
VLC media player cue Processing Stack Overflow Vulnerability



Please find attached a detailed advisory of the vulnerability.

Alternatively, the advisory can also be found at: 


Advisory:               VLC media player cue Processing Stack Overflow 
Advisory ID:            TKADV2008-012
Revision:               1.0              
Release Date:           2008/11/05 
Last Modified:          2008/11/05 
Date Reported:          2008/11/03
Author:                 Tobias Klein (tk at
Affected Software:      VLC media player < 0.9.6
Remotely Exploitable:   Yes
Locally Exploitable:    No 
Vendor URL: 
Vendor Status:          Vendor has released an updated version
Patch development time: 2 days

=====================
Vulnerability details:
=====================
The VLC media player contains a stack overflow vulnerability while parsing
malformed cue files. The vulnerability may be exploited by a (remote) 
attacker to execute arbitrary code in the context of VLC media player.

=================
Technical Details:
=================
Source code file: modules\access\vcd\cdrom.c

/* Try to parse the i_tracks and p_sectors info so we can just forget
 * about the cuefile */
if( i_ret == 0 )
{
[1] int p_sectors[100];
    int i_tracks = 0;
    int i_num;
    char psz_dummy[10];

[2] while( fgets( line, 1024, cuefile ) )
    {
      /* look for a TRACK line */
      if( !sscanf( line, "%9s", psz_dummy ) ||
          strcmp(psz_dummy, "TRACK") )
          continue;

      /* look for an INDEX line */
[3]   while( fgets( line, 1024, cuefile ) )
      {
         int i_min, i_sec, i_frame;

[4]      if( (sscanf( line, "%9s %2u %2u:%2u:%2u", psz_dummy, &i_num,
                 &i_min, &i_sec, &i_frame ) != 5) || (i_num != 1) )
            continue;

[5]      i_tracks++;
[6]      p_sectors[i_tracks - 1] = MSF_TO_LBA(i_min, i_sec, i_frame);
         msg_Dbg( p_this, "vcd track %i begins at sector:%i",
                  i_tracks - 1, p_sectors[i_tracks - 1] );
         break;
      }
    }

[1] This stack buffer (100 ints) can be overflowed.
[2] + [3] User-controlled data from the cue file is stored in "line".
[4] The user-controlled file data is parsed and copied into "i_min",
    "i_sec" and "i_frame".
[5] The "i_tracks" counter is incremented.
[6] The user-controlled data from "i_min", "i_sec" and "i_frame" is copied
    into the stack buffer "p_sectors", with "i_tracks" used as the array
    index. As "i_tracks" is never checked against the size of "p_sectors",
    it is possible to overflow the stack buffer by specifying a large
    number of tracks in the cue file.

As the data that gets written beyond the stack buffer (a combination of
"i_min", "i_sec" and "i_frame") can only be controlled to some extent (see
the "MSF_TO_LBA" macro), exploitation of this vulnerability is not trivial
and may even be impossible.
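The following is an added example and not VLC's code: a bounds-checked
rewrite of the TRACK/INDEX loop above, walking an in-memory cue text instead
of a FILE* so it can be run against constructed input. It keeps the original
parsing steps ([2] to [6]) and adds the one check the vulnerable version lacks:
"i_tracks" is compared against the capacity of "p_sectors" before the write at
[6], and a cue file that declares more tracks than fit is rejected instead of
being written past the end of the buffer. The MSF_TO_LBA definition used here
is the usual CD minute:second:frame to logical-block formula and is an
assumption, not copied from VLC; next_line, build_cue and the cue text are
constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed definition (not VLC's): CD Minute:Second:Frame -> logical block. */
#define MSF_TO_LBA(min, sec, frame) ((int)(frame) + 75 * ((sec) + 60 * (min)))

#define MAX_TRACKS   100   /* same capacity as int p_sectors[100] above */
#define LINE_MAX_LEN 1024  /* same line size the original passes to fgets */

/* Constructed sample cue text: two tracks, the second with an INDEX 00 line
 * that must be skipped because only INDEX 01 marks the track start. */
const char CONSTRUCTED_CUE[] =
    "FILE \"image.bin\" BINARY\n"
    "  TRACK 01 MODE2/2352\n"
    "    INDEX 01 00:00:00\n"
    "  TRACK 02 MODE2/2352\n"
    "    INDEX 00 00:04:00\n"
    "    INDEX 01 00:06:10\n";

/* Copy the next line of *p_cursor into buf (overlong lines are truncated)
 * and advance the cursor. Returns 0 once the text is exhausted. */
static int next_line(const char **p_cursor, char *buf, size_t buf_len)
{
    const char *start = *p_cursor;
    if (*start == '\0')
        return 0;
    const char *nl = strchr(start, '\n');
    size_t len = nl ? (size_t)(nl - start) : strlen(start);
    if (len >= buf_len)
        len = buf_len - 1;
    memcpy(buf, start, len);
    buf[len] = '\0';
    *p_cursor = nl ? nl + 1 : start + strlen(start);
    return 1;
}

/* Parse "TRACK" / "INDEX 01 mm:ss:ff" pairs into p_sectors (capacity
 * max_tracks). Returns the number of tracks stored, or -1 if the cue file
 * declares more tracks than the buffer holds, which is exactly the input
 * that overflowed p_sectors in VLC < 0.9.6. */
int parse_cue_tracks(const char *cue_text, int *p_sectors, int max_tracks)
{
    char line[LINE_MAX_LEN];
    char psz_dummy[10];
    int i_tracks = 0;
    unsigned i_num, i_min, i_sec, i_frame;

    while (next_line(&cue_text, line, sizeof line))
    {
        /* look for a TRACK line */
        if (!sscanf(line, "%9s", psz_dummy) || strcmp(psz_dummy, "TRACK"))
            continue;

        /* look for the INDEX 01 line that follows it */
        while (next_line(&cue_text, line, sizeof line))
        {
            if ((sscanf(line, "%9s %2u %2u:%2u:%2u", psz_dummy, &i_num,
                        &i_min, &i_sec, &i_frame) != 5) || (i_num != 1))
                continue;

            /* The missing bound: never index past the end of p_sectors. */
            if (i_tracks >= max_tracks)
                return -1;

            p_sectors[i_tracks] = MSF_TO_LBA(i_min, i_sec, i_frame);
            i_tracks++;
            break;
        }
    }
    return i_tracks;
}

/* Build a constructed cue text with n TRACK/INDEX 01 pairs, to show how the
 * parser behaves at and beyond the buffer capacity. Returns 0 on success. */
int build_cue(char *out, size_t out_len, int n)
{
    size_t used = 0;
    for (int i = 1; i <= n; i++)
    {
        int w = snprintf(out + used, out_len - used,
                         "  TRACK %02d AUDIO\n    INDEX 01 %02d:%02d:00\n",
                         i % 100, (i / 60) % 100, i % 60);
        if (w < 0 || (size_t)w >= out_len - used)
            return -1;
        used += (size_t)w;
    }
    return 0;
}

int main(void)
{
    int sectors[MAX_TRACKS];
    static char big[8192];

    int n = parse_cue_tracks(CONSTRUCTED_CUE, sectors, MAX_TRACKS);
    printf("sample cue: %d tracks, track 2 starts at sector %d\n", n, sectors[1]);

    build_cue(big, sizeof big, MAX_TRACKS + 1);
    printf("cue with %d tracks: parse result %d (rejected)\n",
           MAX_TRACKS + 1, parse_cue_tracks(big, sectors, MAX_TRACKS));
    return 0;
}
```

The check belongs before the store, not after: incrementing "i_tracks" first
and then testing it, as the original ordering at [5]/[6] would invite, still
lets the hundred-and-first write through. The example also keeps the
"INDEX 00" skip so the track count reflects only real track starts.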

=========
Solution:
=========

  See the "Workarounds" and "Solution" sections of VideoLAN-SA-0810 [1].

====================
Disclosure Timeline:
====================

  2008/11/03 - Vendor notified
  2008/11/04 - Patch developed by VideoLAN team
  2008/11/05 - Public disclosure of vulnerability details by the vendor
  2008/11/05 - Release date of this security advisory

========
Credits:
========

  Vulnerability found and advisory written by Tobias Klein.

=================
Revision History:
=================

  Revision 0.1 - Initial draft release to the vendor
  Revision 1.0 - Public release

===========
Disclaimer:
===========

The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.

PGP Signature Key: 

Copyright 2008 Tobias Klein. All rights reserved.
