[vlc-devel] Re: [RFC] VLC denial of service bugs
massiot at via.ecp.fr
Tue Jan 16 00:29:40 CET 2007
At 22:51 +0200 15/01/07, Rémi Denis-Courmont wrote:
>As regards the last exploit, it's been fixed (by Sigmund, IIRC). Wrt
>zzuf, the MPEG1/2 bugs seems to be within libmpeg2; I cannot reproduce
I happen to have some information on the libmpeg2 bug. A few years
ago I discussed with walken the libmpeg2 bugs remaining to be fixed.
Walken told me that he was aware of only one type of crash : invalid
motion vectors. The crash happens when the motion vector points
outside of the boundaries of the reference picture. This is easy to
trigger with zuff (change one bit in the motion code of macroblocks
in the corners, and *paf*).
Unfortunately checking the boundaries of every motion vector is quite
CPU-intensive (add several conditional branches in the macroblock
loop, which is the main loop...), therefore walken decided against
adding those checks. Some people may debate whether it is still
appropriate now that a single core can decode 100 MPEG-2 streams in
parallel, but bear in mind that it not that over-powered with
1920x1080 HDTV content (yet).
It is interesting to notice that the segmentation fault is a read
error (outside of the reference picture) but in no way the bug allows
to write to random locations. Walken suggested (but never wrote the
code) to set a signal handler on SIGSEGV, and whenever it got
triggered, to longjmp to a safe location and resync on the next slice
start code. Such approach has drawbacks too : playing with
sighandlers in a lib is rarely a good idea, especially within
multi-threaded programs, and I don't know if there is an equivalent
under non-UNIX operating systems.
This is the vlc-devel mailing-list, see http://www.videolan.org/vlc/
To unsubscribe, please read http://developers.videolan.org/lists.html
More information about the vlc-devel