#######################################################################

                             Luigi Auriemma

Application:  Xine
              http://xinehq.de
Versions:     <= 1.1.9
Platforms:    GNU/Linux, FreeBSD, Solaris, Irix, Darwin/MacOS X, Windows,
              HPUX, OpenBSD, OS/2
Bug:          heap overflow in rmff_dump_header
Exploitation: remote
Date:         08 Jan 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Xine is a player and a library used in many open source media players
like Kaffeine, Totem and so on.


#######################################################################

======
2) Bug
======


There is a heap overflow in the rmff_dump_header function in rmff.c,
called by rtsp_session_start when a Real Helix server is found, where
the "max" field (the max size of buffer/rtsp_session->header) is not
considered.
From input/libreal/rmff.c:

  /* "max" is received but never checked: every chunk is written at
     buffer[written] unconditionally, so headers whose combined size
     exceeds "max" run past the end of the heap buffer. */
  int rmff_dump_header(rmff_header_t *h, char *buffer, int max) {

    int written=0;
    rmff_mdpr_t **stream=h->streams;

    rmff_dump_fileheader(h->fileheader, &buffer[written]);
    written+=h->fileheader->size;
    rmff_dump_prop(h->prop, &buffer[written]);
    written+=h->prop->size;
    rmff_dump_cont(h->cont, &buffer[written]);
    written+=h->cont->size;
    if (stream)
    {
      /* one MDPR chunk per stream, sizes taken from the parsed data */
      while(*stream)
      {
        rmff_dump_mdpr(*stream, &buffer[written]);
        written+=(*stream)->size;
        stream++;
      }
    }

    /* the data header is a fixed 18 bytes */
    rmff_dump_dataheader(h->data, &buffer[written]);
    written+=18;

    return written;
  }


#######################################################################

===========
3) The Code
===========


Use SDP data like the following:

  a=Abstract:buffer;"QUFBQUFBQUFBQUFBQUFB...40000_of_QUFBQUFB's...FBQUFB"

I have chosen QUFBQUFB because it is then decoded as AAAAAA


#######################################################################

======
4) Fix
======


No fix


#######################################################################
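A bounds-checked counterpart to the rmff_dump_header function shown in section 2, added here as an illustration of the missing "max" check; it is not Xine's code and not the author's. The rmff chunk types are simplified stand-ins (size plus raw bytes), and the constructed demo() assumes the oversized SDP text ends up in the CONT chunk and is dumped into a 4096-byte buffer.

```c
#include <string.h>

/* Simplified stand-ins for xine's rmff chunk types (constructed for this
   example; the real rmff_header_t holds parsed fields, not raw bytes). */
typedef struct { int size; const unsigned char *bytes; } chunk_t;
typedef struct {
    chunk_t *fileheader, *prop, *cont;
    chunk_t **streams;               /* NULL-terminated, like h->streams */
} hdr_t;

/* Copy one chunk to buffer[*written], refusing if it would pass max. */
static int put_chunk(const chunk_t *c, char *buffer, int *written, int max) {
    if (c->size < 0 || c->size > max - *written) return -1;
    memcpy(&buffer[*written], c->bytes, (size_t)c->size);
    *written += c->size;
    return 0;
}

/* Same layout as rmff_dump_header, but every write is checked against max.
   Returns bytes written, or -1 if any chunk (or the 18-byte data header)
   would overflow the caller's buffer. */
int rmff_dump_header_checked(const hdr_t *h, char *buffer, int max) {
    int written = 0;
    chunk_t **stream = h->streams;
    if (put_chunk(h->fileheader, buffer, &written, max) < 0) return -1;
    if (put_chunk(h->prop, buffer, &written, max) < 0) return -1;
    if (put_chunk(h->cont, buffer, &written, max) < 0) return -1;
    if (stream) {
        while (*stream) {
            if (put_chunk(*stream, buffer, &written, max) < 0) return -1;
            stream++;
        }
    }
    if (18 > max - written) return -1;   /* data header is a fixed 18 bytes */
    memset(&buffer[written], 0, 18);     /* stand-in for rmff_dump_dataheader */
    written += 18;
    return written;
}

/* Constructed scenario: 18-byte file header, 50-byte PROP, a CONT chunk of
   cont_size bytes (e.g. decoded from a huge a=Abstract: field), no streams,
   dumped into a 4096-byte buffer. Returns -2 if cont_size is out of range. */
int demo(int cont_size) {
    static unsigned char big[70000];     /* constructed 'A' filler */
    char buf[4096];
    chunk_t fh = {18, big}, prop = {50, big}, cont = {cont_size, big};
    hdr_t h = {&fh, &prop, &cont, NULL};
    if (cont_size < 0 || cont_size > (int)sizeof big) return -2;
    memset(big, 'A', sizeof big);
    return rmff_dump_header_checked(&h, buf, (int)sizeof buf);
}
```

With the check in place a 40000-byte CONT chunk is rejected instead of being written past the end of the buffer; the unchecked original would have returned a count of 40086 while already having corrupted the heap.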