[vlc-devel] stream_out: rtp: fix invalid memory access (write)

Fabian Yamaguchi fabian.yamaguchi at cs.uni-goettingen.de
Sun Dec 7 17:56:33 CET 2014


Hi,

> And if you claim that something has a vulnerability, you had better
> be ready to prove it.

I did so for the RTP bug, the MP4 bug and the bug in the updater. For
the RTP bug, I sent you the trigger twice now, showing that the
allocation on the stack is problematic, as also suggested here:

https://www.securecoding.cert.org/confluence/display/seccode/MEM05-C.+Avoid+large+stack+allocations

For FTP and SAP, I merely introduced the same patch to be on the safe
side. I do not see why you think the patch has not been self-reviewed.

That being said, I'm not going to attempt to write more patches for you,
it's simply not my job.

The state now, however, is that the patches were mostly undone, leaving
three confirmed vulnerabilities in the code (RTP, MP4 and Updater), that
I have proven to exist.

The question that remains: will anybody fix these bugs? If not, I would
suggest that we at least inform oss-security so that anybody who wants
to patch this can.

Best,
Fabian

> 
>> I agree that the SIZE_MAX check is esoteric as a string that spans the
>> entire address space will not exist on the target systems. I just added
>> it to ensure that an integer overflow cannot occur in the allocation
>> regardless of what funny changes the platform introduces over time. Feel
>> free to discard the check, if it hurts your eyes, however, the point of
>> the patch is to ensure that memory is allocated on the heap and not the
>> stack.
> 
> No, it is not *only* about SIZE_MAX.
> I still fail to see how there can be a stack overflow in SAP and in FTP.
> 
> I also strongly suspect the stream_Size() patch will raise an issue in 
> Coverity because the fix is somewhat wrong.
> 
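The pattern the thread is arguing about, as an added illustration that is not VLC code: a buffer sized from input data moved from the stack to the heap, with the SIZE_MAX check on the length arithmetic that the quoted discussion refers to. Function names (`concat_len_overflows`, `join_on_heap`) are invented for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Before (the pattern MEM05-C warns about): the buffer lives on the stack
 * and its size is dictated by the input, so a long enough string exhausts
 * the stack. Shown as a comment only; it is not compiled here.
 *
 *   void before(const char *a, const char *b)
 *   {
 *       char buf[strlen(a) + strlen(b) + 1];   // size chosen by the data
 *       ...
 *   }
 */

/* True when len_a + len_b + 1 would wrap around SIZE_MAX. The first test
 * short-circuits so the subtraction on the right never underflows. */
bool concat_len_overflows(size_t len_a, size_t len_b)
{
    return len_a > SIZE_MAX - 1 || len_b > SIZE_MAX - 1 - len_a;
}

/* After: the same concatenation with the buffer on the heap. Returns a
 * malloc'd string the caller frees, or NULL on overflow or out-of-memory. */
char *join_on_heap(const char *a, const char *b)
{
    size_t len_a = strlen(a);
    size_t len_b = strlen(b);

    if (concat_len_overflows(len_a, len_b))
        return NULL;                    /* refuse rather than wrap to a tiny allocation */

    char *buf = malloc(len_a + len_b + 1);
    if (buf == NULL)
        return NULL;

    memcpy(buf, a, len_a);
    memcpy(buf + len_a, b, len_b + 1); /* +1 copies the terminating NUL */
    return buf;
}
```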