oCERT-2008-013 MPlayer Real demuxer heap overflow
The MPlayer multimedia player suffers from a vulnerability which could result in arbitrary code execution and at the least, in unexpected process termination.
Three integer underflows in the Real demuxer code can be used to trigger a heap overflow: a specially crafted video file can cause the stream_read function to read or write an arbitrary amount of memory.
The following patch fixes the issues: mplayer_demux_real.patch.
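As an added illustration (not MPlayer's code and not the patch referenced above), the following hypothetical C demuxer fragment shows the bug class this advisory describes: a file-controlled chunk length minus a header size, used without a bounds check as the size handed to a stream_read, beside the checked form that rejects both the underflow and a payload larger than the destination buffer. The chunk layout, function names and sample bytes are constructed for the example and do not describe the RealMedia format.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical chunk layout (constructed for this example): a 4-byte big-endian
   chunk length, 4 bytes of other header fields, then the payload. */
#define HDR_SIZE 8
#define BUF_SIZE 256

/* Minimal stand-in for a demuxer's stream_read: copies up to n bytes from an
   in-memory "file" and never reads past its end. */
typedef struct { const uint8_t *data; size_t len; size_t pos; } stream_t;

static size_t stream_read(stream_t *s, uint8_t *dst, size_t n) {
    size_t avail = s->len - s->pos;
    if (n > avail) n = avail;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return n;
}

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable arithmetic: payload length = file-controlled length minus the
   header size, with no check that the header fits. A chunk_len below HDR_SIZE
   underflows: negative as an int, enormous once converted to size_t for the read. */
static int vulnerable_payload_len(uint32_t chunk_len) {
    return (int)chunk_len - HDR_SIZE;
}

/* Hardened arithmetic: reject lengths that would underflow the subtraction and
   lengths whose payload would not fit the destination buffer, before the value
   is ever used as a read size. Returns -1 on rejection. */
static int checked_payload_len(uint32_t chunk_len, size_t buf_size) {
    if (chunk_len < HDR_SIZE) return -1;          /* would underflow */
    uint32_t payload = chunk_len - HDR_SIZE;
    if (payload > buf_size) return -1;            /* would overflow out[] */
    return (int)payload;
}

/* Parse one chunk from the in-memory file into out[] using the checked length.
   Returns the number of payload bytes read, or -1 if the chunk is malformed. */
static int demux_chunk_checked(const uint8_t *file, size_t file_len,
                               uint8_t *out, size_t out_size) {
    stream_t s = { file, file_len, 0 };
    uint8_t hdr[HDR_SIZE];
    if (stream_read(&s, hdr, HDR_SIZE) != HDR_SIZE) return -1;
    int n = checked_payload_len(be32(hdr), out_size);
    if (n < 0) return -1;
    if (stream_read(&s, out, (size_t)n) != (size_t)n) return -1;  /* truncated file */
    return n;
}

/* Constructed sample inputs (not taken from any real file). */
static const uint8_t GOOD_CHUNK[] = {
    0x00, 0x00, 0x00, 0x18, 0, 0, 0, 0,   /* length 24 = 8-byte header + 16 payload */
    'R','E','A','L','D','A','T','A','1','2','3','4','5','6','7','8'
};
static const uint8_t UNDERFLOW_CHUNK[] = {
    0x00, 0x00, 0x00, 0x04, 0, 0, 0, 0    /* length 4 < HDR_SIZE: the underflow case */
};

/* Run one sample through the checked parser into a local buffer. */
static int demo_parse(const uint8_t *file, size_t file_len) {
    uint8_t out[BUF_SIZE];
    return demux_chunk_checked(file, file_len, out, sizeof out);
}

int main(void) {
    printf("unchecked length for a 4-byte chunk: %d (as size_t: %zu)\n",
           vulnerable_payload_len(4), (size_t)vulnerable_payload_len(4));
    printf("checked parse, good chunk: %d\n", demo_parse(GOOD_CHUNK, sizeof GOOD_CHUNK));
    printf("checked parse, underflowing chunk: %d\n",
           demo_parse(UNDERFLOW_CHUNK, sizeof UNDERFLOW_CHUNK));
    return 0;
}
```

The point of the checked form is that every comparison happens on the original unsigned field before subtraction, so the value that reaches stream_read is always between 0 and the size of the buffer it writes into.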
Affected version: MPlayer <= 1.0_rc2
Fixed version: MPlayer >= 1.0_rc3
Credit: vulnerability report and PoC code received from Felipe Andres Manzano <fmanzano [at] fceia [dot] unr [dot] edu [dot] ar>. We would like to thank Reimar Döffinger from the MPlayer team for patching the issue.
Timeline:
2008-08-12: vulnerability report received
2008-08-24: contacted mplayer maintainers
2008-08-25: maintainer provides patch
2008-08-28: reporter indicates that the patch is incomplete and sends new PoC
2008-09-15: maintainer provides updated patch
2008-09-16: reporter confirms patch
2008-09-29: advisory release
2008-09-30: corrected credit section
2008-09-30: added reference to publicly committed patch and PoC