Analysis of a buffer overflow in VLC media player

By Rich Patulski –

Introduction

VLC media player is a free and open source cross-platform multimedia player maintained by the VideoLAN Organization. VLC runs on five platforms, handles just about every media medium, and supports a wide variety of media formats. On top of these complex features, the project is written in C/C++, which makes it a prime target for finding and exploiting memory-safety vulnerabilities.

Background

In June 2016 a buffer overflow vulnerability was found in the file modules/codec/adpcm.c, which handles the decoding of an audio compression format called IMA4 (IMA ADPCM as used in QuickTime files). This format is specific to QuickTime containers. The CVE number of this vulnerability is CVE-2016-5108; the fix shipped in VLC 2.2.4.

Exploit

The picture below shows the section of code that is vulnerable to the buffer overflow.

[picture1: the vulnerable decoding loop in DecodeAdpcmImaQT]

The vulnerability starts on line 589 with the for loop. The loop iterates over the adpcm_ima_wav_channel_t array declared on line 582, which has a fixed size of two. The vulnerability arises because the loop's upper bound, p_dec->fmt_in.audio.i_channels, is never checked against the fixed size of the channel array. The value of i_channels comes from the media file the user opens in VLC. This means that an attacker can craft a malformed IMA4-compressed media file that declares more than two channels and trigger the overflow on a victim's machine: for every channel beyond the second, the loop writes decoder state past the end of the array. It is possible that this vulnerability could be turned into remote code execution, because VLC allows a user to stream media from a server on a network, so the malformed file does not have to be opened locally.

[picture2: the patch adding the channel-count check]

The picture above shows the patch for the vulnerability in DecodeAdpcmImaQT.

The patch is in the same file as the vulnerable function, but not in DecodeAdpcmImaQT itself: it is placed in the function that calls it. The patch simply checks that i_channels is not larger than the channel array created in DecodeAdpcmImaQT, and rejects the input before the decoding loop is ever reached. Note that the check has to happen before any per-channel state is written, because the first out-of-bounds write occurs on the very first iteration past channel[1].
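To make the two halves of the post concrete (the loop that writes per-channel state, and the channel-count check the patch adds in front of it), here is an added example. It is not VLC's code: it is a minimal QuickTime IMA4 frame decoder written for this page, shaped like the loop described above, with the bounds check in place. The names ima_channel_t, IMA4_MAX_CHANNELS, decode_ima4_frame, demo_decode and demo_sample, and the two-channel demo frame, are assumptions made for the illustration; the step and index tables are the standard IMA ADPCM ones.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not VLC's code: a minimal QuickTime IMA4 frame decoder with
 * the channel-count check that the CVE-2016-5108 patch introduced.  All
 * names and the demo frame below are assumptions made for this illustration. */

#define IMA4_MAX_CHANNELS      2   /* size of the fixed per-channel state array */
#define IMA4_BLOCK_BYTES       34  /* 2-byte header + 32 bytes of nibbles */
#define IMA4_SAMPLES_PER_BLOCK 64  /* two 4-bit samples per data byte */

typedef struct {
    int predictor;   /* last decoded sample, kept as int so clamping is safe */
    int step_index;  /* index into ima_step_table, 0..88 */
} ima_channel_t;

static const int16_t ima_step_table[89] = {
    7, 8, 9, 10, 11, 12, 13, 14, 16, 17, 19, 21, 23, 25, 28, 31, 34, 37, 41, 45,
    50, 55, 60, 66, 73, 80, 88, 97, 107, 118, 130, 143, 157, 173, 190, 209, 230,
    253, 279, 307, 337, 371, 408, 449, 494, 544, 598, 658, 724, 796, 876, 963,
    1060, 1166, 1282, 1411, 1552, 1707, 1878, 2066, 2272, 2499, 2749, 3024, 3327,
    3660, 4026, 4428, 4871, 5358, 5894, 6484, 7132, 7845, 8630, 9493, 10442,
    11487, 12635, 13899, 15289, 16818, 18500, 20350, 22385, 24623, 27086, 29794,
    32767
};
static const int ima_index_table[8] = { -1, -1, -1, -1, 2, 4, 6, 8 };

/* Standard IMA ADPCM step: turn one 4-bit nibble into a 16-bit PCM sample. */
static int16_t ima_expand_nibble(ima_channel_t *ch, int nibble)
{
    int step = ima_step_table[ch->step_index];
    int diff = step >> 3;
    if (nibble & 4) diff += step;
    if (nibble & 2) diff += step >> 1;
    if (nibble & 1) diff += step >> 2;
    ch->predictor += (nibble & 8) ? -diff : diff;
    if (ch->predictor > 32767) ch->predictor = 32767;
    if (ch->predictor < -32768) ch->predictor = -32768;
    ch->step_index += ima_index_table[nibble & 7];
    if (ch->step_index < 0) ch->step_index = 0;
    if (ch->step_index > 88) ch->step_index = 88;
    return (int16_t)ch->predictor;
}

/* Decode one frame: i_channels consecutive 34-byte blocks, one per channel,
 * into interleaved 16-bit PCM.  i_channels comes from the container header,
 * i.e. it is attacker-controlled.  Returns samples written, or -1 if rejected. */
int decode_ima4_frame(const uint8_t *in, size_t in_len, unsigned i_channels,
                      int16_t *out, size_t out_cap)
{
    ima_channel_t channel[IMA4_MAX_CHANNELS];

    /* The check the vulnerable code lacked: without it a file declaring three
     * or more channels makes the loop write channel[2], channel[3], ... past
     * the end of the two-element array. */
    if (i_channels == 0 || i_channels > IMA4_MAX_CHANNELS) return -1;
    if (in_len < (size_t)i_channels * IMA4_BLOCK_BYTES) return -1;
    if (out_cap < (size_t)i_channels * IMA4_SAMPLES_PER_BLOCK) return -1;

    for (unsigned ch = 0; ch < i_channels; ch++) {
        ima_channel_t *c = &channel[ch];
        const uint8_t *p = in + ch * IMA4_BLOCK_BYTES;
        /* Big-endian 16-bit header: top 9 bits signed predictor, low 7 bits
         * step index.  The step index also needs clamping to the table size. */
        int hdr = ((p[0] << 8) | p[1]) & 0xFF80;
        c->predictor  = hdr >= 0x8000 ? hdr - 0x10000 : hdr;
        c->step_index = p[1] & 0x7F;
        if (c->step_index > 88) c->step_index = 88;
        p += 2;
        int16_t *s = out + ch;
        for (int i = 0; i < IMA4_SAMPLES_PER_BLOCK; i += 2) {
            *s = ima_expand_nibble(c, *p & 0x0F); s += i_channels;  /* low nibble first */
            *s = ima_expand_nibble(c, *p >> 4);   s += i_channels;
            p++;
        }
    }
    return (int)(i_channels * IMA4_SAMPLES_PER_BLOCK);
}

/* Constructed two-channel demo frame: channel 0 starts at predictor 0, step
 * index 0, first nibble 7; channel 1 starts at predictor -32768, all-zero data. */
static const uint8_t demo_frame[2 * IMA4_BLOCK_BYTES] = {
    [0] = 0x00, [1] = 0x00, [2] = 0x07,
    [IMA4_BLOCK_BYTES] = 0x80, [IMA4_BLOCK_BYTES + 1] = 0x00,
};
static int16_t demo_out[IMA4_MAX_CHANNELS * IMA4_SAMPLES_PER_BLOCK];

/* Decode demo_frame while claiming i_channels channels, as a crafted file would. */
int demo_decode(unsigned i_channels)
{
    return decode_ima4_frame(demo_frame, sizeof demo_frame, i_channels,
                             demo_out, sizeof demo_out / sizeof demo_out[0]);
}
/* Interleaved output sample idx from the last demo_decode call. */
int demo_sample(size_t idx) { return demo_out[idx]; }

int main(void)
{
    printf("2 channels: %d samples, sample 0 = %d\n", demo_decode(2), demo_sample(0));
    printf("3 channels: %d (rejected before channel[] is written)\n", demo_decode(3));
    return 0;
}
```

The decoder accepts the honest two-channel frame and refuses the same bytes once the header claims three channels, which is exactly the case the original loop never guarded. The clamp on the 7-bit step index is a second input-derived bound in the same header; it is worth checking for the same reason, since an unclamped value of 89 or more indexes past the step table.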


Research Links:

https://wiki.multimedia.cx/index.php?title=IMA_ADPCM

http://seclists.org/oss-sec/2016/q2/421

http://www.videolan.org/security/sa1601.html

https://www.cvedetails.com/cve/CVE-2016-5108/
