From: SourceForge.net <no...@so...> - 2007-03-10 00:41:51
Bugs item #1676925, was opened at 2007-03-09 02:57
Message generated for change (Comment added) made by dgp85
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=109655&aid=1676925&group_id=9655

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: xine-lib
Group: current cvs version
>Status: Closed
>Resolution: Fixed
Priority: 9
Private: No
Submitted By: Kees Cook (keescook)
Assigned to: Nobody/Anonymous (nobody)
Summary: DMO loader vulnerable to heap overflow

Initial Comment:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1246

"The DMO_VideoDecoder_Open function in loader/dmo/DMO_VideoDecoder.c in MPlayer 1.0rc1 and earlier does not set the biSize before use in a memcpy, which allows user-assisted remote attackers to cause a buffer overflow and possibly execute arbitrary code."

This code is also present in xine-lib. The very small patch for this is here:
http://svn.mplayerhq.hu/mplayer/trunk/loader/dmo/DMO_VideoDecoder.c?r1=22019&r2=22204

----------------------------------------------------------------------

>Comment By: Diego Pettenò (dgp85)
Date: 2007-03-10 01:41

Message:
Logged In: YES
user_id=60011
Originator: NO

Thanks for reporting, fix committed in CVS now.

----------------------------------------------------------------------

Comment By: Kees Cook (keescook)
Date: 2007-03-09 18:34

Message:
Logged In: YES
user_id=1226316
Originator: YES

Also needs the same fix for src/libd32dll/DirectShow/DS_VideoDecoder.c

----------------------------------------------------------------------

Comment By: Kees Cook (keescook)
Date: 2007-03-09 02:58

Message:
Logged In: YES
user_id=1226316
Originator: YES

For completeness, the path in xine-lib is "src/libw32dll/dmo/"

----------------------------------------------------------------------
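
An added illustration of the bug class named in the CVE text above (a header's biSize field trusted by a later memcpy), not code from xine-lib, MPlayer or the linked patch. The names `bih_t`, `BIH_MAX`, `bih_copy_checked` and `bih_embed` are hypothetical, and the 4096-byte cap is an assumption.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified 40-byte stand-in for BITMAPINFOHEADER (not xine-lib's type). */
typedef struct {
    int32_t biSize;          /* header length as claimed by the media file */
    int32_t biWidth, biHeight;
    uint8_t rest[28];        /* remaining fixed fields, unused here */
} bih_t;

#define BIH_MAX 4096         /* assumed sanity cap on header + extra data */

/* Hypothetical helper: duplicate a header whose biSize is untrusted.
 * avail is the number of bytes really present at src. On success the
 * copy's biSize equals the allocation size, so later code that copies
 * biSize bytes cannot read or write past the buffer. */
bih_t *bih_copy_checked(const void *src, size_t avail, size_t *out_len)
{
    bih_t hdr;
    size_t len;
    bih_t *copy;

    if (src == NULL || out_len == NULL || avail < sizeof hdr)
        return NULL;
    memcpy(&hdr, src, sizeof hdr);           /* read the fixed part only */
    if (hdr.biSize < 0 || hdr.biSize > BIH_MAX)
        return NULL;                         /* negative or absurd claim */
    len = (size_t)hdr.biSize;
    if (len < sizeof hdr)
        len = sizeof hdr;                    /* never allocate less than the struct */
    if (len > avail)
        return NULL;                         /* claim exceeds the input */
    copy = malloc(len);
    if (copy == NULL)
        return NULL;
    memcpy(copy, src, len);
    copy->biSize = (int32_t)len;             /* field now matches the allocation */
    *out_len = len;
    return copy;
}

/* Later consumer: copies h->biSize bytes, bounded by the destination. */
int bih_embed(uint8_t *dst, size_t dst_len, const bih_t *h)
{
    if (h->biSize < (int32_t)sizeof *h || (size_t)h->biSize > dst_len)
        return -1;
    memcpy(dst, h, (size_t)h->biSize);
    return 0;
}
```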