Bugzilla – Bug 984382
VUL-0: vlc: Buffer Overflow in Processing QuickTime IMA Files (VideoLAN-SA-1601)
Last modified: 2016-08-05 06:52:49 UTC
http://www.videolan.org/security/sa1601.html

Security Advisory 1601

Summary : Buffer Overflow in Processing QuickTime IMA Files
Date : June 2016
Affected versions : VLC media player 2.2.3 and earlier
ID : VideoLAN-SA-1601
CVE reference : CVE-2016-5108

Details
A remote user can create a specially crafted QuickTime IMA file that, when loaded by the target user, will trigger a buffer overflow in DecodeAdpcmImaQT() in 'modules/codec/adpcm.c'.

Impact
If successful, a malicious third party could trigger either a crash of VLC or an arbitrary code execution with the privileges of the target user.

Threat mitigation:
Exploitation of those issues requires the user to explicitly open a specially crafted file or stream. ASLR and DEP help reduce exposure, but may be bypassed.

Workarounds:
The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites (or disable the VLC browser plugins), until the patch is applied.

Solution:
VLC media player 2.2.4 addresses the issue.
https://git.videolan.org/?p=vlc/vlc-2.2.git;a=commit;h=c2d2c3698e47402ec36ecc6c8a85781dbd88b6a9 from https://git.videolan.org/?p=vlc.git;a=commit;h=458ed62bbeb9d1bddf7b8df104e14936408a3db9 From c2d2c3698e47402ec36ecc6c8a85781dbd88b6a9 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Rafa=C3=ABl=20Carr=C3=A9?= <funman@videolan.org> Date: Wed, 25 May 2016 10:00:25 +0200 Subject: [PATCH] adpcm: reject invalid QuickTime IMA files DecodeAdpcmImaQT() can only decode up to stereo files. Fix out of bound write. Reported by: Patrick Coleman <blinken@gmail.com> Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org> (cherry picked from commit 458ed62bbeb9d1bddf7b8df104e14936408a3db9) Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org> --- modules/codec/adpcm.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/modules/codec/adpcm.c b/modules/codec/adpcm.c index e655c45..0071077 100644 --- a/modules/codec/adpcm.c +++ b/modules/codec/adpcm.c @@ -174,6 +174,12 @@ static int OpenDecoder( vlc_object_t *p_this ) switch( p_dec->fmt_in.i_codec ) { case VLC_FOURCC('i','m','a', '4'): /* IMA ADPCM */ + if (p_dec->fmt_in.audio.i_channels > 2) { + free(p_sys); + msg_Err(p_dec, "Invalid number of channels %i", + p_dec->fmt_in.audio.i_channels ); + return VLC_EGENERIC; + } p_sys->codec = ADPCM_IMA_QT; break; case VLC_CODEC_ADPCM_IMA_WAV: /* IMA ADPCM */ -- 1.7.10.4
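Review bot: the new guard in the VLC_FOURCC('i','m','a', '4') case of OpenDecoder() compares i_channels against a bare literal 2 with no comment, so the reason for the limit lives only in the commit message. A one-line comment above the `if` stating that DecodeAdpcmImaQT() handles at most stereo, or a named constant shared with that function, would keep the bound tied to the decoder it protects. The check is also one-sided: a channel count of 0 still passes this hunk, and it is worth confirming that the decode path tolerates it or rejecting it here too. Two smaller points: the "%i" in the msg_Err() call should be checked against the declared type of i_channels, and the `if (...) {` spacing differs from the `switch( ... )` style of the surrounding lines.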
CVSS2 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) thanks!
openSUSE-SU-2016:1651-1: An update that fixes two vulnerabilities is now available.
Category: security (important)
Bug References: 973354,984382
CVE References: CVE-2016-3941,CVE-2016-5108
Sources used:
openSUSE 13.2 (src): vlc-2.1.6-2.10.1

openSUSE-SU-2016:1652-1: An update that fixes 5 vulnerabilities is now available.
Category: security (important)
Bug References: 952051,954980,984382
CVE References: CVE-2015-7981,CVE-2015-8126,CVE-2016-1514,CVE-2016-1515,CVE-2016-5108
Sources used:
openSUSE Leap 42.1 (src): vlc-2.2.4-27.1
Updates for this have been released