[vlc-devel] Re: [RFC] VLC denial of service bugs

Christophe Massiot massiot at via.ecp.fr
Tue Jan 16 00:29:40 CET 2007

At 22:51 +0200 15/01/07, Rémi Denis-Courmont wrote:

>As regards the last exploit, it's been fixed (by Sigmund, IIRC). Wrt
>zzuf, the MPEG1/2 bugs seems to be within libmpeg2; I cannot reproduce

I happen to have some information on the libmpeg2 bug. A few years 
ago I discussed with walken the libmpeg2 bugs remaining to be fixed. 
Walken told me that he was aware of only one type of crash : invalid 
motion vectors. The crash happens when the motion vector points 
outside of the boundaries of the reference picture. This is easy to 
trigger with zuff (change one bit in the motion code of macroblocks 
in the corners, and *paf*).

Unfortunately checking the boundaries of every motion vector is quite 
CPU-intensive (add several conditional branches in the macroblock 
loop, which is the main loop...), therefore walken decided against 
adding those checks. Some people may debate whether it is still 
appropriate now that a single core can decode 100 MPEG-2 streams in 
parallel, but bear in mind that it not that over-powered with 
1920x1080 HDTV content (yet).

It is interesting to notice that the segmentation fault is a read 
error (outside of the reference picture) but in no way the bug allows 
to write to random locations. Walken suggested (but never wrote the 
code) to set a signal handler on SIGSEGV, and whenever it got 
triggered, to longjmp to a safe location and resync on the next slice 
start code. Such approach has drawbacks too : playing with 
sighandlers in a lib is rarely a good idea, especially within 
multi-threaded programs, and I don't know if there is an equivalent 
under non-UNIX operating systems.

Christophe Massiot.

This is the vlc-devel mailing-list, see http://www.videolan.org/vlc/
To unsubscribe, please read http://developers.videolan.org/lists.html

More information about the vlc-devel mailing list