[vlc] VLC Media Player Real Demuxer Integer Overflow Unpatched
Secunia Research
vuln at secunia.com
Wed Dec 3 14:40:56 CET 2008
Hello,
CVE-2008-5276 is still not properly patched in version 0.9.8.
The added "i_index_count > ( 0xffffffff / sizeof( rm_index_t ) )" check
is insufficient, allowing values of 0x15555555 to trigger the overflow.
I.e.:
(0x155555555 + 1) * sizeof(rm_index_t) = 0x15555556 * 12 = 0x8.
0xffffffff / sizeof(rm_index_t) = 0xffffffff / 12 = 0x15555555 =
i_index_count ==> not covered by the ">" check
The vulnerability is confirmed in version 0.9.8.
We have updated our advisory accordingly:
http://secunia.com/advisories/32942/
--
Alin Rad Pop
Security Specialist
Secunia
Hammerensgade 4, 2. floor
DK-1267 Copenhagen K
Denmark
Phone +45 7020 5144
Fax +45 7020 5145
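The arithmetic in the message above, as an added C example (not code from the original message or from VLC's source). It models 32-bit size arithmetic with uint32_t and takes sizeof(rm_index_t) to be 12, as the message states; the function names and the stricter check are illustrative assumptions, not the fix VLC shipped.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: sizeof(rm_index_t) == 12, the value used in the message. */
#define RM_INDEX_SIZE 12u

/* The check quoted in the message: rejects only counts strictly above
 * 0xffffffff / sizeof(rm_index_t). Returns 1 if the count is rejected. */
static int weak_check_rejects(uint32_t i_index_count)
{
    return i_index_count > (0xffffffffu / RM_INDEX_SIZE);
}

/* Allocation size as computed with 32-bit arithmetic: (count + 1) * 12,
 * wrapping modulo 2^32 exactly as on a 32-bit size_t. */
static uint32_t alloc_size_32(uint32_t i_index_count)
{
    return (uint32_t)((i_index_count + 1u) * RM_INDEX_SIZE);
}

/* Illustrative stricter check (hypothetical helper): validate the value that
 * is actually multiplied, count + 1, not count. Returns 1 and stores the size
 * on success, 0 if the computation would overflow 32 bits. */
static int safe_alloc_size(uint32_t i_index_count, uint32_t *out)
{
    if (i_index_count == UINT32_MAX)
        return 0;                           /* count + 1 itself wraps */
    uint32_t n = i_index_count + 1u;
    if (n > UINT32_MAX / RM_INDEX_SIZE)
        return 0;                           /* n * 12 would wrap */
    *out = n * RM_INDEX_SIZE;
    return 1;
}

int main(void)
{
    uint32_t boundary = 0x15555555u;        /* value named in the message */
    uint32_t size = 0;

    printf("weak check rejects 0x%x: %d\n",
           (unsigned)boundary, weak_check_rejects(boundary));
    printf("wrapped allocation size: 0x%x\n",
           (unsigned)alloc_size_32(boundary));
    printf("strict check accepts 0x%x: %d\n",
           (unsigned)boundary, safe_alloc_size(boundary, &size));
    return 0;
}
```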