[vlc-devel] [RFC] VLC denial of service bugs
rem at videolan.org
Mon Jan 15 21:51:04 CET 2007
You may, or may not have seen sam's http://sam.zoy.org/zzuf/ "media
player debacle". You may also have seen the "VLC Media Player 0.8.6a
Unspecified Denial of Service Exploit".
Well, we all knew that was going to happen sooner or later.
As regards the last exploit, it's been fixed (by Sigmund, IIRC). Wrt
zzuf, the MPEG1/2 bugs seems to be within libmpeg2; I cannot reproduce
the A52 on trunk (though it's probably still there), and the ACC bug
*seems* to lie within libfaad.
I fixed the MPEG4/AVI and WMV bugs yesterday, but I would hardly be
surprised if there were other similar problems in the same files (I did
not review them, nor do I know anyone who did). In both case, the
demuxer would lamely assume that some chunk of data was as big as the
file content said, regardless of how much data could actually be read
from the file. There are probably many other such bugs in the tree.
I also suspect that there are many places were malloc/calloc/etc has to
be checked for errors and is not. If the allocation size if an 32-bits
(or larger) integer coming from some untrusted input, it can easily
exceed your available memory, malloc() returns NULL, and the segfault
will follow. Given large parts of VLC assumes malloc() never fails,
this is pretty terrific.
To sum it up, I think we are essentially f*cked :(
On a bright note, at the time of writing, we have a lower "lulz
potential" than that of mplayer even though we do not have Coverity
check our code, and have otherwise hardly if ever have had our code
inspected for vulnerabilities, judging by the number of CVE against VLC
(at the very moment, a single one that I know).
Another good news is that the potential interest in crashing your media
player is much lower than that of crashing your Internet-facing web
server; and most of the bugs involved cannot (I think) be leveraged to
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: not available
More information about the vlc-devel