####################################################################### Luigi Auriemma Application: xine-lib http://xinehq.de Versions: <= 1.1.11 Platforms: Linux, *BSD, Solaris, Irix, MacOSX, Windows and others Bugs: A] heap-overflow in demux_flv B] heap-overflow in demux_qt C] heap-overflow in demux_real D] heap-overflow in demux_wc3movie E] heap-overflow in ebml F] heap-overflow in demux_film Exploitation: local Date: 20 Mar 2008 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== From developers website: "xine is a free (gpl-licensed) high-performance, portable and reusable multimedia playback engine. xine itself is a shared library with an easy to use, yet powerful API which is used by many applications for smooth video playback and video processing purposes." The library and parts of its source code are widely used in many open source players and projects. ####################################################################### ======= 2) Bugs ======= xine-lib is affected by various heap overflow vulnerabilities caused by the wrong 32 bit calculation of the amount of memory to allocate for some destination buffers and arrays. These bugs allow an attacker to control some registers or directly the code flow (like with demux_qt) which could leat to the execution of malicious code. For brevity will be showed directly the instructions in the source code which do these bad allocations. ----------------------------- A] heap-overflow in demux_flv ----------------------------- From src/demuxers/demux_flv.c: static int parse_flv_var(demux_flv_t *this, unsigned char *buf, int size, char *key, int keylen) { ... this->index = xine_xmalloc(num*sizeof(flv_index_entry_t)); ... this->index = xine_xmalloc(num*sizeof(flv_index_entry_t)); ---------------------------- B] heap-overflow in demux_qt ---------------------------- Practically almost any allocation instruction in src/demuxers/demux_qt.c is vulnerable to various types of heap overflows. ------------------------------ C] heap-overflow in demux_real ------------------------------ From src/demuxers/demux_real.c: static void real_parse_index(demux_real_t *this) { ... *index = xine_xmalloc(entries * sizeof(real_index_entry_t)); ---------------------------------- D] heap-overflow in demux_wc3movie ---------------------------------- From src/demuxers/demux_wc3movie.c: static int open_mve_file(demux_mve_t *this) { ... this->palettes = xine_xmalloc(this->number_of_shots * PALETTE_SIZE * sizeof(palette_entry_t)); Note that the output buffer is filled using a special lookup table. ------------------------ E] heap-overflow in ebml ------------------------ From src/demuxers/ebml.c: int ebml_check_header(ebml_parser_t *ebml) { ... char *text = malloc(elem.len + 1); ------------------------------ F] heap-overflow in demux_film ------------------------------ From src/demuxers/demux_film.c: static int open_film_file(demux_film_t *film) { ... film->sample_table = xine_xmalloc(film->sample_count * sizeof(film_sample_t)); ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/xinehof.zip ####################################################################### ====== 4) Fix ====== No fix #######################################################################