Message-ID: <3a4fbbc4-be6e-e410-21f0-0f32d12bafd9@gmail.com>
Date: Fri, 27 May 2016 14:25:09 +0100
From: Patrick Coleman <blinken@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: VLC - crash and potential code execution when processing QuickTime IMA files

Hi,

In modules/codec/adpcm.c, VLC can be made to perform an out-of-bounds write with user-controlled input.

The function DecodeAdpcmImaQT at adpcm.c:595 allocates a buffer which is filled with bytes from the input stream. However, it does not check that the number of channels in the input stream is less than or equal to the size of the buffer, resulting in an out-of-bounds write. The number of channels is clamped at <= 5.

    adpcm_ima_wav_channel_t channel[2];   /* fixed-size array: room for two channels only */
    ...
    /* i_channels comes from the stream and is not checked against the array size above */
    for( i_ch = 0; i_ch < p_dec->fmt_in.audio.i_channels; i_ch++ )
    {
        channel[i_ch].i_predictor = (int16_t)((( ( p_buffer[0] << 1 )|( p_buffer[1] >> 7 ) ))<<7);
        channel[i_ch].i_step_index = p_buffer[1]&0x7f;
        ...

The mangling of the input p_buffer above and in AdpcmImaWavExpandNibble() makes this difficult to exploit, but there is a potential for remote code execution via a malicious media file. Please find attached a POC which crashes VLC[1].

The vendor has confirmed the issue has been resolved and will be fixed in VLC 2.2.4 and VLC 3.0.0.

Please allocate a CVE for this issue. If you require any further information, please let me know.

Regards,
Patrick

1. Also <https://blinken.co/20160527_vlc_poc_chans4.mov>.
   SHA1 08e1e74cf4edf19dddcea1c4da14798654d16097
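As an added illustration of the missing check (this is not VLC's code nor the fix the vendor shipped; the struct layout, constants and function names are stand-ins), the C function below bounds the per-channel header loop by the size of the fixed array rather than by the channel count the stream declares, and rejects a stream that declares more channels than fit:

```c
#include <stdint.h>
#include <stddef.h>

/* Stand-in for VLC's adpcm_ima_wav_channel_t (assumed field layout). */
typedef struct {
    int i_predictor;
    int i_step_index;
} adpcm_ima_wav_channel_t;

#define QT_IMA_MAX_CHANNELS 2   /* matches the fixed channel[2] array in the report */
#define QT_IMA_HEADER_BYTES 2   /* per-channel header: predictor + step index */

/* Parse the per-channel IMA QT headers into channel[].
 * Returns the number of channels parsed, or -1 when the stream declares more
 * channels than the fixed array holds (the check the report says is missing)
 * or the buffer is too short for the declared headers. */
int parse_ima_qt_headers(const uint8_t *p_buffer, size_t i_buffer,
                         unsigned i_channels,
                         adpcm_ima_wav_channel_t channel[QT_IMA_MAX_CHANNELS])
{
    /* Bound the loop by the array size, not by the stream's channel count. */
    if (i_channels == 0 || i_channels > QT_IMA_MAX_CHANNELS)
        return -1;
    if (i_buffer < (size_t)i_channels * QT_IMA_HEADER_BYTES)
        return -1;

    for (unsigned i_ch = 0; i_ch < i_channels; i_ch++) {
        /* Same field extraction as the quoted VLC loop. */
        channel[i_ch].i_predictor =
            (int16_t)((((p_buffer[0] << 1) | (p_buffer[1] >> 7))) << 7);
        channel[i_ch].i_step_index = p_buffer[1] & 0x7f;
        p_buffer += QT_IMA_HEADER_BYTES;
    }
    return (int)i_channels;
}

/* Constructed sample: two channel headers as predictor/step-index byte pairs. */
static const uint8_t sample_block[] = { 0x12, 0x85, 0x34, 0x06 };
adpcm_ima_wav_channel_t sample_channels[QT_IMA_MAX_CHANNELS];

/* Run the parser over the sample with a caller-chosen channel count, as a
 * stream header would supply it; any count above 2 must be rejected. */
int parse_sample(unsigned i_channels)
{
    return parse_ima_qt_headers(sample_block, sizeof sample_block,
                                i_channels, sample_channels);
}
```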