siberas GmbH is a consulting company specializing in security analyses and penetration tests, advising you competently and independently of vendors on IT security.


RealNetworks RealPlayer FLV Parsing Multiple Integer Overflow Vulnerabilities

Reference ID: SSA-1008
Publication date: 25.08.2010
Severity: high
Discovered by: Sebastian Apelt

Affected product / versions: RealNetworks RealPlayer <=

This advisory comprises two Heap Overflow vulnerabilities in RealPlayer when parsing maliciously crafted .flv files. While parsing user-controlled input data of types HX_FLV_META_AMF_TYPE_MIXEDARRAY and HX_FLV_META_AMF_TYPE_ARRAY, the function ParseKnownType trusts a user-controlled DWORD value as the size for the allocation of a structure array. Since the structure is of size 0x23, any value >= 0x7507508 will cause the allocation of a small-sized buffer (0x23 * 0x7507508 == 0x18 on 32-bit systems) and leads to a Heap Overflow right afterwards.
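The size calculation described above, as an added example (not RealPlayer's code and not part of the original advisory): the unchecked 32-bit multiply beside a checked form. Only the element size 0x23 and the value 0x7507508 come from the advisory; the function names and the cap on the count by remaining input bytes are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define ENTRY_SIZE 0x23u  /* per-element structure size stated in the advisory */

/* Size computation as the advisory describes it: a 32-bit multiply
 * with no overflow check, so the product wraps modulo 2^32. */
static uint32_t alloc_size_unchecked(uint32_t count)
{
    return (uint32_t)(count * ENTRY_SIZE);
}

/* Hardened form: reject any count whose product does not fit in 32 bits.
 * Returns 0 and stores the size on success, -1 on rejection. */
static int alloc_size_checked(uint32_t count, uint32_t *size_out)
{
    if (count > UINT32_MAX / ENTRY_SIZE)
        return -1;
    *size_out = count * ENTRY_SIZE;
    return 0;
}

/* Hypothetical allocation wrapper: also caps the count by the bytes left in
 * the input (assumption: every element occupies at least one input byte). */
static void *alloc_entries(uint32_t count, size_t bytes_remaining)
{
    uint32_t size;
    if (count > bytes_remaining || alloc_size_checked(count, &size) != 0)
        return NULL;
    return calloc(count, ENTRY_SIZE);
}

int main(void)
{
    uint32_t size = 0;
    printf("unchecked(0x7507508) = 0x%x\n",
           (unsigned)alloc_size_unchecked(0x7507508u));
    printf("checked(0x7507508)   = %d\n",
           alloc_size_checked(0x7507508u, &size));
    printf("checked(0x7507507)   = %d, size 0x%x\n",
           alloc_size_checked(0x7507507u, &size), (unsigned)size);
    return 0;
}
```

0x7507508 is the smallest count for which the product exceeds 32 bits, which is why the check compares against `UINT32_MAX / ENTRY_SIZE` (0x7507507) before multiplying.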

Patch on Realnetworks homepage