.6
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Rémi Denis-Courmont (rdenis)
tags: added: patch
Changed in vlc:
status: In Progress → Fix Released
Please use CVE-2010-3907 for this issue.