siberas GmbH is a consulting company specializing in security analyses and penetration tests, providing competent, vendor-independent advice on IT security.
RealNetworks RealPlayer FLV Parsing Multiple Integer Overflow Vulnerabilities
Reference ID: SSA-1008
Affected product / versions: RealNetworks RealPlayer <= 12.0.0.301
This advisory comprises two heap overflow vulnerabilities in RealPlayer when parsing maliciously crafted .flv files. While parsing user-controlled input data of types HX_FLV_META_AMF_TYPE_MIXEDARRAY and HX_FLV_META_AMF_TYPE_ARRAY, the function ParseKnownType trusts a user-controlled DWORD value as the size for the allocation of a structure array. Since the structure is of size 0x23, any value >= 0x7507508 makes the 32-bit size computation wrap, which causes the allocation of a small-sized buffer (0x23 * 0x7507508 == 0x18 on 32-bit systems) and leads to a heap overflow right afterwards.
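The size arithmetic described above, next to an overflow-checked form, as an added example that is not RealPlayer code. The function names and the `bytes_remaining` bound are hypothetical; only the structure size 0x23 and the value 0x7507508 come from the advisory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define ENTRY_SIZE 0x23u   /* structure size stated in the advisory */

/* Unchecked form: the product is truncated to 32 bits, as a size
 * computation on a 32-bit system would be. */
uint32_t alloc_size_unchecked(uint32_t count) {
    return (uint32_t)((uint64_t)ENTRY_SIZE * count);
}

/* Checked form: returns 0 and stores the size, or -1 if the product
 * would not fit in 32 bits. */
int alloc_size_checked(uint32_t count, uint32_t *out) {
    if (count > UINT32_MAX / ENTRY_SIZE)
        return -1;
    *out = ENTRY_SIZE * count;
    return 0;
}

/* Hypothetical parser helper: allocate the array only if the size fits
 * and the count is plausible for the input left to parse. Assumption:
 * every array element occupies at least one byte of the file. */
void *alloc_entries(uint32_t count, size_t bytes_remaining) {
    uint32_t size;
    if (alloc_size_checked(count, &size) != 0)
        return NULL;
    if (count > bytes_remaining)
        return NULL;
    return calloc(count, ENTRY_SIZE);   /* calloc also checks the product */
}

int main(void) {
    uint32_t count = 0x7507508u;        /* value from the advisory */
    uint32_t size = 0;
    printf("unchecked: 0x23 * 0x%x -> 0x%x bytes\n",
           (unsigned)count, (unsigned)alloc_size_unchecked(count));
    printf("checked:   %s\n",
           alloc_size_checked(count, &size) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The second check in `alloc_entries` matters on its own: a count just below the overflow threshold passes the multiplication check but still asks for almost 4 GiB, far more than any real file could describe.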
References:
ZDI-10-167
Patch on RealNetworks homepage