Secunia

Some vulnerabilities have been reported in MPlayer, which can be exploited by malicious people to compromise a user's system.

1) A boundary error exists within the libmpdemux/demux_audio.c file when parsing FLAC comments. This can be exploited to corrupt memory via a specially crafted FLAC file.

2) An array indexing error exists within the libmpdemux/demux_mov.c file when parsing MOV file headers. This can be exploited to corrupt heap memory via a specially crafted MOV file.

3) A boundary error exists within the "url_scape_string()" function in stream/url.c. This can be exploited to cause a buffer overflow via a specially crafted URL.

4) A boundary error exists within the "cddb_parse_matches_list()" and "cddb_query_parse()" functions in stream/stream_cddb.c. This can be exploited to cause a stack-based buffer overflow via an overly long album title received from a CDDB server.

Successful exploitation allows execution of arbitrary code.

The vulnerabilities are reported in version 1.0rc2. Prior versions may also be affected.

Solution
Apply vendor patches.
Further details available in Customer Area

Provided and/or discovered by
1) Damian Frizza and Alfredo Ortega, Core Security Technologies
2) Felipe Manzano and Anibal Sacco, Core Security Technologies
3, 4) Adam Bozanich, Mu Security.

Changelog
Further details available in Customer Area

Original Advisory
MPlayer:
http://www.mplayerhq.hu/design7/news.html

Core Security Technologies:
http://lists.grok.org.uk/pipermail/full-disclosure/2008-February/060032.html
http://lists.grok.org.uk/pipermail/full-disclosure/2008-February/060033.html

Mu Security:
http://labs.musecurity.com/2008/02/14/multiple-remote-arbitrary-execution-vulnerabilities-in-mplayer/

Deep Links
Links available in Customer Area