oCERT-2008-013 MPlayer Real demuxer heap overflow

Description:

The MPlayer multimedia player suffers from a vulnerability which could result in arbitrary code execution and at the least, in unexpected process termination.

Three integer underflows in the Real demuxer code can be used to trigger a heap overflow: a specially crafted video file can make the stream_read function read or write arbitrary amounts of memory.
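As an added illustration of the bug class described above (constructed example, not MPlayer's code or the patch), the following shows a file-supplied packet length reduced by a hypothetical fixed header size: the unchecked unsigned subtraction wraps on small values and hands a near-4 GiB length to the read routine, while the hardened variant rejects the underflow and caps the length at the destination buffer size. HEADER_LEN, parse_packet and the packet layout are assumptions for the demonstration.

```c
/* Constructed example (not MPlayer's code): how an unchecked unsigned
 * subtraction on a file-supplied length wraps and yields an enormous read
 * size, and the check that prevents it. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

#define HEADER_LEN 12u   /* hypothetical fixed per-packet header size */

/* Vulnerable pattern: the payload length is derived by subtracting a
 * constant from a 32-bit length read from the file. If the file supplies a
 * value smaller than HEADER_LEN, the unsigned subtraction wraps to a value
 * near 4 GiB, which then reaches the read routine unchanged. */
uint32_t unsafe_payload_len(uint32_t packet_len) {
    return packet_len - HEADER_LEN;
}

/* Hardened: refuse lengths that would underflow, and cap the result at
 * the space actually available in the destination buffer. */
bool safe_payload_len(uint32_t packet_len, size_t buf_size, size_t *out) {
    if (packet_len < HEADER_LEN)
        return false;                 /* would underflow */
    uint32_t len = packet_len - HEADER_LEN;
    if (len > buf_size)
        return false;                 /* would overflow the heap buffer */
    *out = len;
    return true;
}

/* Read a 32-bit big-endian value, as a packet length field might be stored. */
static uint32_t rd32be(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Minimal packet parser using the hardened check. Returns the number of
 * payload bytes copied into buf, or -1 if the packet is rejected. */
long parse_packet(const uint8_t *file, size_t file_len,
                  uint8_t *buf, size_t buf_size) {
    size_t plen;
    if (file_len < HEADER_LEN)
        return -1;                    /* not even a full header */
    if (!safe_payload_len(rd32be(file), buf_size, &plen))
        return -1;                    /* underflow or too large for buf */
    if (file_len - HEADER_LEN < plen)
        return -1;                    /* truncated file */
    memcpy(buf, file + HEADER_LEN, plen);
    return (long)plen;
}
```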

The following patch fixes the issues: mplayer_demux_real.patch.

Affected version:

MPlayer <= 1.0_rc2

Fixed version:

MPlayer >= 1.0_rc3

Credit: vulnerability report and PoC code received from Felipe Andres Manzano <fmanzano [at] fceia [dot] unr [dot] edu [dot] ar>. We would like to thank Reimar Döffinger from the MPlayer team for patching the issue.

CVE: CVE-2008-3827

Timeline:

2008-08-12: vulnerability report received
2008-08-24: contacted mplayer maintainers
2008-08-25: maintainer provides patch
2008-08-28: reporter indicates that the patch is incomplete and sends new PoC
2008-09-15: maintainer provides updated patch
2008-09-16: reporter confirms patch
2008-09-29: advisory release
2008-09-30: corrected credit section
2008-09-30: added reference to publicly committed patch and PoC

References:
http://svn.mplayerhq.hu/mplayer/trunk/libmpdemux/demux_real.c?r1=27314&r2=27675
http://felipe.andres.manzano.googlepages.com/OCERT-2008-013Mplayer.tgz