
XSA-2004-5: heap overflow in DVD subpicture decoder



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

xine security announcement
==========================

Announcement-ID: XSA-2004-5

Summary:
A heap overflow has been found in the DVD subpicture decoder of xine-lib. This 
can be used for a remote heap overflow exploit, which can, on some systems, 
lead to or help in executing malicious code with the permissions of the user 
running a xine-lib based media application.

Description:
When a xine-lib based media application is playing content including DVD 
subpictures, the subtitle decoder converts the DVD subpictures, which are 
essentially run-length encoded bitmaps, into xine-lib's own internal 
subpicture format. The result of this conversion is written to a dynamically 
allocated memory block on the heap. This memory block can be overrun with 
certain subpictures:
DVD subpictures are stored in two fields, the first containing the odd 
numbered lines, the second containing the even numbered lines. Offsets in the 
subpicture header indicate the beginning of each field in the RLE data. When 
these two fields are stored in an overlapping manner, so that the 
beginning of the second field reuses RLE data from the end of the first, the 
resulting xine overlay will use up more space than was allocated, 
because the allocation did not take this possibility into account.
Since DVD subpictures do not only occur on DVDs, but may also be used in 
standalone MPEG files, an attacker can craft a malicious MPEG file containing 
such a subpicture with overlapping fields. This can be used to overflow the 
heap buffer, which can, with certain implementations of heap management, lead 
to attacker-chosen data being written to the stack. By placing such an MPEG file on 
the internet and tricking users into viewing it using network streaming, this is 
remotely exploitable.
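To make the size-estimation mistake concrete, here is a small C model of a two-field RLE subpicture (added for this advisory; it is not xine-lib's decoder and the byte layout is a constructed simplification, not the real DVD SPU format). The constructed `SAMPLE_OVERLAP` stream points the second field's offset back into the first field's RLE data. A single pass over the RLE bytes (`required_pixels_naive`) undercounts the expanded size, while expanding each field from its own offset (`required_pixels`) gives the true requirement; the bounded decoder then refuses to write past whatever capacity it was given.

```c
/* Two-field RLE subpicture model: offsets, expansion and a bounded decoder.
 * Constructed for this example; the byte layout is simplified and is NOT the
 * real DVD SPU format nor xine-lib's decoder. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SPU_HDR_LEN 4   /* two big-endian uint16 field offsets */

/* Constructed sample 1: field 1 starts INSIDE field 0's RLE data (offset 6).
 * Field 0 = entries at 4 and 6 (3+5 = 8 pixels); field 1 = entry at 6 (5 pixels). */
const uint8_t SAMPLE_OVERLAP[] = { 0x00,0x04, 0x00,0x06, 3,1, 5,2, 0,0 };
const size_t SAMPLE_OVERLAP_LEN = sizeof SAMPLE_OVERLAP;

/* Constructed sample 2: well-formed, field 1 starts after field 0's terminator. */
const uint8_t SAMPLE_DISJOINT[] = { 0x00,0x04, 0x00,0x0a, 3,1, 5,2, 0,0, 4,3, 0,0 };
const size_t SAMPLE_DISJOINT_LEN = sizeof SAMPLE_DISJOINT;

static size_t rd16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Pixels produced by the field starting at off; (size_t)-1 if it never terminates. */
size_t field_pixels(const uint8_t *spu, size_t len, size_t off) {
    size_t total = 0;
    while (off + 1 < len) {
        uint8_t run = spu[off];
        if (run == 0) return total;          /* run length 0 ends the field */
        total += run;
        off += 2;
    }
    return (size_t)-1;
}

/* Flawed estimate: walk the RLE data once from field 0's offset and count each
 * entry once, which is only right when the two fields do not share bytes. */
size_t required_pixels_naive(const uint8_t *spu, size_t len) {
    if (len < SPU_HDR_LEN) return (size_t)-1;
    size_t total = 0;
    for (size_t off = rd16(spu); off + 1 < len; off += 2) total += spu[off];
    return total;
}

/* Correct estimate: expand each field from its own offset, so bytes that both
 * fields reference are counted for each of them. */
size_t required_pixels(const uint8_t *spu, size_t len) {
    if (len < SPU_HDR_LEN) return (size_t)-1;
    size_t a = field_pixels(spu, len, rd16(spu));
    size_t b = field_pixels(spu, len, rd16(spu + 2));
    if (a == (size_t)-1 || b == (size_t)-1) return (size_t)-1;
    return a + b;
}

/* Decode one field into out[*pos..]; refuse any run that would pass out_len. */
static int decode_field(const uint8_t *spu, size_t len, size_t off,
                        uint8_t *out, size_t out_len, size_t *pos) {
    while (off + 1 < len) {
        uint8_t run = spu[off], colour = spu[off + 1];
        if (run == 0) return 0;
        if (run > out_len - *pos) return -1;   /* overlay buffer would overrun */
        memset(out + *pos, colour, run);
        *pos += run;
        off += 2;
    }
    return -1;                                  /* unterminated field */
}

/* Decode both fields into out (capacity cap). Returns pixels written or -1. */
long decode_spu(const uint8_t *spu, size_t len, uint8_t *out, size_t cap) {
    if (len < SPU_HDR_LEN) return -1;
    size_t pos = 0;
    if (decode_field(spu, len, rd16(spu), out, cap, &pos) < 0) return -1;
    if (decode_field(spu, len, rd16(spu + 2), out, cap, &pos) < 0) return -1;
    return (long)pos;
}

/* Allocate cap bytes, decode into them, return the decoder's result. */
long try_decode(const uint8_t *spu, size_t len, size_t cap) {
    uint8_t *buf = malloc(cap ? cap : 1);
    if (!buf) return -1;
    long n = decode_spu(spu, len, buf, cap);
    free(buf);
    return n;
}

int main(void) {
    size_t naive = required_pixels_naive(SAMPLE_OVERLAP, SAMPLE_OVERLAP_LEN);
    size_t real  = required_pixels(SAMPLE_OVERLAP, SAMPLE_OVERLAP_LEN);
    printf("overlapping fields: naive estimate %zu, actual need %zu\n", naive, real);
    printf("decode into naive-sized buffer: %ld (rejected)\n",
           try_decode(SAMPLE_OVERLAP, SAMPLE_OVERLAP_LEN, naive));
    printf("decode into correctly sized buffer: %ld pixels\n",
           try_decode(SAMPLE_OVERLAP, SAMPLE_OVERLAP_LEN, real));
    return 0;
}
```

On the overlapping sample the naive estimate is 8 pixels while both fields actually expand to 13; on the disjoint sample both estimates agree at 12, which is why the flaw only shows with crafted input. The two defensive measures shown are independent: size the allocation from a per-field expansion, and make the writer bounds-check against the real capacity so a wrong estimate degrades to a rejected subpicture instead of a heap overrun.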

Severity:
This is very difficult to exploit, because multiple indirections are involved: 
Firstly, the DVD subpicture data is expanded to xine-lib's internal 
subpicture format before it is written to the heap. Secondly, the heap 
overflow needs to alter heap management information in a way so that a return 
address on the stack is modified. Thirdly, this address must point to some 
malicious code to be executed, which needs to be injected somehow.
Although the involved xine plugin is part of the standard xine installation,
we consider this problem to be only moderately severe, because of the 
difficulty in exploiting it.

Affected versions:
All 0.5 releases starting with and including 0.5.2.
All 0.9 releases.
All 1-alpha releases.
All 1-beta releases.
All 1-rc releases up to and including 1-rc5.

Unaffected versions:
All releases older than 0.5.2.
1-rc6 or newer.

Solution:
The enclosed patch, which has been applied to xine-lib CVS, fixes the problem
but should only be used by distributors who do not want to upgrade.
Otherwise, we strongly advise everyone to upgrade to the 1-rc6 release of
xine-lib.
As a temporary workaround, you may delete the file "xineplug_decode_spu.so" 
from the xine-lib plugin directory, losing the ability to decode DVD 
subpictures with xine-lib.

Patch:
http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/libspudec/spu.c?r1=1.77&r2=1.78&diff_format=u

For further information and in case of questions, please contact the xine
team. Our website is http://xinehq.de/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQFBPLy1jhx3hMVnyYsRAngbAJ0Vy0F9wde/qafkBiB58xI4hb+tfwCgi7Fn
5qKEG8iA7EG/f2Cm03YMtzU=
=wto9
-----END PGP SIGNATURE-----