The Movie Player and VLC Media Player Real Data Transport parsing integer underflow.


Advisory:
        The Movie Player and VLC Media Player Real Data Transport
        parsing integer underflow.

Affected products:
        The Movie player svn r29438 [1]
        VLC media player <= 1.0.0 [2]
        Possibly other applications that use the xine-lib code [3].

Discovered by:
        tixxDZ 
        DZCORE Labs, Algeria

Date reported:
        2009/07/25

Release Date:
        2009/07/27

Solutions:
        VLC: update to VLC media player 1.0.1 [2] [4].
        Mplayer: please see the Patches section.


---------
Abstract:
---------

Mplayer
Source file:    stream/realrtsp/real.c
function:       int real_get_rdt_chunk(rtsp_t *rtsp_session,
                                       char **buffer,
                                       int rdt_rawdata)


VLC
Source file:    modules/access/rtsp/real.c
function:       int real_get_rdt_chunk_header(rtsp_client_t *rtsp_session,
                                              rmff_pheader_t *ph)


The original code is part of the xine library [3]:
Source file:    src/input/libreal/real.c
function:       int real_get_rdt_chunk(rtsp_t *rtsp_session,
                                       unsigned char **buffer)


The function real_get_rdt_chunk() calls rtsp_read_data() to read RDT
(Real Data Transport) chunk headers from the network and then parses them.
An attacker-controlled value taken from the header is used to allocate a
buffer and is later passed to rtsp_read_data() to specify the length of the
RDT chunk data to read from the network.
An integer underflow can be triggered by a malformed RDT chunk header; a
remote attacker can exploit it to execute arbitrary code in the context of
the application.


The xine lib [3] does not appear to be vulnerable because of an additional
check in the xio_rw_abort() function (file: src/xine-engine/io_helper.c),
which takes the length of an RDT packet as an off_t and performs comparison
checks (line: 350) before reading chunks from the network.
The Movie player [1] and the VLC media player [2] are vulnerable: the length
of an RDT packet is passed as an unsigned int to their own network read
functions.


-----------
Description:
-----------
xine-lib source file:   src/input/libreal/real.c

int real_get_rdt_chunk(rtsp_t *rtsp_session, unsigned char **buffer) {

        int n=1;
        uint8_t header[8];
        rmff_pheader_t ph;
        int size;               /* signed; holds the 24-bit length read from the network */
        int flags1;
        int unknown1;
        uint32_t ts;

        /* read the 8-byte RDT chunk header */
        n=rtsp_read_data(rtsp_session, header, 8);
        if (n<8) return 0;
        if (header[0] != 0x24)
        {
                lprintf("rdt chunk not recognized: got 0x%02x\n", header[0]);
                return 0;
        }
[1]     size=(header[1]<<16)+(header[2]<<8)+(header[3]);
        flags1=header[4];
        if ((flags1!=0x40)&&(flags1!=0x42))
        {
                lprintf("got flags1: 0x%02x\n",flags1);
                if (header[6]==0x06)
                {
                        lprintf("got end of stream packet\n");
                        return 0;
                }
                ...
[2]             size-=9;
        }
        unknown1=(header[5]<<16)+(header[6]<<8)+(header[7]);
        n=rtsp_read_data(rtsp_session, header, 6);
        if (n<6) return 0;
        ts=_X_BE_32(header);

        lprintf("ts: %u size: %u, flags: 0x%02x, unknown values: %u 0x%02x 0x%02x\n",
                ts, size, flags1, unknown1, header[4], header[5]);

[3]     size+=2;
        ph.object_version=0;
[4]     ph.length=size;         /* size has not been checked against 12 at this point */
        ph.stream_number=(flags1>>1)&1;
        ph.timestamp=ts;
        ph.reserved=0;
        ph.flags=0;      /* TODO: determine keyframe flag and insert here? */
[5]     xine_buffer_ensure_size(*buffer, 12+size);
        rmff_dump_pheader(&ph, *buffer);
[6]     size-=12;               /* wraps below zero when size < 12 */
[7]     n=rtsp_read_data(rtsp_session, (*buffer)+12, size);   /* size is converted to unsigned here */

        return (n <= 0) ? 0 : n+12;
}


[1]     The signed int variable size is filled with data from the network.

[2] [3] Some arithmetic operations; we assume that afterwards size == 11.

[4]     The value of the size variable is assigned to ph.length.

[5]     The size variable is used to allocate (realloc) space for the buffer.

[6]     An integer underflow is triggered: size -= 12 gives -1, which is
        0xffffffff when interpreted as unsigned.

[7]     The size variable is passed to the rtsp_read_data() function as an
        unsigned integer specifying the length of the RDT packet to read.

        Mplayer:
        Mplayer is vulnerable: its rtsp_read_data() function passes the length
        to the read_stream() function (file: stream/librtsp/rtsp.c) as a
        size_t, which can lead to reading a very large amount of data from the
        network and cause a heap overflow.

        VLC:
        VLC is vulnerable: the real_get_rdt_chunk_header() function reads and
        parses the header, and the vulnerable call to rtsp_read_data() is made
        by the real_get_rdt_chunk() function. The length is passed to the
        __net_Read() function (file: src/network/io.c) as a size_t, which can
        lead to reading a very large amount of data from the network and cause
        a heap overflow.
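The following is an added illustration, not code from the advisory or from the xine/MPlayer/VLC projects: it reconstructs only the size arithmetic of real_get_rdt_chunk() on an 8-byte RDT chunk header (the numbered steps above), reports the allocation size and the length that would reach the network read as an unsigned value, and optionally applies the `size<12` check from the MPlayer patch before the buffer is sized. The header bytes are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration (hypothetical reconstruction, not project code) of the
 * size arithmetic in real_get_rdt_chunk(), with and without the patch check. */
struct rdt_sizes {
    int rejected;           /* 1 if the chunk is refused before any payload read */
    int alloc;              /* bytes requested for the buffer: 12+size (step [5]) */
    unsigned int read_len;  /* length handed to the network read, as unsigned (step [7]) */
};

struct rdt_sizes rdt_chunk_sizes(const uint8_t header[8], int hardened) {
    struct rdt_sizes r = {1, 0, 0};
    int size, flags1;

    if (header[0] != 0x24)
        return r;                                           /* not an RDT chunk */
    size = (header[1] << 16) + (header[2] << 8) + header[3];   /* [1] 24-bit length */
    flags1 = header[4];
    if (flags1 != 0x40 && flags1 != 0x42) {
        if (header[6] == 0x06)
            return r;                                       /* end-of-stream packet */
        size -= 9;                                          /* [2] */
    }
    size += 2;                                              /* [3] */
    if (hardened && size < 12)                              /* check from the MPlayer patch */
        return r;
    r.rejected = 0;
    r.alloc = 12 + size;                                    /* [5] buffer sized for 12+size */
    size -= 12;                                             /* [6] goes negative when size < 12 */
    r.read_len = (unsigned int)size;                        /* [7] -1 becomes 0xffffffff */
    return r;
}

/* Constructed headers: a chunk whose length field is 9 (flags 0x40), which
 * yields size == 11 at step [3], and a benign chunk whose length field is 100. */
static const uint8_t bad_hdr[8]  = {0x24, 0x00, 0x00, 0x09, 0x40, 0x00, 0x00, 0x00};
static const uint8_t good_hdr[8] = {0x24, 0x00, 0x00, 0x64, 0x40, 0x00, 0x00, 0x00};

int main(void) {
    struct rdt_sizes v = rdt_chunk_sizes(bad_hdr, 0);
    struct rdt_sizes h = rdt_chunk_sizes(bad_hdr, 1);
    printf("unpatched: buffer %d bytes, network read %u bytes\n", v.alloc, v.read_len);
    printf("patched:   rejected=%d\n", h.rejected);
    return 0;
}
```

The unpatched path allocates 23 bytes and then asks the network layer for 0xffffffff bytes, which is the mismatch that produces the heap overflow described above.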


--------
Patches:
--------

VLC
Official patch by the VideoLAN team (Patch development time: 2 hours) [4].

Mplayer
Unofficial patch by tixxDZ

diff -Naur stream/realrtsp/real.c stream/realrtsp/real.c.new
--- stream/realrtsp/real.c      2009-07-27 01:09:18.000000000 +0100
+++ stream/realrtsp/real.c.new  2009-07-27 01:12:35.000000000 +0100
@@ -386,6 +386,7 @@
     return (n <= 0) ? 0 : n;
   }
   rmff_dump_pheader(&ph, *buffer);
+  if (size<12) return 0;
   size-=12;
   n=rtsp_read_data(rtsp_session, (*buffer)+12, size);
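Review bot: the new `if (size<12) return 0;` is placed after `rmff_dump_pheader(&ph, *buffer);`, so a chunk with a size below 12 (including a negative size after the `size-=9` branch) has already had its header built and, as the Description section lays out for steps [4] and [5], its length stored in ph and the buffer resized with 12+size before it is rejected. Moving the check up to directly after `size+=2`, before the header is filled in and the buffer is resized, refuses the malformed chunk before any of that work is done and keeps the fix in one obvious place.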


-----------
References:
-----------

[1] http://www.mplayerhq.hu/ 
[2] http://www.videolan.org/ 
[3] http://www.xine-project.org/ 
[4] http://git.videolan.org/?p=vlc.git;a=commitdiff;h=dc74600c97eb834c08674676e209afa842053aca


-----------
Disclaimer:
-----------

The document is provided as is without warranty of any kind. The content
may change without notice. In no event shall the author be liable for any
special, direct or indirect damages, losses or unlawful offences.
Use at your own risk.


Copyright (c) 2009 tix tixxDZ, DZCORE Labs. All rights reserved.



-- 
tix or tixxDZ
