Description: Some vulnerabilities have been reported in MPlayer, which can be exploited by malicious people to compromise a user's system.
1) A boundary error exists within the libmpdemux/demux_audio.c file when parsing FLAC comments. This can be exploited to corrupt memory via a specially crafted FLAC file.
2) An array indexing error exists within the libmpdemux/demux_mov.c file when parsing MOV file headers. This can be exploited to corrupt heap memory via a specially crafted MOV file.
3) A boundary error exists within the "url_scape_string()" function in stream/url.c. This can be exploited to cause a buffer overflow via a specially crafted URL.
4) A boundary error exists within the "cddb_parse_matches_list()" and "cddb_query_parse()" functions in stream/stream_cddb.c. This can be exploited to cause a stack-based buffer overflow via an overly long album title received from a CDDB server.
Successful exploitation allows execution of arbitrary code.
The vulnerabilities are reported in version 1.0rc2. Prior versions may also be affected.
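As an added illustration of the bug class behind items 1 and 4 (a length or string taken from untrusted input and used without checking it against the buffer that is actually available), the following is constructed example C code written for this page; it is not MPlayer code and not the functions named above. It assumes a FLAC/Vorbis-style comment field layout (a 32-bit little-endian length followed by that many bytes) and shows the two checks such a parser needs: the declared length must fit within the input bytes present, and the field plus its NUL terminator must fit in the destination. A second helper bounds the copy of an untrusted NUL-terminated string, such as an album title returned by a network service, into a fixed-size buffer instead of overflowing it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not MPlayer code: bounds-checked handling of
 * untrusted length fields and strings. */

/* Read a 32-bit little-endian unsigned integer byte by byte (no alignment
 * or endianness assumptions about the host). */
static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Copy one length-prefixed field from buf[0..len) into out, NUL-terminated.
 * Returns the number of input bytes consumed (4 + field length), or -1 on
 * malformed input. The declared length is never trusted: it is checked
 * against the bytes actually present and against the destination size. An
 * unchecked memcpy of the declared length is exactly the boundary error
 * described for item 1. */
int read_comment_field(const unsigned char *buf, size_t len,
                       char *out, size_t out_size)
{
    if (buf == NULL || out == NULL || out_size == 0 || len < 4)
        return -1;
    uint32_t field_len = read_le32(buf);
    /* Declared length must fit in what remains after the 4-byte header. */
    if (field_len > len - 4)
        return -1;
    /* Destination must hold the field plus the terminating NUL. */
    if (field_len >= out_size)
        return -1;
    memcpy(out, buf + 4, field_len);
    out[field_len] = '\0';
    return (int)(4 + field_len);
}

/* Copy an untrusted NUL-terminated string (e.g. a title received from a
 * server) into a fixed-size buffer, truncating rather than overflowing.
 * Returns 1 if the value was truncated, 0 if it was copied whole, -1 on
 * bad arguments. A plain strcpy here is the stack overflow of item 4. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    size_t n = strlen(src);
    int truncated = 0;
    if (n >= dst_size) {
        n = dst_size - 1;
        truncated = 1;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return truncated;
}

int main(void)
{
    /* Constructed sample input: a well-formed field "title=abc" (length 9). */
    unsigned char good[] = { 9, 0, 0, 0, 't', 'i', 't', 'l', 'e', '=', 'a', 'b', 'c' };
    /* Constructed malformed input: declared length 0xFFFFFFFF, 1 byte present. */
    unsigned char bad[] = { 0xff, 0xff, 0xff, 0xff, 'x' };
    char out[32];
    char title[16];

    printf("good field: consumed=%d value=\"%s\"\n",
           read_comment_field(good, sizeof good, out, sizeof out), out);
    printf("bad field: result=%d (rejected)\n",
           read_comment_field(bad, sizeof bad, out, sizeof out));
    printf("title: truncated=%d value=\"%s\"\n",
           copy_bounded(title, sizeof title, "An Album Title Longer Than The Buffer"),
           title);
    return 0;
}
```

Both helpers report rejection or truncation to the caller rather than silently continuing, so a demuxer or protocol client built on them can log the malformed input and stop processing the file or response.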
Provided and/or discovered by:
1) Damian Frizza and Alfredo Ortega, Core Security Technologies.
2) Felipe Manzano and Anibal Sacco, Core Security Technologies.
3, 4) Adam Bozanich, Mu Security.
Changelog:
2008-02-06: Added vulnerability #4 to the advisory. Updated "Solution" section.
2008-02-07: Added CVE reference.
2008-02-18: Added link to Mu Security.