Bugtraq mailing list archives

Re: EEYE: RealPlayer pnen3260.dll Heap Overflow


From: Chenghuai Lu <luchenghuai () yahoo com>
Date: Tue, 5 Oct 2004 07:54:52 -0700 (PDT)

Hi Marc and all,

I have a question here.

The code in pnen3260.dll among other things is responsible for handling .rm files. The vulnerability is triggered by setting the length field of the VIDORV30 data chunk to 0xFFFFFFF8 - 0xFFFFFFFF; this will cause an integer overflow which leads to a small block of memory being allocated. We call this movie from a SMIL file to handle the initial exception, eventually overflowing the buffer.

I checked the Real Media file format at:
http://home.pcisys.net/~melanson/codecs/rmff.htm

According to what I understand, a data chunk has a
4-byte object_id as "DATA". This makes me a little
confused. What does a VIDORV30 data chunk mean? How do
I differentiate a general data chunk from a VIDORV30
data chunk?

Thank you in advance for any advice.




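To make the integer-overflow mechanism quoted from the advisory concrete, here is an added example that is not part of the original post or of eEye's advisory. It parses the generic RealMedia chunk header as documented at rmff.htm (big-endian object_id, size, object_version) from a constructed byte buffer, then shows the arithmetic the advisory describes: a 32-bit length in 0xFFFFFFF8..0xFFFFFFFF plus a small fixed overhead wraps to a tiny allocation size while the later copy still uses the huge length. The overhead of 8 bytes and the function names are assumptions for illustration (8 is chosen because it is exactly the overhead for which that 0xFFFFFFF8..0xFFFFFFFF range wraps); the example does not resolve how the VIDORV30 chunk is identified and does not model pnen3260.dll's actual code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Generic RealMedia chunk header as described at rmff.htm:
 * all multi-byte fields are big-endian. */
struct rm_chunk_hdr {
    char     object_id[5];    /* 4-character tag such as "DATA", NUL-terminated */
    uint32_t size;            /* chunk size in bytes (attacker-controlled) */
    uint16_t object_version;
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Parse one 10-byte chunk header. Returns 0 on success, -1 if buf is too short. */
int rm_parse_chunk_hdr(const uint8_t *buf, size_t buflen, struct rm_chunk_hdr *out)
{
    if (buflen < 10)
        return -1;
    memcpy(out->object_id, buf, 4);
    out->object_id[4] = '\0';
    out->size = be32(buf + 4);
    out->object_version = be16(buf + 8);
    return 0;
}

/* Assumed fixed overhead added to the length before allocation (hypothetical;
 * 8 is exactly the overhead for which 0xFFFFFFF8..0xFFFFFFFF wraps). */
#define HEADER_SLACK 8u

/* Vulnerable pattern: the 32-bit addition wraps, so len in
 * 0xFFFFFFF8..0xFFFFFFFF yields an allocation size of 0..7. */
uint32_t alloc_size_unchecked(uint32_t len)
{
    return len + HEADER_SLACK;
}

/* Hardened pattern: reject any len for which the addition would wrap.
 * Returns 0 and sets *out on success, -1 on overflow. */
int alloc_size_checked(uint32_t len, uint32_t *out)
{
    if (len > UINT32_MAX - HEADER_SLACK)
        return -1;
    *out = len + HEADER_SLACK;
    return 0;
}

/* Constructed sample: a "DATA" chunk header whose size field is 0xFFFFFFF8
 * (the low end of the range named in the advisory), object_version 0. */
static const uint8_t sample_data_chunk[10] = {
    'D', 'A', 'T', 'A',
    0xFF, 0xFF, 0xFF, 0xF8,
    0x00, 0x00
};

/* Parse the constructed sample; returns the parser's status. */
int parse_sample_chunk(struct rm_chunk_hdr *out)
{
    return rm_parse_chunk_hdr(sample_data_chunk, sizeof sample_data_chunk, out);
}

int main(void)
{
    struct rm_chunk_hdr h;
    uint32_t checked;

    if (parse_sample_chunk(&h) != 0)
        return 1;
    printf("object_id=%s size=0x%08x version=%u\n",
           h.object_id, h.size, h.object_version);
    printf("unchecked allocation size: %u bytes (wrapped)\n",
           alloc_size_unchecked(h.size));
    if (alloc_size_checked(h.size, &checked) != 0)
        printf("checked allocation: rejected, len + %u would overflow\n",
               HEADER_SLACK);
    return 0;
}
```

The point of the two allocation helpers is the contrast: `alloc_size_unchecked` silently returns 0 for a length of 0xFFFFFFF8, so a subsequent copy of `size` bytes into that block is the heap overflow, whereas `alloc_size_checked` refuses every length in the wrapping range before any allocation happens.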