[vlc-devel] Security: Subtitle StripTags heap corruption, potentially exploitable. Patch included

Harry Sintonen sintonen at iki.fi
Sun Jan 16 19:01:32 CET 2011


On Sun, 16 Jan 2011, Harry Sintonen wrote:

>  Hello
>
> I ran into some corrupt mkv that'd crash vlc. Debugging revealed an issue in 
> StripTags() function: It can run past the input string termination resulting 
> in a heap corruption.
>
> Assuming the input string contains a '<' char but doesn't include the 
> terminating '>' the routine will run past end of the string termination. It 
> happens because of psz_subtitle += strcspn( psz_subtitle, ">" ); in 
> combination with psz_subtitle++; will advance psz_subtitle past the string 
> termination. Bytes after the string termination will be copied to the 
> destination buffer, smashing the heap.
>
> It is trivial to test this issue by calling StripTags with a specially 
> crafted input string such as "<foo\0crashme" (use valgrind or a similar tool 
> to track the corruption).

Here's a way to reproduce the issue:

1. download http://www.mediafire.com/file/jezxko22nyn
2. echo -ne '<foo\0crashme' | dd conv=notrunc bs=1 seek=877862 \
of=refined-australia-blu720p-sample.mkv
3. vlc --sub-language English refined-australia-blu720p-sample.mkv

Depending on your platform you might need to run a debugger such as 
valgrind to actually see the heap corruption.


> Diff fixing the issue follows:
>
> diff --git a/modules/codec/subsdec.c b/modules/codec/subsdec.c
> index 22c951e..d0beae8 100644
> --- a/modules/codec/subsdec.c
> +++ b/modules/codec/subsdec.c
> @@ -640,6 +640,9 @@ static char *StripTags( char *psz_subtitle )
>             *psz_text++ = *psz_subtitle;
>         }
>
> +        /* Security fix: Account for the case where input ends early */
> +        if( *psz_subtitle == '\0' ) break;
> +
>         psz_subtitle++;
>     }
>     *psz_text = '\0';
> diff --git a/modules/codec/subsusf.c b/modules/codec/subsusf.c
> index c69c454..3886c52 100644
> --- a/modules/codec/subsusf.c
> +++ b/modules/codec/subsusf.c
> @@ -1072,6 +1072,9 @@ static char *StripTags( char *psz_subtitle )
>             *psz_text++ = *psz_subtitle;
>         }
>
> +        /* Security fix: Account for the case where input ends early */
> +        if( *psz_subtitle == '\0' ) break;
> +
>         psz_subtitle++;
>     }
>     *psz_text = '\0';

After checking some more it appears that similar unsafe strcspn() usage is 
present in other parts of the source tree as well (at least 
modules/codec/subsdec.c/CreateHtmlSubtitle() looks suspect). Whether 
these actually translate to vulnerabilities depends on where the input 
originates and how the output is processed. Dynamically allocated output 
should be able to handle the source buffer run off.


   Regards,
-- 
l=2001;main(i){float o,O,_,I,D;for(;O=I=l/571.-1.75,l;)for(putchar(--l%80?
i:10),o=D=l%80*.05-2,i=31;_=O*O,O=2*o*O+I,o=o*o-_+D,o+_+_<4+D&i++<87;);puts
("  Harry 'Piru' Sintonen <sintonen at iki.fi> http://www.iki.fi/sintonen");}



More information about the vlc-devel mailing list