By Rich Patulski –
VLC media player is a free and open source cross-platform multimedia player maintained by the VideoLAN Organization. VLC runs on five platforms, handles just about every kind of media, and supports a wide variety of media formats. On top of these complex features, the project is written in C/C++, which makes it a prime target for finding and exploiting security vulnerabilities.
In June 2016 a buffer overflow vulnerability was found in the file /modules/codec/adpcm.c, which handles the decoding of an audio compression format called IMA4. This format is used specifically in QuickTime files. The CVE number for this vulnerability is CVE-2016-5108.
The picture below shows the section of code that is vulnerable to a buffer overflow.
The vulnerability starts on line 589 with the for loop. The loop iterates over the adpcm_ima_wav_channel_t array declared on line 582, which is statically sized to two elements. The vulnerability arises because the loop's upper bound, p_dec->fmt_in.audio.i_channels, is never checked against the static size of the array, channel. The value of i_channels comes from the media file the user opens in VLC. This means that an attacker could craft a malformed media file using ima4 compression that triggers a buffer overflow on a victim's machine. It is possible that this vulnerability could become a remote code execution vulnerability, because VLC allows a user to stream media from a server on a network.
The picture above shows the patch for the vulnerability in the function DecodeAdpcmImaQT.
This patch is in the same file as the vulnerability, but in the function that calls DecodeAdpcmImaQT. The patch simply checks that the i_channels variable is not larger than the channel array created in DecodeAdpcmImaQT.
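To make the fix concrete, here is a constructed C example (added here; not VLC's code, and all names are hypothetical) showing the two places the check can live: at the caller before decoding, which is what the patch does, and as a guard on the loop bound itself. The IMA4 block layout is simplified to a 2-byte big-endian header per channel and only the headers are parsed.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed, simplified stand-in for the pattern discussed above; names are
 * hypothetical and this is not VLC's code. Per-channel decoder state is a
 * fixed-size stack array, while the channel count arrives from the file. */

#define IMA_CHANNELS_MAX 2   /* the static array size the loop must respect */
#define IMA_QT_BLOCK_SIZE 34 /* simplified: 2-byte header + 32 bytes of samples */

typedef struct {
    int i_predictor;   /* last decoded sample for this channel */
    int i_step_index;  /* position in the IMA step table */
} ima_channel_t;

/* Caller-side check, the approach the patch takes: refuse the stream at open
 * time if the file claims more channels than the decoder state can hold.
 * Returns 0 when the format is acceptable, -1 otherwise. */
int ima_qt_open_check(unsigned i_channels)
{
    if (i_channels > IMA_CHANNELS_MAX)
        return -1;
    return 0;
}

/* Per-block header decode with the loop bound validated against the array
 * size before the loop runs (defence in depth should a caller skip the open
 * check). Returns the number of channels decoded, or -1 on bad input. */
int ima_qt_decode_headers(unsigned i_channels, const uint8_t *p, size_t len,
                          ima_channel_t out[IMA_CHANNELS_MAX])
{
    if (ima_qt_open_check(i_channels) != 0)           /* bound must fit the array */
        return -1;
    if (len < (size_t)i_channels * IMA_QT_BLOCK_SIZE) /* every block must be complete */
        return -1;
    for (unsigned i = 0; i < i_channels; i++) {       /* now provably <= IMA_CHANNELS_MAX */
        int header = (int16_t)((p[0] << 8) | p[1]);   /* big-endian 16-bit header */
        out[i].i_predictor  = header & ~0x7f;         /* upper 9 bits: predictor */
        out[i].i_step_index = p[1] & 0x7f;            /* lower 7 bits: step index */
        p += IMA_QT_BLOCK_SIZE;
    }
    return (int)i_channels;
}

/* Constructed sample input: two channel blocks with headers 0x1234 and 0xff85. */
static const uint8_t sample_block[2 * IMA_QT_BLOCK_SIZE] = {
    [0] = 0x12, [1] = 0x34, [34] = 0xff, [35] = 0x85
};
```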