Bugtraq mailing list archives
Re: EEYE: RealPlayer pnen3260.dll Heap Overflow
From: Chenghuai Lu <luchenghuai () yahoo com>
Date: Tue, 5 Oct 2004 07:54:52 -0700 (PDT)
Hi Marc and all, I have a question here.
The code in pnen3260.dll among other things is responsible for handling .rm files. The vulnerability is triggered by setting the length field of the VIDORV30 data chunk to 0xFFFFFFF8 - 0xFFFFFFFF this will cause an integer overflow which leads to a small block of memory being allocated, we call this movie from a SMIL file to handle the initial exception, eventually overflowing the buffer.
I checked the Real Media file format at: http://home.pcisys.net/~melanson/codecs/rmff.htm According to what I understand, a data chunk has a 4-byte object_id as "DATA". This makes me a little confused. What does a VIDORV30 data chunk mean? How do I differentiate a general data chunk from a VIDORV30 data chunk? Thank you in advance for any advice.
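To make the integer overflow quoted above concrete, here is an added example that is not from this thread or from RealPlayer's code: a model RMFF chunk-header parser (4-byte object_id plus a 32-bit big-endian length, as on the rmff page linked in the mail) that computes the allocation size the naive way beside a checked version. The `length + 8` allocation formula, the function names and the sample headers are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of an RMFF chunk header as described on the rmff page cited in
 * the mail: a 4-byte object_id followed by a 32-bit big-endian length.
 * RM_HDR_LEN and the "length + header" allocation formula are assumptions
 * modelled on the advisory's wording, not RealPlayer's actual code. */
#define RM_HDR_LEN 8u

static uint32_t rd_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Naive 32-bit sum: for length 0xFFFFFFF8..0xFFFFFFFF the result wraps to
 * 0..7, so a tiny block would be allocated while `length` bytes are copied. */
uint32_t naive_alloc_size(uint32_t length) {
    return length + RM_HDR_LEN;
}

/* Hardened version: refuse a length that would wrap the addition, and refuse
 * a chunk that claims more bytes than the input actually holds. */
bool checked_alloc_size(uint32_t length, size_t avail, size_t *out) {
    if (length > UINT32_MAX - RM_HDR_LEN) return false;      /* would wrap */
    if ((size_t)length + RM_HDR_LEN > avail) return false;   /* truncated */
    *out = (size_t)length + RM_HDR_LEN;
    return true;
}

/* Parse one chunk header; id receives the 4-char object_id, NUL-terminated. */
bool parse_chunk(const uint8_t *buf, size_t avail, char id[5], size_t *alloc) {
    if (avail < RM_HDR_LEN) return false;
    memcpy(id, buf, 4);
    id[4] = '\0';
    return checked_alloc_size(rd_be32(buf + 4), avail, alloc);
}

/* Constructed sample headers: a benign DATA chunk declaring 16 bytes, and one
 * carrying the overflow-range length 0xFFFFFFF8 named in the advisory. */
const uint8_t SAMPLE_OK[32]  = { 'D','A','T','A', 0x00,0x00,0x00,0x10 };
const uint8_t SAMPLE_BAD[32] = { 'D','A','T','A', 0xFF,0xFF,0xFF,0xF8 };

int main(void) {
    char id[5]; size_t alloc;
    printf("ok:  %d\n", parse_chunk(SAMPLE_OK, sizeof SAMPLE_OK, id, &alloc));   /* prints 1 */
    printf("bad: %d\n", parse_chunk(SAMPLE_BAD, sizeof SAMPLE_BAD, id, &alloc)); /* prints 0 */
    return 0;
}
```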
Current thread:
- EEYE: RealPlayer pnen3260.dll Heap Overflow Marc Maiffret (Oct 01)
- Re: EEYE: RealPlayer pnen3260.dll Heap Overflow Chenghuai Lu (Oct 05)