Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 27 May 2016 14:25:09 +0100
From: Patrick Coleman <blinken@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: VLC - crash and potential code execution when processing
 QuickTime IMA files

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

In modules/codec/adpcm.c, VLC can be made to perform an out-of-bounds
write with user-controlled input.

The function DecodeAdpcmImaQT at adpcm.c:595 allocates a buffer which
is filled with bytes from the input stream. However, it does not check
that the number of channels in the input stream is less than or equal
to the size of the buffer, resulting in an out-of-bounds write. The
number of channels is clamped at <= 5.

adpcm_ima_wav_channel_t channel[2];
...
for( i_ch = 0; i_ch < p_dec->fmt_in.audio.i_channels; i_ch++ )
{
    channel[i_ch].i_predictor  = (int16_t)((( ( p_buffer[0] << 1 )|(
p_buffer[1] >> 7 ) ))<<7);
    channel[i_ch].i_step_index = p_buffer[1]&0x7f;
...

The mangling of the input p_buffer above and in
AdpcmImaWavExpandNibble() makes this difficult to exploit, but there
is a potential for remote code execution via a malicious media file.

Please find attached a POC which crashes VLC[1].

The vendor has confirmed the issue has been resolved and will be fixed
in VLC 2.2.4 and VLC 3.0.0.

Please allocate a CVE for this issue. If you require any further
information, please let me know.

Regards,

Patrick

1. Also <https://blinken.co/20160527_vlc_poc_chans4.mov>. SHA1
08e1e74cf4edf19dddcea1c4da14798654d16097




-----BEGIN PGP SIGNATURE-----

iQEcBAEBCAAGBQJXSEqFAAoJEFQwhhLHo8khRWYIAIEYBsLg+0nSeiUP2lBqqEEI
d3zt0QhlcZD4Jk5U/HDcdu6QvSI/cMLNBxEwLbgPJt/hyYWEaQbfYzxcHLYr0Sgs
VAK8hEr/XXNcgi7iU6ApLuHXXzHQ4bJrzk1QJhAgp6G7bhzwDm8qcU7VvifjZaCo
hNsHT3w7kmBC2s7tIfGu09ufhW1Nzvf86DPRvF3xS2R90TGM8jdvRpAFrrjmp7jY
tHJVCiM1Ln19BlkglNShtd53nGT7Y0pEUrmAcMdqxuUGFRGAQplbfJ5HNnxhPZsd
FpXfktaHotBhf4OcbU0W4c5hg4fP2ajaPRPpkqAKukr+izHKxYZ7J5qn1OI6k3o=
=GERz
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ