Package: xine-lib
Version: 1.1.2+dfsg-2
Severity: grave
Tags: patch, security
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1246 says:

"The DMO_VideoDecoder_Open function in loader/dmo/DMO_VideoDecoder.c in MPlayer 1.0rc1 and earlier does not set the biSize before use in a memcpy, which allows user-assisted remote attackers to cause a buffer overflow and possibly execute arbitrary code."

xine-lib has a copy of this code in src/libw32dll/. Attached is the (tiny) patch I used in Ubuntu for 1.1.2.

-- Kees Cook @outflux.net
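The bug class named in the CVE text above, as an added illustration in C that is not part of xine-lib, MPlayer or the attached patch: a header whose first field is its own size is copied from caller-supplied input, and a later copy trusts the copied size field instead of the length the buffer was actually allocated with. The clamp of bihs to sizeof(BITMAPINFOHEADER), the later consumer that copies biSize bytes, the guard on the caller's buffer length, and all helper names (open_header, overflow_bytes, run_case) are assumptions made for this demo, not the library's code.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Stand-in for the Win32 BITMAPINFOHEADER (40 bytes). As in the real header,
 * the first field is the structure's own size; codec-specific extra data may
 * follow when biSize exceeds sizeof(bih_t). */
typedef struct {
    uint32_t biSize;
    int32_t  biWidth;
    int32_t  biHeight;
    uint16_t biPlanes;
    uint16_t biBitCount;
    uint32_t biCompression;
    uint32_t biSizeImage;
    int32_t  biXPelsPerMeter;
    int32_t  biYPelsPerMeter;
    uint32_t biClrUsed;
    uint32_t biClrImportant;
} bih_t;

/* What the decoder keeps after opening: the private header copy and the
 * length it was allocated with. */
typedef struct {
    bih_t  *m_bh;
    size_t  bihs;
} decoder_t;

/* Models the allocation and copy in DMO_VideoDecoder_Open. The clamp of the
 * caller's biSize to at least sizeof(bih_t) is an assumption about the code
 * around the patched hunk; fix_bisize selects the patched behaviour.
 * Returns 0 on success, -1 on allocation failure or when the caller's buffer
 * is shorter than bihs (that length check is a demo guard, not original code). */
int open_header(decoder_t *d, const uint8_t *format, size_t format_len, int fix_bisize) {
    const bih_t *fmt = (const bih_t *)format;
    int bihs = ((int)fmt->biSize < (int)sizeof(bih_t)) ? (int)sizeof(bih_t) : (int)fmt->biSize;
    if ((size_t)bihs > format_len) return -1;
    d->m_bh = malloc((size_t)bihs);
    if (d->m_bh == NULL) return -1;
    memcpy(d->m_bh, fmt, (size_t)bihs);
    if (fix_bisize)
        d->m_bh->biSize = (uint32_t)bihs;   /* the one-line fix: record the real length */
    d->bihs = (size_t)bihs;
    return 0;
}

/* Models a later consumer that copies m_bh->biSize bytes out of m_bh into a
 * destination sized from bihs. Instead of performing the copy it returns how
 * many bytes would land past the destination; 0 means the copy is in bounds. */
size_t overflow_bytes(const decoder_t *d) {
    size_t n = d->m_bh->biSize;
    return n > d->bihs ? n - d->bihs : 0;
}

typedef struct {
    uint32_t recorded_bisize;  /* biSize as stored in the private copy (0 if open failed) */
    size_t   overflow;         /* bytes the later copy would overrun by (0 if open failed) */
} outcome_t;

/* Build a constructed header with the given biSize field, open it with or
 * without the fix, and report what the decoder would do with it. */
outcome_t run_case(uint32_t bisize_field, int fix_bisize) {
    outcome_t out = { 0, 0 };
    bih_t hdr;
    memset(&hdr, 0, sizeof hdr);
    hdr.biSize = bisize_field;           /* constructed, attacker-controlled field */
    decoder_t d = { NULL, 0 };
    if (open_header(&d, (const uint8_t *)&hdr, sizeof hdr, fix_bisize) != 0)
        return out;
    out.recorded_bisize = d.m_bh->biSize;
    out.overflow = overflow_bytes(&d);
    free(d.m_bh);
    return out;
}

int main(void) {
    /* 0xFFFFFFF0 reads as a negative int, so the clamp falls back to sizeof(bih_t)
     * while the copied biSize still claims roughly 4 GiB. */
    outcome_t vuln  = run_case(0xFFFFFFF0u, 0);
    outcome_t fixed = run_case(0xFFFFFFF0u, 1);
    printf("unpatched: biSize=%u, later copy overruns by %zu bytes\n", vuln.recorded_bisize, vuln.overflow);
    printf("patched:   biSize=%u, later copy overruns by %zu bytes\n", fixed.recorded_bisize, fixed.overflow);
    return 0;
}
```

The interesting input is a biSize that becomes negative when cast to int: the clamp then allocates only the base header, but the copied header still carries the huge value, and any later copy that trusts it runs far past the allocation. Writing bihs back into biSize, as the attached patch does, makes the stored size and the allocation agree, so the same consumer stays in bounds.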
--- xine-lib-1.1.2+repacked1.orig/src/libw32dll/dmo/DMO_VideoDecoder.c +++ xine-lib-1.1.2+repacked1/src/libw32dll/dmo/DMO_VideoDecoder.c @@ -118,6 +118,7 @@ this->iv.m_bh = (BITMAPINFOHEADER*)malloc(bihs); memcpy(this->iv.m_bh, format, bihs); + this->iv.m_bh->biSize = bihs; this->iv.m_State = STOP; //this->iv.m_pFrame = 0;
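Review bot: the return value of malloc(bihs) is still dereferenced unchecked, first by the existing memcpy and now also by the added `this->iv.m_bh->biSize = bihs;`, so an allocation failure becomes a NULL write; add a NULL check that fails DMO_VideoDecoder_Open before the copy. The hunk also does not show how bihs is computed, so please confirm it is clamped to at least sizeof(BITMAPINFOHEADER) earlier in the function, since the new assignment stores into the biSize field of the freshly allocated buffer and only makes sense if that buffer covers the full header. With that in place, the copied header's biSize, which comes from the caller-supplied `format`, is replaced by the actual allocation length, which is what the CVE-2007-1246 fix needs.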