Back to list
XSA-2004-5: heap overflow in DVD subpicture decoder
Sep 06 2004 07:38PM
Michael Roitzsch (mroi users sourceforge net)
-----BEGIN PGP SIGNED MESSAGE-----
xine security announcement
A heap overflow has been found in the DVD subpicture decoder of xine-lib. This
can be used for a remote heap overflow exploit, which can, on some systems,
lead to or help in executing malicious code with the permissions of the user
running a xine-lib based media application.
When a xine-lib based media application is playing content including DVD
subpictures, the subtitle decoder converts the DVD subpictures, which are
essentially run-length encoded bitmaps, into xine-lib's own internal
subpicture format. The result of this conversion is written to a dynamically
allocated memory block on the heap. This memory block can overrun with
DVD subpictures are stored in two fields. The first containing the odd
numbered lines, the second containing the even numbered lines. Offsets in the
subpicture header indicate the beginning of each field in the RLE data. When
these two fields are now stored in an overlapping manor, so that the
beginning of the second field reuses RLE data from the end of the first, the
resulting xine overlay will use up more space than previously allocated,
because the allocation did not take this possibility into account.
Since DVD subpictures do not only occur on DVDs, but may also be used in
standalone MPEG files, an attacker can craft a malicious MPEG file containing
such a subpicture with overlapping fields. This can be used to overflow the
heap buffer, which can, with certain implementations of heap management, lead
to attacker chosen data written to the stack. By placing such a MPEG file on
the internet and tricking users to view it using network streaming, this is
This is very difficult to exploit, because multiple indirections are involved:
Firstly, the DVD subpicture data is expanded to xine-lib's internal
subpicture format before it is written to the heap. Secondly, the heap
overlow needs to alter heap management information in a way so that a return
adress on the stack is modified. Thirdly, this adress must lead to some
malicious code to be executed, which needs to be injected somehow.
Although the involved xine plugin is part of the standard xine installation,
we consider this problem to be only moderately severe, because of the
difficulty in exploiting it.
All 0.5 releases starting with and including 0.5.2.
All 0.9 releases.
All 1-alpha releases.
All 1-beta releases.
All 1-rc releases up to and including 1-rc5.
All releases older than 0.5.2.
1-rc6 or newer.
The enclosed patch which has been applied to xine-lib CVS fixes the problem
but should only be used by distributors who do not want to upgrade.
Otherwise, we strongly advise everyone to upgrade to the 1-rc6 release of
As a temporary workaround, you may delete the file "xineplug_decode_spu.so"
from the xine-lib plugin directory, losing the ability to decode DVD
subpictures with xine-lib.
For further information and in case of questions, please contact the xine
team. Our website is http://xinehq.de/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
-----END PGP SIGNATURE-----
[ reply ]
Copyright 2010, SecurityFocus