88 lines
No EOL
2.6 KiB
Text
88 lines
No EOL
2.6 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA1
|
|
|
|
- - Orange Bat advisory -
|
|
|
|
Name : VLC 0.8.6i
|
|
Class : Heap overflow
|
|
Published : 2008-08-16
|
|
Credit : g_ (g_ # orange-bat # com)
|
|
|
|
- - Details -
|
|
|
|
|
|
\modules\demux\tta.c
|
|
|
|
#define TTA_FRAMETIME 1.04489795918367346939
|
|
.
|
|
.
|
|
.
|
|
int i_seektable_size = 0, i;
|
|
.
|
|
.
|
|
.
|
|
/* Read the metadata */
|
|
es_format_Init( &fmt, AUDIO_ES, VLC_FOURCC( 'T', 'T', 'A', '1' ) );
|
|
fmt.audio.i_channels = GetWLE( &p_header[6] );
|
|
fmt.audio.i_bitspersample = GetWLE( &p_header[8] );
|
|
[1] fmt.audio.i_rate = GetDWLE( &p_header[10] );
|
|
|
|
p_sys->i_datalength = GetDWLE( &p_header[14] );
|
|
p_sys->i_framelength = TTA_FRAMETIME * fmt.audio.i_rate;
|
|
|
|
[2] p_sys->i_totalframes = p_sys->i_datalength / p_sys->i_framelength +
|
|
((p_sys->i_datalength % p_sys->i_framelength) ? 1 : 0);
|
|
p_sys->i_currentframe = 0;
|
|
|
|
[3] i_seektable_size = sizeof(uint32_t)*p_sys->i_totalframes;
|
|
p_seektable = (uint8_t *)malloc( i_seektable_size );
|
|
stream_Read( p_demux->s, p_seektable, i_seektable_size );
|
|
p_sys->pi_seektable = (uint32_t *)malloc(i_seektable_size);
|
|
|
|
for( i = 0; i < p_sys->i_totalframes; i++ )
|
|
[4] p_sys->pi_seektable[i] = GetDWLE( &p_seektable[i*4] );
|
|
|
|
|
|
[1] - we can set i_rate to 1
|
|
[2] - i_framelength = 1 (look for constant definition, it's ~1),
|
|
so i_totalframes = i_datalength
|
|
[3] - because we can set i_datalength to 2^30 and bacause
|
|
i_totalframes = i_datalength, multiplication will overflow
|
|
[4] - i_totalframes is positive (highest bit not set), so this loop will
|
|
spin 2^30 times, overwriting everything with data from the heap.
|
|
unfortunate thing is we have little control over what is written.
|
|
|
|
- - Proof of concept -
|
|
|
|
|
|
http://www.orange-bat.com/adv/2008/vlc.dos.tta
|
|
backup: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/6252.tta (2008-vlc.dos.tta)
|
|
|
|
- - PGP -
|
|
|
|
All advisories from Orange Bat are signed. You can find our public
|
|
key here: http://www.orange-bat.com/g_.asc
|
|
|
|
- - Disclaimer -
|
|
|
|
This document and all the information it contains is provided "as is",
|
|
without any warranty. Orange Bat is not responsible for the
|
|
misuse of the information provided in this advisory. The advisory is
|
|
provided for educational purposes only.
|
|
|
|
Permission is hereby granted to redistribute this advisory, providing
|
|
that no changes are made and that the copyright notices and
|
|
disclaimers remain intact.
|
|
|
|
(c) 2008 www.orange-bat.com
|
|
|
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: GnuPG v1.4.9 (MingW32)
|
|
|
|
iEYEARECAAYFAkimwoYACgkQIUHRVUfOLgW8hgCgmPcqqIlcLQpmH8u6wB2fVOHs
|
|
Zv4AoNNYWhzdknZOnPuChysoak1rMRsx
|
|
=4K3f
|
|
-----END PGP SIGNATURE-----
|
|
|
|
# milw0rm.com [2008-08-16] |