Analysis of a buffer overflow in VLC media player

By Rich Patulski


VLC media player is a free and open source cross-platform multimedia player maintained by the VideoLAN organization. VLC runs on five platforms and handles just about every media medium and a wide variety of media formats. On top of these complex features, the project is written in C/C++, which makes it a prime target for finding and exploiting security vulnerabilities.


In June, 2016 a buffer overflow vulnerability was found in the file /modules/codec/adpcm.c, which handles the decoding of an audio compression format called IMA4. This format is specifically used in QuickTime files. The CVE number of this vulnerability is CVE-2016-5108.


The picture below shows the section of code that is vulnerable to a buffer overflow.


The vulnerability starts on line 589 with the for loop. The for loop iterates over the adpcm_ima_wav_channel_t array on line 582, which is statically set to a size of two. The vulnerability arises because the ending range of the loop, p_dec->, is never checked against the static size of the array, channel. The value of i_channels comes from the media file the user opens in VLC. This means that an attacker could craft a malformed media file that uses the ima4 compression to trigger a buffer overflow on a victim's machine. It's possible that this vulnerability could turn into a remote code execution vulnerability because VLC allows a user to stream media from a server on a network.


The picture above shows the patch for the vulnerability in the function DecodeAdpcmImaQT.

This patch is in the same file as the vulnerability, but in a function that calls the DecodeAdpcmImaQT function. The patch simply checks that the value of the i_channels variable is not larger than the size of the channel array created in DecodeAdpcmImaQT.
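
The pattern described above, reduced to a small C sketch that is an added example and not VLC's source: a two-element channel array, a loop bound taken from the file, and the bound check the patch adds. The struct, the function names, the 2-byte header layout and the extra input-length check are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_CHANNELS 2  /* fixed array size described in the post */
#define PREAMBLE_LEN 2  /* assumed: 2-byte header per channel */

/* Hypothetical per-channel decoder state; not VLC's struct. */
typedef struct { int predictor; int step_index; } chan_state_t;

/* Assumed header layout: top 9 bits predictor, low 7 bits step index. */
static void load_one(const uint8_t *p, chan_state_t *c)
{
    c->predictor  = (int16_t)((p[0] << 8) | (p[1] & 0x80));
    c->step_index = p[1] & 0x7f;
}

/* Unchecked pattern: the loop bound is the file-supplied channel count,
 * so a count above MAX_CHANNELS writes past the end of ch[]. */
void load_unchecked(const uint8_t *buf, unsigned n_channels, chan_state_t *ch)
{
    for (unsigned i = 0; i < n_channels; i++)
        load_one(buf + i * PREAMBLE_LEN, &ch[i]);
}

/* Hardened form: validate the count against the array size before the
 * loop (the check the patch adds), plus an input-length check. */
int load_checked(const uint8_t *buf, size_t len, unsigned n_channels,
                 chan_state_t *ch)
{
    if (n_channels > MAX_CHANNELS)
        return -1;  /* would index outside ch[] */
    if (len < (size_t)n_channels * PREAMBLE_LEN)
        return -2;  /* input too short for the declared channels */
    load_unchecked(buf, n_channels, ch);  /* safe: bound already verified */
    return (int)n_channels;
}

int main(void)
{
    /* Constructed sample input: two channel headers. */
    const uint8_t sample[] = { 0x12, 0x85, 0x00, 0x03 };
    chan_state_t ch[MAX_CHANNELS] = { {0, 0}, {0, 0} };

    printf("2 channels -> %d\n", load_checked(sample, sizeof sample, 2, ch));
    printf("6 channels -> %d\n", load_checked(sample, sizeof sample, 6, ch));
    return 0;
}
```

Rejecting the count before the loop, rather than clamping it inside the loop, keeps the decoder from silently processing a file whose declared layout it cannot represent.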

