Opened 11 years ago

Last modified 9 years ago

#1475 closed defect (wontfix)

MPlayer QuickTime STSD atom NULL Dereference DoS

Reported by: roeehay@… Owned by: r_togni@…
Priority: normal Component: demuxer
Version: HEAD Severity: critical
Keywords: Cc: compn
Blocked By: Blocking:
Reproduced by developer: Analyzed by developer:

Description

A specially crafted QuickTime file may cause MPlayer to NULL dereference.

faulty code:

libmpdemux/demux_mov.c:1758

trak->stdata_len = len - 8;
trak->stdata = malloc(trak->stdata_len);
stream_read(demuxer->stream, trak->stdata, trak->stdata_len);

The len DWORD is user controllable (STSD atom sample description size); this value is then passed to the malloc call. The value returned from the malloc call is used unsafely, because malloc can return NULL on error conditions.

A malicious QuickTime file may cause the malloc operation to return NULL, by specifying a very large Sample Description Size.
Doing so will cause 'stream_read' (which later on calls memcpy) to NULL dereference, and crash mplayer.
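
The following is an added example, not part of the original ticket and not MPlayer's code: a checked version of the read pattern above that rejects an implausible sample description size before allocating and tests the malloc result before reading into it. The names mem_stream, mem_stream_read, read_stsd_payload and the STSD_MAX_PAYLOAD cap are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical in-memory stand-in for the demuxer stream (not MPlayer's stream_t). */
struct mem_stream { const uint8_t *buf; size_t size, pos; };

static size_t mem_stream_read(struct mem_stream *s, void *dst, size_t n)
{
    size_t left = s->size - s->pos;
    if (n > left) n = left;               /* short read at end of data */
    memcpy(dst, s->buf + s->pos, n);
    s->pos += n;
    return n;
}

enum { STSD_OK = 0, STSD_BAD_LEN = -1, STSD_NO_MEM = -2, STSD_SHORT_READ = -3 };

#define STSD_MAX_PAYLOAD (1u << 20)       /* assumed cap, not a value from the ticket */

/* len: untrusted sample description size from the file, 8-byte header included. */
static int read_stsd_payload(struct mem_stream *s, uint32_t len,
                             uint8_t **out, size_t *out_len)
{
    *out = NULL;
    *out_len = 0;
    if (len < 8) return STSD_BAD_LEN;     /* smaller than its own header */
    size_t want = len - 8;
    if (want > STSD_MAX_PAYLOAD || want > s->size - s->pos)
        return STSD_BAD_LEN;              /* claims more than the file can hold */
    uint8_t *p = malloc(want ? want : 1);
    if (!p) return STSD_NO_MEM;           /* the check missing in the ticket's snippet */
    if (mem_stream_read(s, p, want) != want) { free(p); return STSD_SHORT_READ; }
    *out = p;
    *out_len = want;
    return STSD_OK;
}

int main(void)
{
    static const uint8_t data[16] = { 1, 2, 3, 4 };   /* constructed sample bytes */
    struct mem_stream s = { data, sizeof data, 0 };
    uint8_t *p; size_t n;
    printf("huge len -> %d\n", read_stsd_payload(&s, 0xFFFFFFF0u, &p, &n));
    printf("len 12   -> %d\n", read_stsd_payload(&s, 12, &p, &n));
    free(p);
    return 0;
}
```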

Change History (2)

comment:1 Changed 11 years ago by roeehay@…

  • Summary changed from MPlayer QuickTime STSD header NULL Dereference DoS to MPlayer QuickTime STSD atom NULL Dereference DoS

comment:2 Changed 9 years ago by compn

  • Resolution set to wontfix
  • Status changed from new to closed, patriotact@gmail.com

demux_mov is dead now, as -demuxer lavf is default for mov files, closing bug.
