From: SourceForge.net <no...@so...> - 2006-11-28 01:19:57
|
Bugs item #1603458, was opened at 2006-11-27 10:41 Message generated for change (Comment added) made by rkay You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=109655&aid=1603458&group_id=9655 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: None Group: v1.1.2 Status: Open Resolution: None Priority: 5 Private: No Submitted By: Roland Kay (rkay) Assigned to: Nobody/Anonymous (nobody) Summary: Probably buffer overrun exploit in Real Media input plugin Initial Comment: In the following code fragment from the Real Media input plugin "rulematches" is a static buffer with enough space for 16 ints. However, asmrp_match() does not take a parameter giving the size of the buffer and performs no bounds checking. This can be seen by examining asmrp_eval(). It would be possible, in principle, for a malicious server to create a rulebook that would cause arbitrary data to overwrite the stack. Creating a viable exploit would be rather tedious, but a DSO attack would be trivial. >8--------------------------------------------8< src/input/libreal/real.c:468 for (i=0; i<desc->stream_count; i++) { int j=0; int n; char b[64]; int rulematches[16]; lprintf("calling asmrp_match with:\n%s\n%u", desc->stream[i]->asm_rule_book, bandwidth); n=asmrp_match(desc->stream[i]->asm_rule_book, bandwidth, rulematches); ---------------------------------------------------------------------- >Comment By: Roland Kay (rkay) Date: 2006-11-28 09:19 Message: Logged In: YES user_id=1477903 Originator: YES Given the triviality of the fix, I thought it more expedient for someone with direct CVS access to update the code directly. I've been finding quite a few of these kinds of issues and, since I'm maintaining a separate code base, creating patches is not an insignificant amount of work. However, if I notice problems I think it important that I notify the authors. Thanks for supplying a patch; hopefully, someone can apply it. ---------------------------------------------------------------------- Comment By: JW (jw203198) Date: 2006-11-27 11:06 Message: Logged In: YES user_id=835230 Originator: NO I dunno .. but if you can understand the code enough to figure a possible problem wouldn't it be more expedient to just submit a patch? The fix is quite trivial. ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=109655&aid=1603458&group_id=9655 |