Apple QuickTime FlashPix Buffer Overflow
The QuickTime multimedia player supports a wide range of media formats. It is capable of parsing and displaying images as well as audio and video files. One of the image file formats supported by QuickTime is FlashPix.
The FlashPix format stores image data in multiple resolutions, which makes for a larger file size but speeds up serving different resolutions of the image on demand. This comes particularly in handy when the image is requested by a web browser: serving a lower resolution of an image when that is all that is needed decreases download time.
Space within a FlashPix file is divided into sectors with a default size of 512 bytes. There are numerous types of sectors, each of which serves its own purpose, such as the Directory, DIF, and Storage types. The header of the FlashPix file is also a separate type of sector, and it is always 512 bytes in size.
The structure of the FlashPix header is shown below:
Offset  Size  Description
------  ----  ------------------------------------------------------------
0x0000  8     0xd0cf11e0a1b11ae1 OR 0x0e11fc0dd0cf11e0
0x0008  16    class ID
0x0018  2     minor version
0x001a  2     major version
0x001c  2     byte order
0x001e  2     size of sectors in ^2
0x0020  2     size of mini-sectors in ^2
0x0022  2     reserved
0x0024  4     reserved
0x0028  4     reserved
0x002c  4     number of SECTs in the FAT chain
0x0030  4     first SECT in the FAT Directory chain
A buffer overflow vulnerability exists in the Apple QuickTime media player. The vulnerability is due to an integer overflow during the processing of malformed FlashPix files. The vulnerable code in QuickTimeImage.qtx does not properly validate the result of a multiplication operation involving two fields taken directly from the header of the FlashPix file. The product of these field values is then used without validation to allocate a heap memory buffer. In cases where the multiplication operation results in zero or a very small value, the buffer allocated is too small to hold the data copied into it during subsequent processing.
The data copied into that buffer is sourced from the image file, which is entirely under the attacker's control. Exploitation of this flaw can result in injection of malicious code into the QuickTime application process and its eventual execution. Attackers can exploit this vulnerability by persuading a target user to open a malicious FlashPix image file with a vulnerable product.
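The following C example, added here and not taken from QuickTime or from this advisory, illustrates the class of defect described above: an allocation size computed as the product of two header-controlled values, with no check that the product wrapped. The advisory does not name the two fields involved, so the example uses the sector size (2 raised to the value at offset 0x001e) and the number of SECTs in the FAT chain (offset 0x002c) from the header layout above as a stand-in pair; that pairing, the little-endian field encoding, and the sane-range bound on the sector-size exponent are assumptions for the example, not details from the page. The unchecked routine shows how a crafted header drives the computed size to zero; the checked routine shows the validation a parser should perform before allocating.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Field offsets from the 512-byte header layout shown in the advisory. */
#define HDR_SIZE          512
#define OFF_SIGNATURE     0x0000
#define OFF_SECTOR_SHIFT  0x001e   /* size of sectors, as a power of two */
#define OFF_NUM_FAT_SECTS 0x002c   /* number of SECTs in the FAT chain */

/* Both magic values listed in the header table, as raw bytes. */
static const uint8_t SIG_A[8] = {0xd0,0xcf,0x11,0xe0,0xa1,0xb1,0x1a,0xe1};
static const uint8_t SIG_B[8] = {0x0e,0x11,0xfc,0x0d,0xd0,0xcf,0x11,0xe0};

/* Little-endian readers (assumption: fields are stored little-endian). */
static uint16_t rd16(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern (hypothetical, modelled on the advisory's description):
 * the product of two header fields is used as the buffer size with no check
 * that the 32-bit multiplication wrapped. sector_shift is clamped here only
 * to keep the demonstration itself free of undefined behaviour. */
size_t fat_alloc_size_unchecked(const uint8_t *hdr) {
    uint32_t shift = rd16(hdr + OFF_SECTOR_SHIFT) & 31u;
    uint32_t sector_size = 1u << shift;
    uint32_t n_sects = rd32(hdr + OFF_NUM_FAT_SECTS);
    return (size_t)(sector_size * n_sects);   /* can wrap to 0 or a tiny value */
}

/* Hardened version: validate the magic, bound the exponent, reject a zero
 * count, and refuse any product that would not fit in 32 bits.
 * Returns 0 on success and a negative code describing the rejected field. */
int fat_alloc_size_checked(const uint8_t *hdr, size_t *out) {
    if (memcmp(hdr + OFF_SIGNATURE, SIG_A, 8) != 0 &&
        memcmp(hdr + OFF_SIGNATURE, SIG_B, 8) != 0)
        return -1;                              /* not a recognised header */
    uint16_t shift = rd16(hdr + OFF_SECTOR_SHIFT);
    if (shift < 7 || shift > 20)
        return -2;                              /* assumed sane range: 128 B .. 1 MiB */
    uint32_t sector_size = 1u << shift;
    uint32_t n_sects = rd32(hdr + OFF_NUM_FAT_SECTS);
    if (n_sects == 0)
        return -3;                              /* nothing to allocate for */
    if (n_sects > UINT32_MAX / sector_size)
        return -4;                              /* product would overflow */
    *out = (size_t)sector_size * n_sects;
    return 0;
}

/* Builds a constructed 512-byte header carrying the two fields of interest. */
void make_header(uint8_t *hdr, uint16_t sector_shift, uint32_t n_fat_sects) {
    memset(hdr, 0, HDR_SIZE);
    memcpy(hdr + OFF_SIGNATURE, SIG_A, 8);
    hdr[OFF_SECTOR_SHIFT]     = (uint8_t)(sector_shift & 0xff);
    hdr[OFF_SECTOR_SHIFT + 1] = (uint8_t)(sector_shift >> 8);
    for (int i = 0; i < 4; i++)
        hdr[OFF_NUM_FAT_SECTS + i] = (uint8_t)(n_fat_sects >> (8 * i));
}

int main(void) {
    uint8_t hdr[HDR_SIZE];
    size_t sz = 0;

    /* Constructed hostile header: 512-byte sectors * 0x800000 SECTs = 2^32, wraps to 0. */
    make_header(hdr, 9, 0x00800000u);
    printf("unchecked size: %zu\n", fat_alloc_size_unchecked(hdr));
    printf("checked rc:     %d\n", fat_alloc_size_checked(hdr, &sz));

    /* Constructed benign header: 512-byte sectors * 4 SECTs = 2048 bytes. */
    make_header(hdr, 9, 4);
    printf("checked rc:     %d, size %zu\n", fat_alloc_size_checked(hdr, &sz), sz);
    return 0;
}
```

The benign and hostile headers differ only in the SECT count, which is the point: a parser that trusts the product sees a zero-byte allocation for the hostile file and then copies sector data into it, whereas the checked routine rejects the file before any buffer exists.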
SonicWALL has released an IPS signature that detects and blocks a specific attack attempt targeting this vulnerability. The following signature addresses this issue:
- 4418 - Apple QuickTime FlashPix File BO Attempt
This vulnerability has been assigned CVE-2009-2798 by Mitre.