[MPlayer-users] Two null pointer dereference bugs
wangtielei
wangtielei at icst.pku.edu.cn
Tue Jul 29 05:38:42 CEST 2008
Hi,
There are two null pointer dereference bugs in the demux_open_real() function in /libmpdemux/demux_real.c. A crafted RealMedia format file could cause MPlayer to crash.
The 1st one: If the length of the mimetype string is zero, the pointer mimet is always NULL. MPlayer would crash when the null pointer is dereferenced in the strncmp() function.
char *descr, *mimet = NULL;
......
if ((len = stream_read_char(demuxer->stream)) > 0) {
    mimet = malloc(len+1);
    stream_read(demuxer->stream, mimet, len);
    mimet[len] = 0;
    mp_msg(MSGT_DEMUX, MSGL_INFO,"Stream mimetype: %s\n", mimet);
}
......
if (!strncmp(mimet,"audio/",6)) {
The 2nd one: If stream_id is larger than "MAX_A_STREAMS-1" or "MAX_V_STREAMS-1", both the new_sh_video() function and the new_sh_audio() function would return NULL.
The demux_open_real() function doesn't check the return value of the new_sh_video() function, and writes "sh->format" directly.
stream_id = stream_read_word(demuxer->stream);
sh_video_t *sh = new_sh_video(demuxer, stream_id);
mp_msg(MSGT_DEMUX, MSGL_INFO, MSGTR_VideoID, "real", stream_id);
sh->format = stream_read_dword_le(demuxer->stream); /* fourcc */
--------------------------------------------------------------------------------------
#define new_sh_video(d, i) new_sh_video_vid(d, i, i)
sh_video_t* new_sh_video_vid(demuxer_t *demuxer,int id,int vid){
    if(id > MAX_V_STREAMS-1 || id < 0)
    {
        mp_msg(MSGT_DEMUXER,MSGL_WARN,"Requested video stream id overflow (%d > %d)\n",
               id, MAX_V_STREAMS);
        return NULL;
    }
I constructed two crafted files which could cause MPlayer to crash.
Tielei Wang
2008-07-29
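The following is an added example, not code from the post above or from MPlayer. It reconstructs the two missing checks in a self-contained parser so that the failure modes can be exercised on constructed input. The record layout it reads (stream_id as a 16-bit big-endian word, a one-byte mimetype length, the mimetype bytes, then a 4-byte fourcc) is a simplified toy, not the real RealMedia MDPR layout; the stream_read_* helpers, new_sh_video() and MAX_V_STREAMS only mimic the names used in the report, and the value of MAX_V_STREAMS is an assumption.

```c
/* Added example: hardened handling of the two NULL dereferences the report
 * describes. Toy record layout (NOT the real RealMedia MDPR layout):
 *   [stream_id: u16 BE][mime_len: u8][mime bytes][fourcc: 4 bytes]
 * MAX_V_STREAMS is an assumed value; MPlayer defines its own. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_V_STREAMS 256   /* assumed limit for this example */

enum { OK = 0, ERR_TRUNC = -1, ERR_NO_MIME = -2, ERR_BAD_STREAM_ID = -3 };

typedef struct { const uint8_t *data; size_t len, pos; } stream_t;
typedef struct { int id; uint32_t format; } sh_video_t;

static int stream_read_char(stream_t *s)
{
    return s->pos < s->len ? s->data[s->pos++] : -1;
}

/* 16-bit big-endian word; -1 on truncation */
static int stream_read_word(stream_t *s)
{
    int hi = stream_read_char(s), lo = stream_read_char(s);
    return (hi < 0 || lo < 0) ? -1 : (hi << 8) | lo;
}

/* copies exactly n bytes or fails without touching buf */
static int stream_read(stream_t *s, void *buf, size_t n)
{
    if (s->len - s->pos < n) return 0;
    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    return 1;
}

/* Same contract as new_sh_video_vid() in the report: NULL for bad ids. */
static sh_video_t *new_sh_video(int id)
{
    if (id > MAX_V_STREAMS - 1 || id < 0)
        return NULL;
    sh_video_t *sh = calloc(1, sizeof *sh);
    if (sh) sh->id = id;
    return sh;
}

/* Parses one stream description. On OK, *out owns a heap sh_video_t and
 * *is_audio is 1 if the mimetype starts with "audio/". */
static int parse_stream_desc(stream_t *s, sh_video_t **out, int *is_audio)
{
    char *mimet = NULL;
    int len, stream_id;
    uint8_t fourcc[4];

    *out = NULL;
    *is_audio = 0;

    if ((stream_id = stream_read_word(s)) < 0)
        return ERR_TRUNC;
    if ((len = stream_read_char(s)) < 0)
        return ERR_TRUNC;
    if (len > 0) {
        mimet = malloc(len + 1);
        if (!mimet || !stream_read(s, mimet, len)) { free(mimet); return ERR_TRUNC; }
        mimet[len] = 0;
    }
    /* Bug 1: a zero-length mimetype leaves mimet NULL; the original went
     * straight into strncmp(mimet, "audio/", 6). Reject instead. */
    if (!mimet)
        return ERR_NO_MIME;
    *is_audio = strncmp(mimet, "audio/", 6) == 0;
    free(mimet);

    /* Bug 2: the original wrote sh->format without testing for NULL. */
    sh_video_t *sh = new_sh_video(stream_id);
    if (!sh)
        return ERR_BAD_STREAM_ID;
    if (!stream_read(s, fourcc, 4)) { free(sh); return ERR_TRUNC; }
    sh->format = fourcc[0] | fourcc[1] << 8 | fourcc[2] << 16 | (uint32_t)fourcc[3] << 24;
    *out = sh;
    return OK;
}

/* Runs the parser over a raw buffer and returns only the status code. */
static int check_desc(const uint8_t *buf, size_t n, int *is_audio)
{
    stream_t s = { buf, n, 0 };
    sh_video_t *sh;
    int rc = parse_stream_desc(&s, &sh, is_audio);
    free(sh);
    return rc;
}

/* Constructed inputs: a benign record, a zero-length mimetype, and a
 * stream_id of 0xFFFF that exceeds MAX_V_STREAMS-1. */
static const uint8_t benign[]  = { 0x00,0x01, 6, 'v','i','d','e','o','/', 'R','V','4','0' };
static const uint8_t no_mime[] = { 0x00,0x01, 0, 'R','V','4','0' };
static const uint8_t bad_id[]  = { 0xFF,0xFF, 6, 'a','u','d','i','o','/', 'c','o','o','k' };

int main(void)
{
    int a;
    printf("benign:  %d (audio=%d)\n", check_desc(benign, sizeof benign, &a), a);
    printf("no_mime: %d\n", check_desc(no_mime, sizeof no_mime, &a));
    printf("bad_id:  %d\n", check_desc(bad_id, sizeof bad_id, &a));
    return 0;
}
```

Both rejected records return an error code rather than reaching the dereference; in the original code the same two inputs would reach strncmp() with a NULL mimet and a write through a NULL sh respectively.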