
VLC media player RealMedia Processing Integer Overflow Vulnerability



Please find attached a detailed advisory of the vulnerability.

Alternatively, the advisory can also be found at: 


Advisory:               VLC media player RealMedia Processing Integer 
                        Overflow Vulnerability
Advisory ID:            TKADV2008-013
Revision:               1.0              
Release Date:           2008/11/30
Last Modified:          2008/11/30 
Date Reported:          2008/11/14
Author:                 Tobias Klein (tk at
Affected Software:      VLC media player < 0.9.7
Remotely Exploitable:   Yes
Locally Exploitable:    No 
Vendor URL: 
Vendor Status:          Vendor has released an updated version
CVE-ID:                 CVE-2008-5276
Patch development time: 16 days

=====================
Vulnerability Details:
=====================
The VLC media player contains an integer overflow vulnerability while 
parsing malformed RealMedia (.rm) files. The vulnerability leads to a heap 
overflow that can be exploited by a (remote) attacker to execute arbitrary 
code in the context of VLC media player.

=================
Technical Details:
=================
Source code file: modules\demux\real.c

static void ReadRealIndex( demux_t *p_demux )
{
    /* ... */
    uint32_t      i_index_count;
    /* ... */
[1] i_index_count = GetDWBE( &buffer[10] );
    /* ... */
[2] p_sys->p_index =
        (rm_index_t *)malloc( sizeof( rm_index_t ) *
                              (i_index_count+1) );
    if( p_sys->p_index == NULL )
        return;
    memset(p_sys->p_index, 0, sizeof(rm_index_t) * (i_index_count+1));

[3] for( i=0; i<i_index_count; i++ )
    {
        if( stream_Read( p_demux->s, buffer, 14 ) < 14 )
            return ;

[7]     if( GetWBE( &buffer[0] ) != 0 )
        {
            msg_Dbg( p_demux, "Real Index: invaild version of index entry %d ",
                     GetWBE( &buffer[0] ) );
            return;
        }

[4]     p_sys->p_index[i].time_offset = GetDWBE( &buffer[2] );
[5]     p_sys->p_index[i].file_offset = GetDWBE( &buffer[6] );
[6]     p_sys->p_index[i].frame_index = GetDWBE( &buffer[10] );
        msg_Dbg( p_demux, "Real Index: time %d file %d frame %d ",
                 p_sys->p_index[i].time_offset,
                 p_sys->p_index[i].file_offset,
                 p_sys->p_index[i].frame_index );
    }
}

[1] User supplied data from the RealMedia file gets copied into 
[2] The value of "i_index_count" is used to calculate the size of a heap 
    buffer. If the value of "i_index_count" is big enough (e.g. 0x15555555)
    an integer overflow occurs while calculating the size of the heap 
    buffer. As a consequence it is possible to allocate a small heap buffer
    by supplying a big value for "i_index_count".
[3] The value of "i_index_count" is used as a counter in this for() loop. 
[4] User controlled data from the RealMedia file gets copied into the 
    previously allocated heap buffer (see [2]). As "i" is used as an array 
    index and the for() loop is executed until "i 
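The wrap described at [2], shown in code as an added illustration that is not part of this advisory or of VLC's source: the size expression is evaluated in 32-bit arithmetic as on a 32-bit build, next to a checked variant that rejects the count before anything is allocated. The rm_index_t layout (three uint32_t fields), the constructed header bytes and the checked_index_size() fix are assumptions of this example, not VLC's 0.9.7 patch.

```c
#include <stdint.h>

/* Assumed layout of VLC's rm_index_t: three 32-bit fields, 12 bytes. */
typedef struct { uint32_t time_offset, file_offset, frame_index; } rm_index_t;

/* Big-endian 32-bit read, standing in for VLC's GetDWBE(). */
static uint32_t get_dw_be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Constructed 14-byte index-chunk header (not taken from a real file): the
 * advisory's example count 0x15555555 sits at offset 10, where [1] reads it. */
static const uint8_t sample_header[14] = {
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x15, 0x55, 0x55, 0x55 };

uint32_t sample_index_count(void)
{
    return get_dw_be(&sample_header[10]);
}

/* The size expression from [2], forced into 32-bit arithmetic as on a 32-bit
 * VLC build. 0x15555556 * 12 = 0x100000008, which wraps to 8, so malloc()
 * returns an 8-byte buffer that the loop at [3] then fills with 12-byte
 * entries indexed by the attacker-chosen count. */
uint32_t vulnerable_index_size(uint32_t i_index_count)
{
    return (uint32_t)sizeof(rm_index_t) * (i_index_count + 1);
}

/* Hardened replacement (assumed fix, not VLC's own patch): refuse any count
 * for which (count + 1) * sizeof(rm_index_t) does not fit in 32 bits.
 * Returns the byte size to allocate, or 0 when the header must be rejected
 * before any allocation or loop iteration happens. */
uint32_t checked_index_size(uint32_t i_index_count)
{
    const uint32_t elem = (uint32_t)sizeof(rm_index_t);
    const uint32_t max_count = UINT32_MAX / elem - 1;
    if (i_index_count > max_count)
        return 0;                       /* multiplication would wrap */
    return elem * (i_index_count + 1);
}
```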

  Revision 0.1 - Initial draft release to the vendor
  Revision 1.0 - Public release

The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.

PGP Signature Key: 

Copyright 2008 Tobias Klein. All rights reserved.
