Opened 15 years ago
Last modified 13 years ago
#1475 closed defect (wontfix)
MPlayer QuickTime STSD atom NULL Dereference DoS
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | normal | Component: | demuxer |
| Version: | HEAD | Severity: | critical |
| Keywords: | Cc: | compn | |
| Blocked By: | Blocking: | ||
| Reproduced by developer: | no | Analyzed by developer: | no |
Description
A specially crafted QuickTime file may cause MPlayer to NULL dereference.
faulty code:
libmpdemux/demux_mov.c:1758
trak->stdata_len = len - 8;
trak->stdata = malloc(trak->stdata_len);
stream_read(demuxer->stream, trak->stdata, trak->stdata_len);
The len DWORD is user controllable (STSD atom sample description size), this value is then passed to the malloc call. The value returned from the malloc call is used unsafely, becaus
malloc can return NULL on error conditions.
A malicious QuickTime file may cause the malloc operation to return NULL, by specifying a very large Sample Description Size.
Doing so will cause 'stream_read' (which later on calls memcpy) to NULL dereference, and crash mplayer.
Change History (2)
comment:1 by , 15 years ago
| Summary: | MPlayer QuickTime STSD header NULL Dereference DoS → MPlayer QuickTime STSD atom NULL Dereference DoS |
|---|
comment:2 by , 13 years ago
| Resolution: | → wontfix |
|---|---|
| Status: | new → closed, patriotact@gmail.com |
demux_mov is dead now, as -demuxer lavf is default for mov files, closing bug.