Recently, two significant vulnerabilities related to memory corruption have been uncovered in the popular VLC media player.
These vulnerabilities were found in VLC's support for the Microsoft Media Server (MMS) protocol, which has two implementations in VLC: MMS over TCP (MMST) and MMS over HTTP (MMSH). These vulnerabilities could potentially create security breaches and cause harm to users.
The GetPacket function that is responsible for receiving packets was found to contain two significant vulnerabilities – Heap Overflow and Integer Underflow.
Although the vulnerabilities have been identified, the CVEs for these issues are still pending assignment. It is crucial to address these vulnerabilities promptly to ensure the security of the system.
Packet Receiving Format
| 2 bytes | 2 bytes | 4 bytes    | 2 bytes   | 2 bytes | n bytes |
| i_type  | i_size  | i_sequence | i_unknown | i_size2 | data    |
GetPacket – Heap overflow
According to the report, VLC receives each packet in three reads. The first reads 4 bytes: i_type and i_size, where i_size describes the size of the next read. The second reads the remaining 8 bytes of the header: i_sequence, i_unknown, and i_size2. The third reads the data.
However, when calculating the size of the data read, the code reduces it by only 8 bytes instead of 12 bytes, resulting in a buffer overflow.
GetPacket – Integer underflow
As mentioned, the data size is calculated by subtracting 8 bytes. Additionally, i_size2 is controlled by the user, which could result in an underflow. According to the definitions, the data type of i_size2 is uint16_t.
As the disassembly of the relevant function shows, the uint16 value is copied into an int and 8 is subtracted from it, which produces an int underflow.
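The size arithmetic behind both GetPacket issues, as an added C example that is not VLC's code or code from the report: it places the unchecked calculation beside a bounds-checked one. The 65536-byte buffer, the little-endian field order, a single buffer holding header and data, and all helper names are assumptions of this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN  12u     /* 2+2+4+2+2 bytes, from the format table */
#define BUF_SIZE 65536u  /* assumed receive-buffer size (not given on the page) */

/* 16-bit little-endian read; the byte order is an assumption of this sketch. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* The arithmetic as described: uint16_t widened to int, then minus 8.
 * Nothing bounds the result, so it can be negative or exceed the buffer. */
static int data_len_unchecked(const uint8_t *hdr)
{
    int i_size2 = rd16(hdr + 10);   /* i_size2 sits at offset 2+2+4+2 */
    return i_size2 - 8;
}

/* Hardened form: reject i_size2 < 8 before subtracting, then confirm that
 * the 12-byte header plus data fit. Returns 0 and sets *out, or -1. */
static int data_len_checked(const uint8_t *hdr, size_t buf_size, size_t *out)
{
    size_t i_size2 = rd16(hdr + 10);
    if (i_size2 < 8 || buf_size < HDR_LEN || i_size2 - 8 > buf_size - HDR_LEN)
        return -1;
    *out = i_size2 - 8;
    return 0;
}

/* Build a constructed header with only i_size2 set. */
static void make_hdr(uint8_t hdr[HDR_LEN], uint16_t i_size2)
{
    memset(hdr, 0, HDR_LEN);
    hdr[10] = (uint8_t)(i_size2 & 0xff);
    hdr[11] = (uint8_t)(i_size2 >> 8);
}

int main(void)
{
    const uint16_t samples[] = { 4, 256, 0xffff };  /* constructed values */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint8_t hdr[HDR_LEN];
        size_t len = 0;
        make_hdr(hdr, samples[i]);
        int ok = data_len_checked(hdr, BUF_SIZE, &len);
        printf("i_size2=%5u unchecked=%6d checked=%s\n", (unsigned)samples[i],
               data_len_unchecked(hdr), ok == 0 ? "accept" : "reject");
    }
    return 0;
}
```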
A complete report about these vulnerabilities has been published on GitHub, providing detailed information about the source code, method of exploitation, and other additional information.
Users of VLC are recommended to upgrade to version 3.0.20 to fix these vulnerabilities and prevent them from getting exploited by threat actors.