[vlc-devel] [RFC] VLC denial of service bugs

Rémi Denis-Courmont rem at videolan.org
Mon Jan 15 21:51:04 CET 2007 

	Hey guys,

You may, or may not have seen sam's http://sam.zoy.org/zzuf/ "media 
player debacle". You may also have seen the "VLC Media Player 0.8.6a 
Unspecified Denial of Service Exploit".

Well, we all knew that was going to happen sooner or later.

As regards the last exploit, it's been fixed (by Sigmund, IIRC). Wrt 
zzuf, the MPEG1/2 bugs seems to be within libmpeg2; I cannot reproduce 
the A52 on trunk (though it's probably still there), and the ACC bug 
*seems* to lie within libfaad.

I fixed the MPEG4/AVI and WMV bugs yesterday, but I would hardly be 
surprised if there were other similar problems in the same files (I did 
not review them, nor do I know anyone who did). In both case, the 
demuxer would lamely assume that some chunk of data was as big as the 
file content said, regardless of how much data could actually be read 
from the file. There are probably many other such bugs in the tree.

I also suspect that there are many places were malloc/calloc/etc has to 
be checked for errors and is not. If the allocation size if an 32-bits 
(or larger) integer coming from some untrusted input, it can easily 
exceed your available memory, malloc() returns NULL, and the segfault 
will follow. Given large parts of VLC assumes malloc() never fails, 
this is pretty terrific.

To sum it up, I think we are essentially f*cked :(

On a bright note, at the time of writing, we have a lower "lulz 
potential" than that of mplayer even though we do not have Coverity 
check our code, and have otherwise hardly if ever have had our code 
inspected for vulnerabilities, judging by the number of CVE against VLC 
(at the very moment, a single one that I know).

Another good news is that the potential interest in crashing your media 
player is much lower than that of crashing your Internet-facing web 
server; and most of the bugs involved cannot (I think) be leveraged to 
run code.

-- 
Rémi Denis-Courmont
http://www.remlab.net/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://mailman.videolan.org/pipermail/vlc-devel/attachments/20070115/a399f60b/attachment.sig>

More information about the vlc-devel mailing list