
Xine format string bugs when handling a non-existent file






Author : KaDaL-X
email : king_purba@yahoo.co.uk
website : http://kandangjamur.net

Software tested
Version : 0.99.4
Vendor : http://xine.sourceforge.net

Proof Of Concept :
Type something like this in your unix console :

kandangjamur$ xine %p-%p.mp3

This command causes two error alert boxes :
1. There is no input plugin available to handle
2. The specified file or mrl Please check it twice (0x811ac8e-0xbe1fdabc.mp3) <-- format string error

Vulnerable code :

In src/xitk/main.c

/* (file name or mrl) */
      case XINE_MSG_FILE_NOT_FOUND:
        snprintf(buffer, sizeof(buffer), "%s", _("The specified file or mrl is not found. Please check it twice."));
        if(data->explanation)
          sprintf(buffer, "%s (%s)", buffer, (char *) data + data->parameters);
        break;

The vulnerable variable is (char *) data + data->parameters, but I didn't analyze this code to make this
problem clear (sorry). Commenting out the sprintf() call can be used to fix this issue,
but many format string issues may occur in main.c caused by (char *) data + data->parameters.
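
An added example, not code from xine or from the advisory's author, showing the error-message pattern above next to a hardened form. It assumes the composed buffer is later handed to a printf-style function as its format argument, a call the excerpt does not show; dialog_printf, compose_not_found, show_unsafe and show_safe are hypothetical names.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define NOT_FOUND "The specified file or mrl is not found. Please check it twice."

/* Hypothetical printf-style dialog helper: its first string is a FORMAT. */
static int dialog_printf(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Bounded composition into a separate buffer: no sprintf() with the same
 * buffer as source and destination. Returns 0, or -1 if truncated. */
int compose_not_found(char *buf, size_t n, const char *mrl)
{
    int r = snprintf(buf, n, "%s (%s)", NOT_FOUND, mrl);
    return (r < 0 || (size_t)r >= n) ? -1 : 0;
}

/* UNSAFE (assumed sink): the message, which embeds the user's MRL, is used
 * as the format, so directives typed in the file name get interpreted. */
int show_unsafe(char *out, size_t n, const char *msg)
{
    return dialog_printf(out, n, msg);
}

/* SAFE: constant format string, the message is passed as data only. */
int show_safe(char *out, size_t n, const char *msg)
{
    return dialog_printf(out, n, "%s", msg);
}

int main(void)
{
    char msg[256], shown[256];
    const char *mrl = "%p-%p.mp3";   /* file name used in the advisory */
    if (compose_not_found(msg, sizeof msg, mrl) != 0)
        return 1;
    show_safe(shown, sizeof shown, msg);
    puts(shown);                     /* the %p directives stay literal */
    return 0;
}
```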
