BUGTRAQ ID: 27441
CVE(CAN) ID: CVE-2008-0486
MPlayer is a Linux-based media player that supports many media formats.
The file libmpdemux/demux_audio.c in MPlayer contains a stack overflow vulnerability when parsing FLAC comments:
/-----------
libmpdemux/demux_audio.c

case FLAC_VORBIS_COMMENT:
{
  /* For a description of the format please have a look at */
  /* http://www.xiph.org/vorbis/doc/v-comment.html */

  uint32_t length, comment_list_len;
  char comments[blk_len];                        /* (1) */
  uint8_t *ptr = comments;
  char *comment;
  int cn;
  char c;

  if (stream_read (s, comments, blk_len) == blk_len)
  {
    length = AV_RL32(ptr);                       /* (2) */
    ptr += 4 + length;

    comment_list_len = AV_RL32(ptr);
    ptr += 4;

    cn = 0;
    for (; cn < comment_list_len; cn++)
    {
      length = AV_RL32(ptr);
      ptr += 4;

      comment = ptr;
      c = comment[length];                       /* (3) */
      comment[length] = 0; ...
-----------/
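As shown, the length value at (2) is loaded from a position in the file stream and is then used, without any validation, as an index into the comment buffer. This can trigger a stack overflow and lead to arbitrary code execution.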
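For contrast, a bounds-checked walk over the same comment block layout, in which every length read from the file is compared with the bytes remaining before it is used. This is an added example, not MPlayer's code and not the vendor patch; the names rl32, take_field, count_vorbis_comments and the sample arrays are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
/* Little-endian 32-bit read, the job AV_RL32 does in the original. */
static uint32_t rl32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Consume one length-prefixed field. Returns 0 and advances *pos, or -1
 * if the 4-byte length or its payload would run past the block end. */
static int take_field(const uint8_t *buf, size_t len, size_t *pos,
                      const uint8_t **data, uint32_t *dlen)
{
    if (len - *pos < 4)
        return -1;
    *dlen = rl32(buf + *pos);
    *pos += 4;
    if (*dlen > len - *pos)   /* compare with bytes left, no overflow */
        return -1;
    *data = buf + *pos;
    *pos += *dlen;
    return 0;
}

/* Hypothetical helper: walk a VORBIS_COMMENT block of len bytes and return
 * the comment count, or -1 if any length is out of range. Comments stay
 * (pointer, length) pairs; nothing is written at comment[length]. */
int count_vorbis_comments(const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    const uint8_t *data;
    uint32_t dlen, n, i;
    if (take_field(buf, len, &pos, &data, &dlen) < 0)  /* vendor string */
        return -1;
    if (len - pos < 4)
        return -1;
    n = rl32(buf + pos);
    pos += 4;
    if (n > (len - pos) / 4)  /* every comment needs a 4-byte length */
        return -1;
    for (i = 0; i < n; i++)
        if (take_field(buf, len, &pos, &data, &dlen) < 0)
            return -1;
    return (int)n;
}

/* Constructed samples: a valid block, and one with an oversized length. */
static const uint8_t sample_ok[] = { 2,0,0,0,'a','b', 1,0,0,0, 3,0,0,0,'T','=','x' };
static const uint8_t sample_bad[] = { 0xff,0xff,0xff,0x7f, 1,0,0,0 };
```

The function rejects sample_bad at the vendor-string length, the same field that (2) reads unchecked.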
MPlayer MPlayer 1.0 rc2
Vendor patch:
MPlayer
-------
The vendor has released patches that fix this security issue. Download them from the vendor's site:
http://www.mplayerhq.hu/MPlayer/patches/url_fix_20080120.diff
http://www.mplayerhq.hu/MPlayer/patches/demux_mov_fix_20080129.diff
http://www.mplayerhq.hu/MPlayer/patches/demux_audio_fix_20080129.diff