mplayer -- multiple vulnerabilities

2008-02-05T00:00:00
ID DE4D4110-EBCE-11DC-AE14-0016179B2DD5
Type freebsd
Reporter FreeBSD
Modified 2008-02-05T00:00:00

Description

The Mplayer team reports:

A buffer overflow was found in the code used to extract album titles from CDDB server answers. When parsing answers from the CDDB server, the album title is copied into a fixed-size buffer with insufficient size checks, which may cause a buffer overflow. A malicious database entry could trigger a buffer overflow in the program. That can lead to arbitrary code execution with the UID of the user running MPlayer. A buffer overflow was found in the code used to escape URL strings. The code used to skip over IPv6 addresses can be tricked into leaving a pointer to a temporary buffer with a non-NULL value; this causes the unescape code to reuse the buffer, and may lead to a buffer overflow if the old buffer is smaller than required. A malicious URL string may be used to trigger a buffer overflow in the program, that can lead to arbitrary code execution with the UID of the user running MPlayer. A buffer overflow was found in the code used to parse MOV file headers. The code read some values from the file and used them as indexes into as array allocated on the heap without performing any boundary check. A malicious file may be used to trigger a buffer overflow in the program. That can lead to arbitrary code execution with the UID of the user running MPlayer.