[MPlayer-users] Potential integer overflow in open_registry().

tielei.wang tielei.wang at gmail.com
Mon Sep 8 05:08:32 CEST 2008


Hi, all,

I think there's a potential integer overflow bug in open_registry() function in loader/registry.c.
Mplayer emulates responses from some Win32 API calls, such as open_registry().

I'm not sure whether we could trust a local file, but a malformed registry file could cause an integer overflow in the open_registry function and result in a heap overflow.

 fd = open(localregpathname, O_RDONLY);
 if (fd == -1)
 {
     printf("Creating new registry\n");
     create_registry();
     return;
 }
 read(fd, &reg_size, 4);
 regs=malloc(reg_size*sizeof(struct reg_value));

If reg_size is huge enough, reg_size*sizeof(struct reg_value) will overflow, resulting in a small region allocation.
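The arithmetic described above, and the overflow-checked allocation that would close the gap, as an added example (not MPlayer's code): the struct layout, the 32-bit width of the unsafe multiply and the MAX_REG_ENTRIES cap are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for MPlayer's struct reg_value: the layout is an assumption,
 * only its size matters for the arithmetic below. */
struct reg_value {
    int type;
    char *name;
    int len;
    char *value;
};

/* Largest entry count the loader will accept; an arbitrary sanity cap (assumption). */
#define MAX_REG_ENTRIES (1u << 20)

/* The unsafe computation from the report, reproduced on a 32-bit size_t:
 * count * elem wraps modulo 2^32, so a huge count yields a tiny allocation
 * while the loop that follows still reads 'count' entries into it. */
static uint32_t wrapped_alloc_size32(uint32_t reg_size, uint32_t elem_size)
{
    return reg_size * elem_size;
}

/* Overflow-checked multiply on 32-bit sizes: 1 and the product if it fits, else 0. */
static int mul_fits_u32(uint32_t count, uint32_t elem, uint32_t *out)
{
    if (elem != 0 && count > UINT32_MAX / elem)
        return 0;
    *out = count * elem;
    return 1;
}

/* Same check at the host's size_t width, for use before malloc/calloc. */
static int mul_fits_size(size_t count, size_t elem, size_t *out)
{
    if (elem != 0 && count > SIZE_MAX / elem)
        return 0;
    *out = count * elem;
    return 1;
}

/* Hardened replacement for the allocation step: take the 4-byte count as the
 * loader reads it (host byte order, like read(fd, &reg_size, 4)), reject counts
 * above the cap or whose byte size overflows, and zero the table so a short
 * file cannot leave stale heap contents in it. Returns NULL on rejection. */
static struct reg_value *alloc_registry(const unsigned char hdr[4], uint32_t *count_out)
{
    uint32_t reg_size;
    size_t bytes;
    memcpy(&reg_size, hdr, 4);
    if (reg_size > MAX_REG_ENTRIES || !mul_fits_size(reg_size, sizeof(struct reg_value), &bytes))
        return NULL;
    *count_out = reg_size;
    return calloc(reg_size, sizeof(struct reg_value));
}
```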

Regards, waiting for your reply.

2008-09-08 



tielei.wang 


