[MPlayer-dev-eng] buffer overflow of the month

The Wanderer inverseparadox at comcast.net
Thu Aug 25 23:55:53 CEST 2005


Attila Kinali wrote:

> On Thu, 25 Aug 2005 13:24:18 -0400 The Wanderer
> <inverseparadox at comcast.net> wrote:
> 
>> On the date cited in that text file for 'vendor contacted', there
>> is a post by someone with the name cited in 'issue found by' on
>> -users which appears at a glance to contain the same information as
>> the text file. I don't know why there was no reaction (people were
>> busy and didn't notice it?), but he does not appear to be lying.

(Clarification: I do not necessarily consider this to qualify as "vendor
contacted", either - but *he* apparently does. His attempt at contacting
the people responsible for fixing the problem, which is what "vendor"
apparently means in this context, may not have been very well directed,
but he did make it; my primary point was that he was not sufficiently
scum as to have made the attempt up out of whole cloth.)

> I can tell you why nobody reacted: It is neither a security advisory
> nor a bug report. It's just a mail from a lame user who thinks he
> found something. (Yes, you might quote me on this)
> 
> We now have the sample file, but no one of us can reproduce the
> segfault. If you want to try it yourself, join us on irc or contact
> me off list (I don't want to make the url too public).

I'd be interested in general terms, but I doubt I'd be able to
contribute much which the rest of you haven't already, aside from
providing one more environment in which to test.

Just to confirm (since I'm occasionally mildly paranoid, and anyway it
doesn't hurt to be certain): those of you attempting to reproduce the
problem are doing so with the versions he cited, not with latest CVS?
Because even if the problem doesn't exist in current CVS (which he
apparently didn't test), it might have existed previously - in which
case Sven Tantau can be taunted still further, and the official project
response can be "we had fixed it already, he just didn't test CVS".
(That ties back in to the "need for more-frequent official releases"
discussion which took place not long back... but is valid anyway.)

> Anyways, I plan to write a news entry on this flaming this guy to
> death. But first I want to be sure that it cannot be exploited at all
> (yes, I know it's the audio buffer which is on heap, but I want to be
> damn sure before I write something)

I'd say that's about the right attitude, all round.

-- 
       The Wanderer

Warning: Simply because I argue an issue does not mean I agree with any
side of it.

A government exists to serve its citizens, not to control them.