Multiple vulnerabilities have been reported in RealPlayer, which can be exploited by malicious people to compromise a user's system.

1) An integer overflow error in the parsing of QCP files can be exploited to cause a heap-based buffer overflow via a specially crafted file.

2) An error in the processing of dimensions in the YUV420 transformation of content can be exploited to corrupt memory via a specially crafted file.

3) A boundary error in the parsing of QCP audio content can be exploited to cause a heap-based buffer via specially crafted files containing certain overly large size values.

4) Two integer overflow errors in the "ParseKnownType()" function when handling the "HX_FLV_META_AMF_TYPE_MIXEDARRAY" and "HX_FLV_META_AMF_TYPE_ARRAY" data types can be exploited to corrupt memory via specially crafted FLV files.

5) An error in RealPlayer when handling multiple ActiveX IE Plugin instantiations can be exploited to execute arbitrary code.

6) Missing input validation when decoding QCP audio sample packets can be exploited to cause a heap-based buffer overflow.

7) An error in the RealPlayer G2 ActiveX control (rmoc3260.dll) due to incorrectly loading the "mmcdda32.dll" library when processing a CDDA URI may result in an uninitialised function pointer being called.

Successful exploitation of this vulnerability allows execution of arbitrary code.

8) An error in rjrmrpln.dll when allocating and later copying data into a heap buffer while parsing RJMDSections can be exploited to cause a heap-based buffer overflow.

9) An error in the RealPlayer ActiveX control when parsing URIs for certain protocol handlers can be exploited to cause a heap-based buffer overflow via an overly long URI with a ".smil" file extension.

10) An error in the RichFX component can be exploited to cause a stack-based buffer overflow.

11) Insufficient input validation in the RealPlayer browser plugins when handling the "RecordClip()" method can be exploited to download and execute a file by injecting a special character into the arguments of the method.

Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

The vulnerabilities are reported in version 1.1.4 and prior.

Solution
Update to version 1.1.5.

Provided and/or discovered by
1) Alin Rad Pop, Secunia Research.
2, 3, 6) Carsten Eiram, Secunia Research.
4, 8) Sebastian Apelt via ZDI.
5, 10) Steve Manzuik, Microsoft Vulnerability Research (MSVR).
7) CHkr_D591 via ZDI.
9) An anonymous person via ZDI.
11) Sean de Regge via ZDI.

Additional information about vulnerability #7 provided by Secunia Research.

Changelog
Further details available in Customer Area

Original Advisory
Secunia Research:
http://secunia.com/secunia_research/2010-3/
http://secunia.com/secunia_research/2010-5/
http://secunia.com/secunia_research/2010-8/
http://secunia.com/secunia_research/2010-13/

RealNetworks:
http://service.real.com/realplayer/security/10152010_player/en/
http://service.real.com/realplayer/security/08262010_player/en/
http://realnetworksblog.com/?p=1918

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-167/
http://www.zerodayinitiative.com/advisories/ZDI-10-210/
http://www.zerodayinitiative.com/advisories/ZDI-10-211/
http://www.zerodayinitiative.com/advisories/ZDI-10-212/
http://www.zerodayinitiative.com/advisories/ZDI-10-213/

Microsoft Vulnerability Research:
http://www.microsoft.com/technet/security/advisory/msvr11-003.mspx
http://www.microsoft.com/technet/security/advisory/msvr11-004.mspx

Technical Analysis
Further details available in Customer Area

Alternate/detailed remediation
Further details available in Customer Area

Deep Links
Links available in Customer Area