RealNetworks RealPlayer RV10 Sample Height Parsing Remote Code Execution Vulnerability

2011-11-28T00:00:00
ID ZDI-11-335
Type zdi
Reporter Damian Put
Modified 2011-11-09T00:00:00

Description

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of RealNetworks Real Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists when the application attempts to parse a height out of the RV10 codec object. The application will incorrectly treat the value as a signed integer and will its value as the count within a loop that populates rows of sample data within a buffer. This can allow for memory corruption which can lead to code execution under the context of the application.