oss-sec mailing list archives

Re: [oCERT-2015-009] VLC arbitrary pointer dereference


From: Loren <loren () trailofbits com>
Date: Thu, 20 Aug 2015 17:27:57 -0400

POC for oCERT#2015-009 VLC arbitrary pointer dereference

Running VLC v2.2.1 with sample_crash causes a segmentation fault on 0xccddeeff, an address read in from 0x1b6e6 in the 
sample_crash file. After this address is freed, vlc then attempts to free the next four bytes in the file, 0x1122331e. 

This data can be changed in the sample_crash file to free two arbitrary addresses. 

sample_crash: http://s000.tinyupload.com/?file_id=94915905821495818830 <http://s000.tinyupload.com/index.php?file_id=94915905821495818830>

-Loren Maggiore
