iSEC Partners Security Advisory - 2007-001-vlc
http://www.isecpartners.com
----------------------------------------------

VLC 0.8.6b format string vulnerability & integer overflow

Vendor: VideoLan
Vendor URL: http://www.videolan.org
Systems Affected: Confirmed on Windows XP, FreeBSD 6.2, MacOS X 10.4
Severity: High (memory access violations, potential code execution)
Author: David Thiel <david [at] isecpartners.com>
Vendor notified: 2007-06-05
Public release: 2007-06-21
Advisory URL: http://www.isecpartners.com/advisories/2007-001-vlc.txt
Vendor Advisory: http://www.videolan.org/sa0702.html

Summary:
--------
VLC is vulnerable to a format string attack in the parsing of Vorbis comments in Ogg Vorbis and Ogg Theora files, CDDA data or SAP/SDP service discovery messages. Additionally, there are two errors in the handling of wav files: a denial of service due to an uninitialized variable, and an integer overflow in sampling frequency calculations.

Details:
--------
The input_vaControl function in input.c calls vasprintf() with an externally-supplied format string, as specified in the value of a Vorbis comment. This can lead to arbitrary code execution.

An excessively large sample rate causes an integer overflow, resulting in a SEGV in __status_Update in stats.c.

An uninitialized i_nb_resamplers in input.c can cause a crash during audio stream processing.

Fix Information:
----------------
These issues are fixed in version 0.8.6c. Workarounds for previous versions are documented in the vendor advisory.

About iSEC Partners:
--------------------
iSEC Partners is a full-service security consulting firm that provides penetration testing, secure systems development, security education and software design verification.

115 Sansome Street, Suite 1005
San Francisco, CA 94104
Phone: (415) 217-0052
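The two bug classes in the Details section, illustrated as an added C example that is not VLC's code and not part of the original advisory. The format string issue is the pattern `vasprintf(&s, comment, ap)` with the Vorbis comment itself as the format; the hardened shape passes the comment as an argument to a fixed "%s" format. The example also shows a simple validator a parser can run over a metadata field before it reaches any printf-family call, and a checked byte-rate computation of the kind a wav header parser needs so that an oversized sample rate is rejected instead of wrapping. All function names (`count_conversions`, `render_status`, `status_from_comment`, `checked_byte_rate`) and the sample comment are constructed for this example; `render_status` is a portable stand-in for vasprintf() built on vsnprintf().

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Count the printf conversion directives in a string: a '%' that is not
   escaped as "%%". A metadata value that is meant to be displayed verbatim
   should never reach a printf-family call as the format when this is > 0. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* literal percent sign: skip the pair */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Portable stand-in for vasprintf(): format into a freshly allocated
   buffer. The caller owns (and must free) the returned string. */
char *render_status(const char *fmt, ...)
{
    va_list ap, ap2;
    va_start(ap, fmt);
    va_copy(ap2, ap);
    int len = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (len < 0) {
        va_end(ap2);
        return NULL;
    }
    char *buf = malloc((size_t)len + 1);
    if (buf)
        vsnprintf(buf, (size_t)len + 1, fmt, ap2);
    va_end(ap2);
    return buf;
}

/* Hardened form: the untrusted comment is always an argument to a fixed
   format string. The vulnerable shape described in the advisory is the
   equivalent of render_status(comment), with the comment as the format. */
char *status_from_comment(const char *comment)
{
    return render_status("Playing: %s", comment);
}

/* Checked byte-rate computation for a PCM (wav) header:
   rate * channels * (bits / 8) must fit in 32 bits.
   Returns 0 on success and -1 for malformed fields or overflow. */
int checked_byte_rate(uint32_t rate, uint16_t channels, uint16_t bits,
                      uint32_t *out)
{
    if (bits == 0 || bits % 8 != 0 || channels == 0)
        return -1;
    uint64_t block_align = (uint64_t)channels * (bits / 8);
    uint64_t byte_rate = (uint64_t)rate * block_align;   /* 64-bit, cannot wrap */
    if (byte_rate > UINT32_MAX)
        return -1;
    *out = (uint32_t)byte_rate;
    return 0;
}

int main(void)
{
    /* Constructed sample comment: reads like an ordinary title but carries
       two conversion directives. */
    const char *comment = "TITLE=100% Pure %s";
    printf("directives in comment: %d\n", count_conversions(comment));

    char *s = status_from_comment(comment);
    printf("%s\n", s);          /* printed verbatim, directives inert */
    free(s);

    uint32_t br = 0;
    int rc = checked_byte_rate(44100, 2, 16, &br);
    printf("44100 Hz, 2 ch, 16-bit -> rc=%d byte rate=%u\n", rc, br);
    rc = checked_byte_rate(UINT32_MAX, 2, 16, &br);
    printf("oversized sample rate -> rc=%d (rejected)\n", rc);
    return 0;
}
```

The validator is a cheap defence-in-depth check for a parser or a fuzzing harness: any count above zero in a field that is only ever displayed is a sign the value is being treated as a format string somewhere. The byte-rate check does the multiplication in 64 bits and compares against UINT32_MAX, which is the general form of the fix for the sampling frequency overflow the advisory describes.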