RealNetworks RealPlayer RV10 Sample Height Parsing Remote Code Execution Vulnerability

ID ZDI-11-335
Type zdi
Reporter Damian Put
Modified 2011-11-09T00:00:00


This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of RealNetworks Real Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists when the application attempts to parse a height out of the RV10 codec object. The application will incorrectly treat the value as a signed integer and will its value as the count within a loop that populates rows of sample data within a buffer. This can allow for memory corruption which can lead to code execution under the context of the application.