Source: xine-lib
Severity: grave
Tags: security, patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was published for xine-lib.

CVE-2008-5240[0]:
| xine-lib 1.1.12, and other 1.1.15 and earlier versions, relies on an
| untrusted input value to determine the memory allocation and does not
| check the result for (1) the MATROSKA_ID_TR_CODECPRIVATE track entry
| element processed by demux_matroska.c; and (2) PROP_TAG, (3) MDPR_TAG,
| and (4) CONT_TAG chunks processed by the real_parse_headers function
| in demux_real.c; which allows remote attackers to cause a denial of
| service (NULL pointer dereference and crash) or possibly execute
| arbitrary code via a crafted value.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

I am attaching the two patches by Will to this mail (even if I know you have them) in the hope they help others. I can confirm that both fix the described issues.

Cheers
Nico

For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5240
    http://security-tracker.debian.net/tracker/CVE-2008-5240

-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
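Added illustration, not xine-lib's code and not Will's patch: a minimal reader for a length-prefixed PROP-style chunk with the three checks the demux_real.c patch introduces, namely a size test before the unsigned subtraction, a minimum-payload bound before the fixed-offset reads, and a NULL test on the malloc result. The 8-byte preamble (tag plus size), the 64-byte scratch buffer and the `parse_with_size` helper with its sample field values are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Assumed layout (not taken from xine-lib): a chunk is a 4-byte tag and a 4-byte
 * big-endian chunk_size counted from the tag, so the preamble is 8 bytes. */
#define PREAMBLE_SIZE    8u
/* Minimum payload the PROP field reads below require; the patch uses the same 38. */
#define PROP_MIN_PAYLOAD 38u

enum prop_status { PROP_OK = 0, PROP_BAD_SIZE, PROP_TRUNCATED, PROP_NOMEM };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}
static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}

/* in/avail: the chunk bytes actually present. On PROP_OK the fields at payload
 * offsets 22 and 30 (duration and index_start in the patch) are returned. */
enum prop_status parse_prop_chunk(const uint8_t *in, size_t avail,
                                  uint32_t *duration, uint32_t *index_start) {
    if (avail < PREAMBLE_SIZE) return PROP_TRUNCATED;
    uint32_t chunk_size = be32(in + 4);
    /* Test before subtracting: chunk_size is unsigned, so a value below PREAMBLE_SIZE
     * would wrap to ~4 GiB, malloc() would return NULL, and the old code used it anyway. */
    if (chunk_size <= PREAMBLE_SIZE + 2) return PROP_BAD_SIZE;
    chunk_size -= PREAMBLE_SIZE;
    if (chunk_size < PROP_MIN_PAYLOAD) return PROP_BAD_SIZE;       /* offsets 22/30 must fit */
    if (avail - PREAMBLE_SIZE < chunk_size) return PROP_TRUNCATED; /* short read */
    uint8_t *buf = malloc(chunk_size);
    if (!buf) return PROP_NOMEM;                                   /* the missing NULL check */
    memcpy(buf, in + PREAMBLE_SIZE, chunk_size);
    *duration    = be32(&buf[22]);
    *index_start = be32(&buf[30]);
    free(buf);
    return PROP_OK;
}

/* Constructed test input: a "PROP" chunk whose size field is `chunk_size`, of which
 * `avail` bytes (at most 64) are presented to the parser. Payload fields are fixed. */
enum prop_status parse_with_size(uint32_t chunk_size, size_t avail,
                                 uint32_t *duration, uint32_t *index_start) {
    uint8_t buf[64] = {0};
    memcpy(buf, "PROP", 4);
    put_be32(buf + 4, chunk_size);
    put_be32(buf + PREAMBLE_SIZE + 22, 1000);  /* duration */
    put_be32(buf + PREAMBLE_SIZE + 30, 42);    /* index_start */
    return parse_prop_chunk(buf, avail > sizeof buf ? sizeof buf : avail, duration, index_start);
}
```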
From: Will Drewry <red...@ocert.org> Date: Fri, 22 Aug 2008 20:50:31 -0500 Subject: Check sizes for Real PROP, MDPR and CONT chunks [CVE-2008-5240 parts 2-4] diff -prauN xine-lib-1.1.15.orig/src/demuxers/demux_real.c xine-lib-1.1.15/src/demuxers/demux_real.c --- xine-lib-1.1.15.orig/src/demuxers/demux_real.c 2008-08-22 13:48:27.000000000 -0500 +++ xine-lib-1.1.15/src/demuxers/demux_real.c 2008-08-22 16:36:56.000000000 -0500 @@ -430,8 +456,22 @@ static void real_parse_headers (demux_re case MDPR_TAG: case CONT_TAG: { + if (chunk_size <= PREAMBLE_SIZE + + 2 /* 16-bit version */) { + xprintf(this->stream->xine, XINE_VERBOSITY_DEBUG, + "demux_real: chunk_size too small for tag (%u)\n", chunk_size); + this->status = DEMUX_FINISHED; + return; + } chunk_size -= PREAMBLE_SIZE; uint8_t *const chunk_buffer = malloc(chunk_size); + if (!chunk_buffer) { + xprintf(this->stream->xine, XINE_VERBOSITY_DEBUG, + "demux_real: could not allocated chunk_buffer of size %u\n", + chunk_size); + this->status = DEMUX_FINISHED; + return; + } if (this->input->read(this->input, chunk_buffer, chunk_size) != chunk_size) { free (chunk_buffer); @@ -450,6 +490,13 @@ static void real_parse_headers (demux_re this->status = DEMUX_FINISHED; return; } + if (chunk_size < 38) { + xprintf(this->stream->xine, XINE_VERBOSITY_DEBUG, + "demux_real: chunk too small for PROP_TAG\n"); + free(chunk_buffer); + this->status = DEMUX_FINISHED; + return; + } this->duration = _X_BE_32(&chunk_buffer[22]); this->index_start = _X_BE_32(&chunk_buffer[30]); 
@@ -475,7 +522,16 @@ static void real_parse_headers (demux_re continue; } - mdpr_t *const mdpr = real_parse_mdpr (chunk_buffer); + mdpr_t *const mdpr = real_parse_mdpr (chunk_buffer, chunk_size); + if (mdpr) { + xprintf(this->stream->xine, XINE_VERBOSITY_DEBUG, + "demux_real: failed to parse mdpr\n"); + if (chunk_buffer) free(chunk_buffer); + this->status = DEMUX_FINISHED; + return; + } + + lprintf ("parsing type specific data...\n"); if(!strcmp(mdpr->mime_type, "audio/X-MP3-draft-00")) {
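Review bot: the debug string in the malloc failure path of the @@ -430,8 hunk reads "could not allocated chunk_buffer"; suggest "could not allocate chunk_buffer of size %u". The ordering itself is right: the size test runs before `chunk_size -= PREAMBLE_SIZE`, so a crafted chunk_size below PREAMBLE_SIZE can no longer wrap the unsigned subtraction into a huge allocation, and both early returns fire before anything has been allocated, so nothing leaks on those paths.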
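Review bot: the `chunk_size < 38` bound in the @@ -450,6 hunk is a bare magic number; the reads visible in the hunk (`_X_BE_32(&chunk_buffer[22])` and `&chunk_buffer[30]`) need only 34 bytes, so the 38 presumably covers later PROP fields outside this hunk. Suggest a named constant or a comment stating which field the 38 is derived from, so whoever adds a field next knows what to update. Note that chunk_size at this point is already net of PREAMBLE_SIZE (subtracted in the earlier hunk), which is the right quantity to compare against payload offsets.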
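Review bot: the condition in the @@ -475,7 hunk is inverted as shown: `if (mdpr) { ... "failed to parse mdpr" ...; return; }` bails out exactly when real_parse_mdpr succeeded and falls through to `mdpr->mime_type` when it returned NULL, which reinstates the NULL dereference the check is meant to stop; it should read `if (!mdpr)`. The `if (chunk_buffer) free(chunk_buffer);` guard is redundant, since chunk_buffer was NULL-checked right after its malloc in the first hunk and free(NULL) is a no-op anyway. Also, the new `chunk_size` argument implies a matching change to real_parse_mdpr's definition, and the 26-line offset in the new-file numbers (`-430,8 +456,22`) points at an earlier hunk that is not in the text as attached here; confirm it is present before applying.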
From: Will Drewry <red...@ocert.org> Date: Fri, 22 Aug 2008 20:50:31 -0500 Subject: Check for diff -prauN xine-lib-1.1.15.orig/src/demuxers/demux_matroska.c xine-lib-1.1.15/src/demuxers/demux_matroska.c --- xine-lib-1.1.15.orig/src/demuxers/demux_matroska.c 2008-08-22 13:48:27.000000000 -0500 +++ xine-lib-1.1.15/src/demuxers/demux_matroska.c 2008-08-22 13:57:47.000000000 -0500 @@ -1181,6 +1181,8 @@ static int parse_track_entry(demux_matro case MATROSKA_ID_TR_CODECPRIVATE: { char *codec_private = malloc (elem.len); lprintf("CodecPrivate\n"); + if (!codec_private) + return 0; if (!ebml_read_binary(ebml, &elem, codec_private)) { free(codec_private); return 0;
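Review bot: the added `if (!codec_private) return 0;` covers the case the CVE names (malloc failing on an attacker-controlled elem.len and the NULL result being handed to ebml_read_binary), but elem.len == 0 remains ambiguous: malloc(0) may legitimately return NULL on some C libraries and a unique pointer on others, so an empty CodecPrivate element would be rejected on one platform and accepted on another. Suggest handling elem.len == 0 explicitly ahead of the allocation. For readability the NULL check could also move above the `lprintf("CodecPrivate\n")`, so that the failure path directly follows the malloc.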