Multiple vulnerabilities have been reported in RealPlayer, which can be exploited by malicious people to compromise a user's system.

1) Missing input validation in the RealVideo rendering can be exploited to cause a heap-based buffer overflow as a value read from file is used to calculate a size argument used to copy memory into a fixed-size buffer.

2) Missing input validation in the RealVideo rendering can be exploited to cause a heap-based buffer overflow.

3) Missing input validation in the AAC codec can be exploited to cause a heap-based buffer overflow via a specially crafted RealMedia file.

4) Missing validation of the "block_size" value when parsing QCELP streams can be exploited to cause a heap-based buffer overflow as the value is not checked to be of a minimum size before usign it to allocate a buffer and then copying data based on a fixed size value.

5) An error when handling channel types within AAC files can be exploited to cause a buffer overflow.

6) An array-indexing error when parsing sample data within RV30 encoded files can be exploited to write data outside the bounds of an allocated buffer.

7) An error in the ATRC codec when parsing bit sizes from samples can be exploited to corrupt memory.

8) An error when processing certain sample sizes in audio specific data during decoding of RealAudio files can be exploited to corrupt memory.

9) A signedness error when parsing the height of a RV10 codec object can be exploited to corrupt memory when populating rows of sample data.

10) An error when parsing sample data within RV20 encoded files due to the use of an uninitialised value as an index can be exploited to corrupt memory.

11) A use-after-free error when handling certain errors during parsing of RTSP SETUP requests can be exploited to dereference already freed memory via a specially crafted request.

12) A use-after-free error when playing a video file containing a malformed codec name can be exploited to dereference already freed memory.

13) An error when parsing sample data within RV30 encoded files can be exploited to corrupt memory as a uninitialised value is used as an index when writing data.

14) A boundary error when decoding the audio-sample data from a media description header within the Cook codec can be exploited to corrupt memory.

15) An error when parsing MLTI chunks in IVR files can be exploited to cause a heap-based buffer overflow as one value is used to allocate a buffer whereas a different value is used to copy data.

16) An integer underflow error when handling the width within MPEG files can be exploited to corrupt memory.

17) A boundary error within the mp4arender.dll module when handling the channel count in the esds atom can be exploited to cause a heap-based buffer overflow.

18) An error in raac.dll when handling MP4 video dimensions can be exploited to cause a heap-based buffer overflow via a specially crafted sample size in the 'stsz' atom.

19) An integer overflow error in mp4fformat.dll when e.g. handling 'rdrf' chunks can be exploited to cause a heap-based buffer overflow via a specially crafted MP4 file.

20) An error exists when decoding an audio sample encoded with the ATRAC codec.

Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

The vulnerabilities are reported in the versions 14.0.7 and prior.

Solution
Upgrade to version 15.0.0.

Provided and/or discovered by
1) Omair via iDefense
2, 3, 10) Andrzej Dyjak via iDefense Labs
4) Damian Put via ZDI
5, 15-17) Luigi Auriemma via ZDi
6, 14) Damian Put via ZDI
7-10, 12, 13, 15) Damian Put via ZDI
10, 20) Andrzej Dyjak via ZDI
11, 18) Luigi Auriemma via ZDI
19) Alexander Gavrun via ZDI and Luigi Auriemma via ZDI

Changelog
Further details available to Secunia VIM customers

Original Advisory
RealPlayer:
http://service.real.com/realplayer/security/11182011_player/en/
http://service.real.com/realplayer/security/02062012_player/en/
http://service.real.com/realplayer/security/09072012_player/en/

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-331/
http://www.zerodayinitiative.com/advisories/ZDI-11-332/
http://www.zerodayinitiative.com/advisories/ZDI-11-333/
http://www.zerodayinitiative.com/advisories/ZDI-11-334/
http://www.zerodayinitiative.com/advisories/ZDI-11-335/
http://www.zerodayinitiative.com/advisories/ZDI-11-336/
http://www.zerodayinitiative.com/advisories/ZDI-11-337/
http://www.zerodayinitiative.com/advisories/ZDI-11-338/
http://www.zerodayinitiative.com/advisories/ZDI-11-343/
http://www.zerodayinitiative.com/advisories/ZDI-11-344/
http://www.zerodayinitiative.com/advisories/ZDI-12-046/
http://www.zerodayinitiative.com/advisories/ZDI-12-050/
http://www.zerodayinitiative.com/advisories/ZDI-12-051/
http://www.zerodayinitiative.com/advisories/ZDI-12-053/
http://www.zerodayinitiative.com/advisories/ZDI-12-085/
http://www.zerodayinitiative.com/advisories/ZDI-12-087/
http://www.zerodayinitiative.com/advisories/ZDI-12-092/

ZDI-12-195:
http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0212.html

iDefense:
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?loc=en_US&id=955
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?loc=en_US&id=956
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?loc=en_US&id=957

Deep Links
Links available to Secunia VIM customers