Opened 11 years ago

Last modified 9 years ago

#1476 closed defect (wontfix)

MPlayer QuickTime STSZ atom NULL Dereference DoS

Reported by: roeehay@… Owned by: r_togni@…
Priority: normal Component: demuxer
Version: HEAD Severity: critical
Keywords: Cc: compn, roeehay@…
Blocked By: Blocking:
Reproduced by developer: Analyzed by developer:


A specially crafted QuickTime file may cause MPlayer to NULL dereference.

faulty code:

    1811 int entries = stream_read_dword(demuxer->stream);
    1812 int i;
    1813 mp_msg(MSGT_DEMUX, MSGL_V, "MOV: %*sSample size table! (entries=%d ss=%d) ver:%d,flags:%d)\n", level, "",
    1814        entries, ss, ver, flags);
    1815 trak->samplesize = ss;
    1816 if (!ss)
    1817 {
    1818     // variable samplesize
    1819     trak->samples = realloc_struct(trak->samples, entries, sizeof(mov_sample_t));
    1820     trak->samples_size = entries;
    1821     for (i = 0; i < trak->samples_size; i++)
    1822         trak->samples[i].size = stream_read_dword(demuxer->stream);
    1823 }
    1824 break;

The entries DWORD is user controllable (STSZ atom sample size); this
value is then passed to the realloc call. The value returned from the realloc
call is used unsafely, since realloc returns NULL on error conditions.

A malicious QuickTime file may cause the realloc operation to return NULL by
specifying a very large STSZ atom Sample Size. At line 1822, this value is dereferenced, crashing mplayer.
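A hardened form of the loop quoted above, added here as an example and not MPlayer's own code: the stand-in types, the in-memory stream and the two constructed tables are assumptions. It bounds entries by the bytes actually left in the atom before allocating, and checks the realloc result before writing through it, so a huge claimed count fails cleanly instead of reaching line 1822's dereference.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
/* Constructed stand-ins for MPlayer's mov_sample_t and stream (not demux_mov.c's own types). */
typedef struct { int size; } mov_sample_t;
typedef struct { const uint8_t *p; size_t len, pos; } mem_stream_t;
/* Big-endian 32-bit read that fails instead of reading past the end of the buffer. */
static int read_dword(mem_stream_t *s, uint32_t *out) {
    const uint8_t *b = s->p + s->pos;
    if (s->len - s->pos < 4) return -1;
    *out = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3];
    s->pos += 4;
    return 0;
}
/* Hardened form of the reported loop. Returns the entry count, or -1 if the count exceeds
 * the data actually present or realloc fails; on failure *samples is never written through. */
int parse_stsz_sizes(mem_stream_t *s, mov_sample_t **samples, int *samples_size) {
    uint32_t entries, v;
    if (read_dword(s, &entries) < 0) return -1;
    /* Each entry is 4 bytes: reject a count the remaining stream cannot hold before allocating. */
    if (entries > (s->len - s->pos) / 4 || entries > (uint32_t)INT_MAX) return -1;
    if (entries) {
        mov_sample_t *tmp = realloc(*samples, entries * sizeof(mov_sample_t));
        if (!tmp) return -1;                 /* old buffer stays valid on failure */
        *samples = tmp;
    }
    *samples_size = (int)entries;
    for (uint32_t i = 0; i < entries; i++) {
        if (read_dword(s, &v) < 0) return -1;
        (*samples)[i].size = (int)v;
    }
    return (int)entries;
}
/* Constructed well-formed table: entries=3 followed by sizes 10, 20, 30. Returns 3. */
int demo_valid_table(void) {
    static const uint8_t tbl[] = { 0,0,0,3, 0,0,0,10, 0,0,0,20, 0,0,0,30 };
    mem_stream_t s = { tbl, sizeof tbl, 0 }; mov_sample_t *samples = NULL; int n = 0;
    int rc = parse_stsz_sizes(&s, &samples, &n);
    int ok = rc == 3 && n == 3 && samples[0].size == 10 && samples[2].size == 30;
    free(samples);
    return ok ? rc : -2;
}
/* Constructed hostile table: entries=0xFFFFFFFF with nothing behind it (the shape the
 * report describes). Returns -1 with *samples left NULL and nothing dereferenced. */
int demo_oversized_count(void) {
    static const uint8_t tbl[] = { 0xFF, 0xFF, 0xFF, 0xFF };
    mem_stream_t s = { tbl, sizeof tbl, 0 }; mov_sample_t *samples = NULL; int n = 0;
    int rc = parse_stsz_sizes(&s, &samples, &n);
    return (samples == NULL && n == 0) ? rc : -2;
}
```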

Change History (3)

comment:1 Changed 11 years ago by roeehay@…

  • Cc roeehay@… added

comment:2 Changed 11 years ago by roeehay@…

  • op_sys changed from Other to All

comment:3 Changed 9 years ago by compn

  • Resolution set to wontfix
  • Status changed from new to closed

demux_mov is dead now, as -demuxer lavf is default for mov files, closing bug.
