Secunia

Multiple vulnerabilities have been reported in MPlayer, which can be exploited by malicious people to compromise a user's system.

1) An integer overflow in the "real_setup_and_get_header()" function when processing RTSP streams can be exploited to cause a heap-based buffer overflow by passing an extremely large "Content-Length" for a stream.

2) Boundary errors in some functions within the MMST streaming code can be exploited to cause stack-based buffer overflows via a specially crafted files.

3) A boundary error in the "demux_open_bmp()" function when parsing bitmaps can be exploited to cause a heap-based buffer overflow via a specially crafted bitmap image containing an overly large value in the "biClrUsed" field.

4) An unspecified boundary error within the PNM streaming code can be exploited to cause a heap-based buffer overflow.

5) An unspecified boundary error within mp3lib can be exploited to cause a buffer overflow.

The vulnerabilities have been reported in version 1.0pre5 and the CVS version. Prior versions may also be affected.

Solution
The vulnerabilities have been fixed in version 1.0pre5try2.
Further details available in Customer Area

Provided and/or discovered by
1-3) Discovered by anonymous person and reported via iDEFENSE.
2) Ariel Berkman
4+5) Reported by vendor.

Changelog
Further details available in Customer Area

Original Advisory
MPlayer:
http://mplayerhq.hu/pipermail/mplayer-announce/2004-December/000055.html

iDEFENSE:
http://www.idefense.com/application/poi/display?id=166&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=167&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=168&type=vulnerabilities

Ariel Berkman:
http://tigger.uic.edu/~jlongs2/holes/mplayer.txt

Deep Links
Links available in Customer Area