MPlayer QuickTime STSZ atom NULL Dereference DoS

[roeehay@…]

A specially crafted QuickTime file may cause MPlayer to NULL dereference.

faulty code:

libmpdemux/demux_mov.c:1811

1811 int entries = stream_read_dword(demuxer->stream);
1812 int i;
1813 mp_msg(MSGT_DEMUX, MSGL_V, "MOV: %*sSample size table! (entries=%d ss=%d)

ver:%d,flags:%d)\n", level, "",

1814 entries, ss, ver, flags);
1815 trak->samplesize = ss;
1816 if (!ss)
1817 {
1818 variable samplesize
1819 trak->samples = realloc_struct(trak->samples, entries, sizeof(mov_sample_t));

1820 trak->samples_size = entries;
1821 for (i = 0; i < trak->samples_size; i++)
1822 trak->samples[i].size = stream_read_dword(demuxer->stream);
1823 }
1824 break;

The entries DWORD is user controllable (STSZ atom sample size), this
value is then passed to the realloc call. The value returned from the realloc
call is used unsafely, since realloc returns NULL on error conditions.

A malicious QuickTime file may cause the realloc peration to return NULL, by
specifying a very large STSZ atom Sample Size. At line 1822, this value is dereferenced, crashing mplayer.

[compn]

demux_mov is dead now, as -demuxer lavf is default for mov files, closing bug.