XINE format string bugs when handling non existen file Apr 29 2006 05:52AM
king_purba yahoo co uk
Author : KaDaL-X

email : king_purba (at) (dot) uk [email concealed]

website :

Software tested

Version : 0.99.4

Vendor :

Proof Of Concept :

Type in your unix console something like this :

kandangjamur$xine %p-%p.mp3

Then, there are two error alert box causing by this command :

1. There is no input pluggin available to handle

2. The specified file or mrl Plese check it twice (0x811ac8e-0xbe1fdabc.mp3) <-- format string error

Vulnerable code :

In src/xitk/main.c

/* (file name or mrl) */


snprintf(buffer, sizeof(buffer), "%s", _("The specified file or mrl is not found. Please check it twic



sprintf(buffer, "%s (%s)", buffer, (char *) data + data->parameters);


The vulnerable variable is (char *) data + data->parameters, but i don't analyze this code to make clear

this problem (sorry). By giving comment in sprintf() function can be used to fix this issue,

but many format string issue may be happen on file main.c causing by (char *) data + data->parameters

