安全研究

安全漏洞
MPlayer多个整数溢出漏洞

发布日期:2006-03-29
更新日期:2006-03-29

受影响系统:
MPlayer MPlayer <= 1.0.20060329
描述:
BUGTRAQ  ID: 17295

MPlayer是一款基于Linux的媒体播放程序,支持多种媒体格式。

MPlayer中存在多个堆溢出漏洞,成功利用这些漏洞的攻击者可以在用户系统中执行任意指令。

具体漏洞如下:

[1]in libmpdemux/asfheader.c
- -----------------------------------
    218           asf_scrambling_h=buffer[0];
    219           asf_scrambling_w=(buffer[2]<<8)|buffer[1];
    220           asf_scrambling_b=(buffer[4]<<8)|buffer[3];
    221           asf_scrambling_w/=asf_scrambling_b;
char转换为int时值会为负数,导致asf_descrambling()发生堆溢出

[2]in libmpdemux/aviheader.c
- -----------------------------------
    218       s->wLongsPerEntry = stream_read_word_le(demuxer->stream);
    219       s->bIndexSubType = stream_read_char(demuxer->stream);
    220       s->bIndexType = stream_read_char(demuxer->stream);
    221       s->nEntriesInUse = stream_read_dword_le(demuxer->stream);
    222       *(uint32_t *)s->dwChunkId =
stream_read_dword_le(demuxer->stream);
    223       stream_read(demuxer->stream, (char *)s->dwReserved, 3*4);
    224       memset(s->dwReserved, 0, 3*4);
    225
    226       print_avisuperindex_chunk(s,MSGL_V);
    227
    228       msize = sizeof (uint32_t) * s->wLongsPerEntry *
s->nEntriesInUse;[ERROR]
    229       s->aIndex = malloc(msize);
    230       memset (s->aIndex, 0, msize);
    231       s->stdidx = malloc (s->nEntriesInUse * sizeof
(avistdindex_chunk));[ERROR]
    232       memset (s->stdidx, 0, s->nEntriesInUse * sizeof
(avistdindex_chunk));
    233
    234       // now the real index of indices
    235       for (i=0; i<s->nEntriesInUse; i++) {
    236           chunksize-=16;
    237           s->aIndex[i].qwOffset =
stream_read_dword_le(demuxer->stream) & 0xffffffff;
    238           s->aIndex[i].qwOffset |=
((uint64_t)stream_read_dword_le(demuxer->stream) & 0xffffffff)<<32;
    239           s->aIndex[i].dwSize =
stream_read_dword_le(demuxer->stream);
    240           s->aIndex[i].dwDuration =
stream_read_dword_le(demuxer->stream);
    241           mp_msg (MSGT_HEADER, MSGL_V, "ODML (%.4s): [%d]
0x%016"PRIx64" 0x%04x %u\n",
    242                   (s->dwChunkId), i,
    243                   (uint64_t)s->aIndex[i].qwOffset,
s->aIndex[i].dwSize, s->aIndex[i].dwDuration);
    244       }
两个整数溢出导致堆溢出。注意:aviheader.c中还存在其他整数溢出。

<*来源:XFOCUS Security Team (security@xfocus.org
  
  链接:http://marc.theaimsgroup.com/?l=bugtraq&m=114365009825129&w=2#-1
*>

建议:
厂商补丁:

MPlayer
-------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://www.mplayerhq.hu/homepage/design6/news.html

浏览次数:3141
严重程度:1(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障
关于我们
公司介绍
公司荣誉
公司新闻
联系我们
公司总部
分支机构
海外机构
快速链接
绿盟云
绿盟威胁情报中心NTI
技术博客