oss-sec mailing list archives
Several reads out-of-bound in mplayer 1.1
From: Gustavo Grieco <gustavo.grieco () gmail com>
Date: Tue, 10 Nov 2015 10:29:05 -0300
Some out-of-bounds reads in the functions asf_mmst_streaming_start and http_build_request are present in MPlayer 1.1-4.8 (tested on Ubuntu 14.04). Other versions are probably affected. Upstream has been notified.

How to reproduce:

First, launch a dummy server:

$ true | netcat -l 127.0.0.1 5002

Then, run mplayer under valgrind:

$ valgrind mplayer mms://127.0.0.1:5002
==31830== Memcheck, a memory error detector
==31830== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==31830== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright info
==31830== Command: mplayer mms://127.0.0.1:5002
==31830==
MPlayer 1.1-4.8 (C) 2000-2012 MPlayer Team
mplayer: could not connect to socket
mplayer: No such file or directory
Failed to open LIRC support. You will not be able to use your remote control.

Playing mms://127.0.0.1:5002.
STREAM_ASF, URL: mms://127.0.0.1:5002
Resolving 127.0.0.1 for AF_INET6...
Couldn't resolve name for AF_INET6: 127.0.0.1
Connecting to server 127.0.0.1[127.0.0.1]: 5002...
Connected
==31830== Invalid read of size 4
==31830==    at 0x5A6792: asf_mmst_streaming_start (asf_mmst_streaming.c:595)
==31830==    by 0x5A8AA8: open_s (asf_streaming.c:94)
==31830==    by 0x54FD1F: open_stream_full (stream.c:186)
==31830==    by 0x54F3D0: open_stream (open.c:65)
==31830==    by 0x4321D9: main (mplayer.c:3223)
==31830==  Address 0x153e0ef0 is 0 bytes inside a block of size 1 alloc'd
==31830==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31830==    by 0x5A65E7: asf_mmst_streaming_start (asf_mmst_streaming.c:539)
==31830==    by 0x5A8AA8: open_s (asf_streaming.c:94)
==31830==    by 0x54FD1F: open_stream_full (stream.c:186)
==31830==    by 0x54F3D0: open_stream (open.c:65)
==31830==    by 0x4321D9: main (mplayer.c:3223)
==31830==
==31830== Invalid read of size 4
==31830==    at 0x5A67E6: asf_mmst_streaming_start (asf_mmst_streaming.c:597)
==31830==    by 0x5A8AA8: open_s (asf_streaming.c:94)
==31830==    by 0x54FD1F: open_stream_full (stream.c:186)
==31830==    by 0x54F3D0: open_stream (open.c:65)
==31830==    by 0x4321D9: main (mplayer.c:3223)
==31830==  Address 0x153e0ef0 is 0 bytes inside a block of size 1 alloc'd
==31830==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31830==    by 0x5A65E7: asf_mmst_streaming_start (asf_mmst_streaming.c:539)
==31830==    by 0x5A8AA8: open_s (asf_streaming.c:94)
==31830==    by 0x54FD1F: open_stream_full (stream.c:186)
==31830==    by 0x54F3D0: open_stream (open.c:65)
==31830==    by 0x4321D9: main (mplayer.c:3223)
==31830==
Alert! EOF read error:: Operation now in progress
pre-header read failed
Resolving 127.0.0.1 for AF_INET6...
Couldn't resolve name for AF_INET6: 127.0.0.1
Connecting to server 127.0.0.1[127.0.0.1]: 5002...
connect error: Connection refused
Failed, exiting.
==31830== Invalid read of size 4
==31830==    at 0x5AA4BA: http_build_request (http.c:478)
==31830==    by 0x5AB409: http_send_request (network.c:261)
==31830==    by 0x5AA827: http_streaming_start (http.c:725)
==31830==    by 0x5AAF5B: open_s2 (http.c:936)
==31830==    by 0x54FD1F: open_stream_full (stream.c:186)
==31830==    by 0x54F3D0: open_stream (open.c:65)
==31830==    by 0x4321D9: main (mplayer.c:3223)
==31830==  Address 0x153ecf90 is 0 bytes inside a block of size 2 alloc'd
==31830==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31830==    by 0x5AA492: http_build_request (http.c:468)
==31830==    by 0x5AB409: http_send_request (network.c:261)
==31830==    by 0x5AA827: http_streaming_start (http.c:725)
==31830==    by 0x5AAF5B: open_s2 (http.c:936)
==31830==    by 0x54FD1F: open_stream_full (stream.c:186)
==31830==    by 0x54F3D0: open_stream (open.c:65)
==31830==    by 0x4321D9: main (mplayer.c:3223)
==31830==
Resolving 127.0.0.1 for AF_INET6...
Couldn't resolve name for AF_INET6: 127.0.0.1
Connecting to server 127.0.0.1[127.0.0.1]: 5002...
connect error: Connection refused
No stream found to handle url mms://127.0.0.1:5002

Exiting... (End of file)

This issue was discovered using QuickFuzz and minimized manually.

Regards,
Gus.
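The Memcheck records above contain everything needed to triage each report without reading the source: the access size, the innermost frame of the faulting access, the size of the heap block it lands in, and the frame that allocated that block. The helper below is an added example written for this page, not code from the report, from QuickFuzz or from MPlayer. It parses Memcheck "Invalid read/write" records out of a mixed log (program output lines without the ==pid== prefix are skipped), pairs each access with its allocation site, and flags any access whose byte range extends past the block, which is exactly the situation reported here: 4-byte reads from 1-byte and 2-byte allocations. The sample input is an excerpt of the valgrind lines quoted in the report, with stacks shortened to two frames.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Memcheck prefixes every line it emits with ==<pid>==; program output has no prefix.
PREFIX_RE = re.compile(r"^==\d+==(.*)$")
ERROR_RE = re.compile(r"^Invalid (read|write) of size (\d+)$")
FRAME_RE = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.+)\)$")
ADDR_RE = re.compile(r"^Address 0x[0-9A-Fa-f]+ is (\d+) bytes (inside|before|after) "
                     r"a block of size (\d+) alloc'd$")


@dataclass
class MemcheckError:
    kind: str                                   # "read" or "write"
    size: int                                   # bytes accessed
    frames: List[str] = field(default_factory=list)        # access stack, innermost first
    offset: Optional[int] = None                # where the access lands relative to the block
    relation: Optional[str] = None              # "inside", "before" or "after" the block
    block_size: Optional[int] = None
    alloc_frames: List[str] = field(default_factory=list)  # allocation stack, innermost first

    def overruns_block(self) -> bool:
        """True when [offset, offset+size) is not fully contained in the heap block."""
        if self.offset is None or self.block_size is None:
            return False
        return self.relation != "inside" or self.offset + self.size > self.block_size

    def access_site(self) -> str:
        return self.frames[0] if self.frames else "?"

    def alloc_site(self) -> str:
        # Skip Valgrind's own malloc replacement frame ("in .../vgpreload_memcheck...").
        return next((f for f in self.alloc_frames if "vgpreload_" not in f), "?")


def parse_memcheck(log: str) -> List[MemcheckError]:
    """Collect 'Invalid read/write' records, each with its access and allocation stacks."""
    errors: List[MemcheckError] = []
    current: Optional[MemcheckError] = None
    in_alloc = False
    for raw in log.splitlines():
        m = PREFIX_RE.match(raw)
        if not m:
            continue                                # mplayer's own output, ignore
        line = m.group(1).strip()
        em = ERROR_RE.match(line)
        if not line or em:                          # blank prefix line or new header ends a record
            if current:
                errors.append(current)
            current, in_alloc = None, False
            if em:
                current = MemcheckError(kind=em.group(1), size=int(em.group(2)))
            continue
        if current is None:
            continue
        am = ADDR_RE.match(line)
        if am:
            current.offset, current.relation = int(am.group(1)), am.group(2)
            current.block_size, in_alloc = int(am.group(3)), True
            continue
        fm = FRAME_RE.match(line)
        if fm:
            target = current.alloc_frames if in_alloc else current.frames
            target.append(f"{fm.group(1)} ({fm.group(2)})")
    if current:
        errors.append(current)
    return errors


def triage(log: str) -> List[str]:
    """One verdict line per Memcheck record, naming access site and allocation site."""
    out = []
    for e in parse_memcheck(log):
        verdict = "OVER-ACCESS" if e.overruns_block() else "in-bounds"
        out.append(f"{verdict}: {e.kind} of {e.size} bytes at {e.access_site()} "
                   f"hits a {e.block_size}-byte block allocated at {e.alloc_site()}")
    return out


# Excerpt of the Memcheck output quoted in the report above (stacks cut to two frames).
SAMPLE_LOG = """\
==31830== Memcheck, a memory error detector
Connected
==31830== Invalid read of size 4
==31830==    at 0x5A6792: asf_mmst_streaming_start (asf_mmst_streaming.c:595)
==31830==    by 0x5A8AA8: open_s (asf_streaming.c:94)
==31830==  Address 0x153e0ef0 is 0 bytes inside a block of size 1 alloc'd
==31830==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31830==    by 0x5A65E7: asf_mmst_streaming_start (asf_mmst_streaming.c:539)
==31830==
==31830== Invalid read of size 4
==31830==    at 0x5A67E6: asf_mmst_streaming_start (asf_mmst_streaming.c:597)
==31830==    by 0x5A8AA8: open_s (asf_streaming.c:94)
==31830==  Address 0x153e0ef0 is 0 bytes inside a block of size 1 alloc'd
==31830==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31830==    by 0x5A65E7: asf_mmst_streaming_start (asf_mmst_streaming.c:539)
==31830==
==31830== Invalid read of size 4
==31830==    at 0x5AA4BA: http_build_request (http.c:478)
==31830==    by 0x5AB409: http_send_request (network.c:261)
==31830==  Address 0x153ecf90 is 0 bytes inside a block of size 2 alloc'd
==31830==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==31830==    by 0x5AA492: http_build_request (http.c:468)
==31830==
"""

if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```

Feeding the script the full valgrind output from the reproduction steps gives one line per record, so repeated hits on the same allocation (the two reads at lines 595 and 597 both come from the 1-byte block allocated at line 539) are easy to spot as a single root cause. To turn the reproduction into a pass/fail regression check, run valgrind with --error-exitcode=1 so a non-zero exit signals that Memcheck reported at least one error.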