VideoLAN VLC media player is a free, open-source, cross-platform media player (and multimedia framework) developed by the French VideoLAN organization. It plays many kinds of media (files, optical discs, etc.) and many audio and video formats (WMV, MP3, etc.).

VLC media player has a stack-based buffer overflow when parsing a malformed cue file. The vulnerable code is in modules\access\vcd\cdrom.c (the excerpt corresponds to lines 913 to 944 of the affected source file):

[...]
    /* Try to parse the i_tracks and p_sectors info so we can just forget
     * about the cuefile */
    if( i_ret == 0 )
    {
[1]     int p_sectors[100];
        int i_tracks = 0;
        int i_num;
        char psz_dummy[10];

[2]     while( fgets( line, 1024, cuefile ) )
        {
            /* look for a TRACK line */
            if( !sscanf( line, "%9s", psz_dummy ) ||
                strcmp(psz_dummy, "TRACK") )
                continue;

            /* look for an INDEX line */
[3]         while( fgets( line, 1024, cuefile ) )
            {
                int i_min, i_sec, i_frame;

[4]             if( (sscanf( line, "%9s %2u %2u:%2u:%2u", psz_dummy, &i_num,
                             &i_min, &i_sec, &i_frame ) != 5) || (i_num != 1) )
                    continue;

[5]             i_tracks++;
[6]             p_sectors[i_tracks - 1] = MSF_TO_LBA(i_min, i_sec, i_frame);
                msg_Dbg( p_this, "vcd track %i begins at sector:%i",
                         i_tracks - 1, p_sectors[i_tracks - 1] );
                break;
            }
        }
[...]

[1] The stack buffer that can be overflowed; it has room for 100 entries.
[2] + [3] User-controlled data from the cue file is read into line, one line at a time.
[4] The user-controlled line is parsed and its fields are copied into i_num, i_min, i_sec and i_frame. This sscanf() call is itself bounded (the %9s and %2u widths limit each field); what is not bounded is how many lines can match.
[5] The i_tracks counter is incremented.
[6] The user-controlled values i_min, i_sec and i_frame are converted and written to the stack buffer p_sectors, with i_tracks used as the array index. Because i_tracks has no upper bound, a cue file that declares more than 100 tracks (each TRACK entry followed by an "INDEX 01 mm:ss:ff" line) writes past the end of p_sectors and overwrites data on the stack.

VLC media player has a second stack-based buffer overflow when parsing a malformed RealText (rt) subtitle file. The vulnerable code is in modules\demux\subtitle.c (lines 1843 to 1881 of the affected source file):

[...]
static int ParseRealText( demux_t *p_demux, subtitle_t *p_subtitle, int i_idx )
{
    VLC_UNUSED( i_idx );
    demux_sys_t *p_sys = p_demux->p_sys;
    text_t      *txt = &p_sys->txt;
    char *psz_text = NULL;
[1] char psz_end[12]= "", psz_begin[12] = "";

    for( ;; )
    {
        int h1 = 0, m1 = 0, s1 = 0, f1 = 0;
        int h2 = 0, m2 = 0, s2 = 0, f2 = 0;
        const char *s = TextGetLine( txt );
        free( psz_text );

        if( !s )
            return VLC_EGENERIC;

        psz_text = malloc( strlen( s ) + 1 );
        if( !psz_text )
            return VLC_ENOMEM;

        /* Find the good begining. This removes extra spaces at the
           beginning of the line.*/
        char *psz_temp = strcasestr( s, "<time");
        if( psz_temp != NULL )
        {
            /* Line has begin and end */
[2]         if( ( sscanf( psz_temp,
                  "<%*[t|T]ime %*[b|B]egin=\"%[^\"]\" %*[e|E]nd=\"%[^\"]%*[^>]%[^\n\r]",
                  psz_begin, psz_end, psz_text) != 3 ) &&
                /* Line has begin and no end */
[3]             ( sscanf( psz_temp,
                  "<%*[t|T]ime %*[b|B]egin=\"%[^\"]\"%*[^>]%[^\n\r]",
                  psz_begin, psz_text ) != 2) )
                /* Line is not recognized */
            {
                continue;
            }
[...]

[1] The 12-byte stack buffers psz_end and psz_begin can be overflowed.
[2] sscanf() reads from the user-controlled string at psz_temp and stores the begin="..." and end="..." values into psz_begin and psz_end through the %[^\"] conversions, which carry no field width, so there is no bound on how many bytes are written. (psz_text is not exposed in the same way: it is allocated with strlen( s ) + 1 bytes and the %[^\n\r] match can be no longer than the line.)
[3] Same as [2].

A separate code fragment, unrelated to VLC, concerns a mail delivery program's handling of a user+folder argument:

    char *s,*mailbox,tmp[MAILTMPLEN],path[MAILTMPLEN];
    STRING st;
    struct stat sbuf;
                                /* have a mailbox specifier? */
    if (mailbox = strchr (user,'+')) {
      *mailbox++ = '\0';        /* yes, tie off user name */
      if (!*mailbox || !strcmp ("INBOX",ucase (strcpy (tmp,mailbox))))
        mailbox = NIL;          /* user+ and user+INBOX same as user */
    }
    (..)

The user+folder command-line argument reaches deliver() and getusername() through the character pointers s and user respectively. The folder part is split off from the user part and copied into the tmp buffer with strcpy(). Since that buffer lives on the stack, an overlong folder name overwrites data on the stack.
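For the cue-file loop (the first VLC issue above), here is an added example in C; it is not VLC's code. It re-implements the same TRACK/INDEX scan over an in-memory cue sheet and adds the bounds check the vulnerable loop lacked, so a sheet with more than 100 INDEX 01 lines is rejected instead of writing past p_sectors. The MSF_TO_LBA definition, the get_line() reader and the demo_* helpers are assumptions made for this example, and the cue sheets it parses are constructed inside the block.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not VLC code: the TRACK/INDEX scan from cdrom.c rewritten
 * over an in-memory cue sheet, with the bounds check the vulnerable loop
 * lacked. MSF_TO_LBA is an assumed 75-frames-per-second conversion written
 * for this example, not VLC's macro. */

#define MAX_TRACKS 100
#define MSF_TO_LBA(min, sec, frame) \
    ((int)(frame) + 75 * ((int)(sec) + 60 * (int)(min)))

/* fgets()-like reader over a NUL-terminated buffer: copies up to cap-1 bytes
 * including the newline, advances *cursor, returns 0 at end of input. */
static int get_line(const char **cursor, char *out, size_t cap)
{
    const char *p = *cursor;
    size_t n = 0;
    if (*p == '\0')
        return 0;
    while (*p != '\0' && n + 1 < cap) {
        out[n++] = *p;
        if (*p++ == '\n')
            break;
    }
    out[n] = '\0';
    *cursor = p;
    return 1;
}

/* Same scan as the advisory's loop: for each TRACK line, take the first
 * following "INDEX 01 mm:ss:ff" line. Returns the number of tracks, or -1
 * as soon as a track would be stored at index >= max_tracks, which is the
 * write that overflowed p_sectors[100] in the original. */
int parse_cue_tracks(const char *cue_text, int *p_sectors, int max_tracks)
{
    char line[1024];
    char psz_dummy[10];
    int i_tracks = 0;

    while (get_line(&cue_text, line, sizeof line)) {
        /* "!= 1" rather than "!" so a blank line never reuses a stale psz_dummy */
        if (sscanf(line, "%9s", psz_dummy) != 1 || strcmp(psz_dummy, "TRACK"))
            continue;
        while (get_line(&cue_text, line, sizeof line)) {
            unsigned i_num, i_min, i_sec, i_frame;
            if (sscanf(line, "%9s %2u %2u:%2u:%2u", psz_dummy, &i_num,
                       &i_min, &i_sec, &i_frame) != 5 || i_num != 1)
                continue;
            if (i_tracks >= max_tracks)        /* missing in the vulnerable code */
                return -1;
            p_sectors[i_tracks++] = MSF_TO_LBA(i_min, i_sec, i_frame);
            break;
        }
    }
    return i_tracks;
}

/* Constructed cue sheet with n_tracks tracks, track t starting at t seconds. */
static char g_cue[16384];
static int g_sectors[MAX_TRACKS];

int demo_parse(int n_tracks)
{
    size_t used = (size_t)snprintf(g_cue, sizeof g_cue, "FILE \"disc.bin\" BINARY\n");
    for (int t = 1; t <= n_tracks && used < sizeof g_cue; t++)
        used += (size_t)snprintf(g_cue + used, sizeof g_cue - used,
                                 "  TRACK %02d MODE2/2352\n    INDEX 01 %02d:%02d:00\n",
                                 t, t / 60, t % 60);
    return parse_cue_tracks(g_cue, g_sectors, MAX_TRACKS);
}

int demo_sector(int idx) { return g_sectors[idx]; }

int main(void)
{
    printf("3-track cue: %d tracks, track 3 at LBA %d\n", demo_parse(3), demo_sector(2));
    printf("150-track cue: %d (rejected instead of overflowing)\n", demo_parse(150));
    return 0;
}
```

A 150-track sheet would have overwritten p_sectors and the stack above it in the original loop; here the 101st INDEX 01 line returns -1 and nothing is written out of bounds.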
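For the RealText issue, an added example that is not VLC's code. The minimal fix is to give each scanset a width (%11[^\"] for a 12-byte buffer), which bounds the sscanf() write but silently truncates overlong values. The version below instead extracts begin="..." and end="..." with explicit length checks, so an overlong or unterminated value is rejected rather than truncated. The rt_time type, find_ci(), get_attr() and demo_begin_len() are names chosen for this example, and the sample lines are constructed inline.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Added example, not VLC code: a bounded replacement for the two sscanf()
 * calls in ParseRealText(). Time values are copied only after their length
 * has been checked against the same 12-byte buffers the original used. */

#define TIME_LEN 12            /* mirrors psz_begin[12] / psz_end[12] */

typedef struct {
    char begin[TIME_LEN];
    char end[TIME_LEN];        /* empty string when the tag has no end= */
    const char *text;          /* points into the input line, after '>' */
} rt_time;

/* Case-insensitive search for needle within the first n bytes of hay. */
static const char *find_ci(const char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (strncasecmp(hay + i, needle, m) == 0)
            return hay + i;
    return NULL;
}

/* Copies the value of attr="..." found within the first n bytes of tag into
 * out (cap bytes including the NUL). Returns 1 if copied, 0 if the attribute
 * is absent, -1 if the value is unterminated or too long for cap, which is
 * exactly the input that overflowed psz_begin/psz_end in the original. */
static int get_attr(const char *tag, size_t n, const char *attr,
                    char *out, size_t cap)
{
    char needle[32];
    snprintf(needle, sizeof needle, "%s=\"", attr);
    const char *p = find_ci(tag, n, needle);
    if (!p)
        return 0;
    p += strlen(needle);
    const char *q = memchr(p, '"', (size_t)(tag + n - p));
    if (!q)
        return -1;
    size_t len = (size_t)(q - p);
    if (len >= cap)                /* reject rather than truncate */
        return -1;
    memcpy(out, p, len);
    out[len] = '\0';
    return 1;
}

/* Returns 2 for begin+end, 1 for begin only, 0 for a line with no usable
 * <time> tag, -1 for a malformed or overlong tag. */
int parse_rt_time_line(const char *line, rt_time *out)
{
    const char *tag = find_ci(line, strlen(line), "<time");
    if (!tag)
        return 0;
    const char *gt = strchr(tag, '>');
    if (!gt)
        return -1;
    size_t tag_len = (size_t)(gt - tag);
    int rb = get_attr(tag, tag_len, "begin", out->begin, TIME_LEN);
    if (rb <= 0)
        return rb;
    int re = get_attr(tag, tag_len, "end", out->end, TIME_LEN);
    if (re < 0)
        return -1;
    if (re == 0)
        out->end[0] = '\0';
    out->text = gt + 1;
    return re ? 2 : 1;
}

/* Constructs a <time> line whose begin value is len bytes of 'A' and parses it. */
int demo_begin_len(size_t len)
{
    char line[512];
    rt_time t;
    if (len > 400)
        return -2;
    memcpy(line, "<time begin=\"", 13);
    memset(line + 13, 'A', len);
    snprintf(line + 13 + len, sizeof line - 13 - len, "\" end=\"0:03\">x");
    return parse_rt_time_line(line, &t);
}

int main(void)
{
    rt_time t;
    int rc = parse_rt_time_line("<time begin=\"0:01.5\" end=\"0:03\">Hello world", &t);
    printf("rc=%d begin=%s end=%s text=%s\n", rc, t.begin, t.end, t.text);
    printf("11-byte begin: rc=%d, 64-byte begin: rc=%d (rejected)\n",
           demo_begin_len(11), demo_begin_len(64));
    return 0;
}
```

An 11-byte time value still fits the 12-byte buffer and is accepted; a 12-byte or longer one, which the original sscanf() would have written straight past psz_begin, returns -1 and is never copied.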
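For the user+folder fragment, an added example that is not the mail program's code: the same split with the length check performed before any copy, so a folder name that would not fit tmp is refused instead of overwriting the stack. MAILTMPLEN is assumed to be 1024 here because the page does not give its value; split_user_mailbox() and demo_split() are names chosen for the example, and the arguments it handles are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Added example, not the program's code: a bounded version of the user+folder
 * split from the fragment. MAILTMPLEN is an assumed value for the example. */
#define MAILTMPLEN 1024

/* Splits "user+mailbox" in place: user is cut at '+', and the mailbox name is
 * copied into tmp (cap bytes) only if it fits. Returns 1 if a mailbox was
 * set, 0 if there is none or it aliases INBOX (user+ and user+INBOX behave
 * like user), and -1 if the name would not fit, which is the case strcpy()
 * turned into a stack overwrite in the original. */
int split_user_mailbox(char *user, char *tmp, size_t cap)
{
    char *mailbox = strchr(user, '+');
    if (!mailbox)
        return 0;
    *mailbox++ = '\0';                    /* tie off the user name */
    size_t len = strlen(mailbox);
    if (len >= cap)                       /* the check the original lacked */
        return -1;
    if (len == 0 || strcasecmp(mailbox, "INBOX") == 0)
        return 0;                         /* same test as ucase()/strcmp */
    memcpy(tmp, mailbox, len + 1);
    return 1;
}

/* Runs the split on a constructed argument with a tmp buffer of cap bytes. */
int demo_split(const char *arg, size_t cap)
{
    char user[2048];
    char tmp[MAILTMPLEN];
    if (strlen(arg) >= sizeof user || cap > sizeof tmp)
        return -2;
    strcpy(user, arg);
    return split_user_mailbox(user, tmp, cap);
}

int main(void)
{
    printf("alice+Projects -> %d\n", demo_split("alice+Projects", MAILTMPLEN));
    printf("bob+INBOX      -> %d\n", demo_split("bob+INBOX", MAILTMPLEN));
    printf("16-char folder into 8-byte tmp -> %d (rejected)\n",
           demo_split("eve+AAAAAAAAAAAAAAAA", 8));
    return 0;
}
```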