Advisory Text :  

#######################################################################

Luigi Auriemma

Application: xine-lib
http://xinehq.de
Versions: <= 1.1.11
Platforms: Linux, *BSD, Solaris, Irix, MacOSX, Windows and others
Bugs: A] heap-overflow in demux_flv
B] heap-overflow in demux_qt
C] heap-overflow in demux_real
D] heap-overflow in demux_wc3movie
E] heap-overflow in ebml
F] heap-overflow in demux_film
Exploitation: local
Date: 20 Mar 2008
Author: Luigi Auriemma
e-mail: aluigi (at) autistici (dot) org [email concealed]
web: aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From developers website:
"xine is a free (gpl-licensed) high-performance, portable and reusable
multimedia playback engine. xine itself is a shared library with an
easy to use, yet powerful API which is used by many applications for
smooth video playback and video processing purposes."

The library and parts of its source code are widely used in many open
source players and projects.

#######################################################################

=======
2) Bugs
=======

xine-lib is affected by various heap overflow vulnerabilities caused by
the wrong 32 bit calculation of the amount of memory to allocate for
some destination buffers and arrays.
These bugs allow an attacker to control some registers or directly the
code flow (like with demux_qt) which could leat to the execution of
malicious code.
For brevity will be showed directly the instructions in the source code
which do these bad allocations.

-----------------------------
A] heap-overflow in demux_flv
-----------------------------

From src/demuxers/demux_flv.c:

static int parse_flv_var(demux_flv_t *this,
unsigned char *buf, int size, char *key, int
keylen) {
...
this->index = xine_xmalloc(num*sizeof(flv_index_entry_t));
...
this->index = xine_xmalloc(num*sizeof(flv_index_entry_t));

----------------------------
B] heap-overflow in demux_qt
----------------------------

Practically almost any allocation instruction in
src/demuxers/demux_qt.c is vulnerable to various types of heap
overflows.

------------------------------
C] heap-overflow in demux_real
------------------------------

From src/demuxers/demux_real.c:

static void real_parse_index(demux_real_t *this) {
...
*index = xine_xmalloc(entries * sizeof(real_index_entry_t));

----------------------------------
D] heap-overflow in demux_wc3movie
----------------------------------

From src/demuxers/demux_wc3movie.c:

static int open_mve_file(demux_mve_t *this) {
...
this->palettes = xine_xmalloc(this->number_of_shots * PALETTE_SIZE *
sizeof(palette_entry_t));

Note that the output buffer is filled using a special lookup table.

------------------------
E] heap-overflow in ebml
------------------------

From src/demuxers/ebml.c:

int ebml_check_header(ebml_parser_t *ebml) {
...
char *text = malloc(elem.len + 1);

------------------------------
F] heap-overflow in demux_film
------------------------------

From src/demuxers/demux_film.c:

static int open_film_file(demux_film_t *film) {
...
film->sample_table =
xine_xmalloc(film->sample_count * sizeof(film_sample_t));

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/xinehof.zip

#######################################################################

======
4) Fix
======

No fix

#######################################################################

---
Luigi Auriemma
http://aluigi.org