VLC Player TY Buffer Overflow

December 5, 2008

The VLC Media Player is an open source, multiplatform multimedia player. The player is capable of processing multiple audio and video formats such as MPEG, MP3, and Wave as well as streaming media. Among the supported file formats is the TiVo TY file format. The TiVo TY file format specification is proprietary and as such, not available publicly. This file format is known to consist of a generic header and media specific chunks which contain data. The header of TY files can be represented as follows:

 Offset Size Value/Description ------ --   ----------- 0x0000 4    0xF5467ABD 0x0004 4    0x00000002 0x0008 4    0x00020000 0x000C 4    ? 0x0010 4    ? 0x0014 4    bitmask size [...]

A stack buffer overflow vulnerability has been found in the VLC Media Player. The vulnerability occurs when processing TY media files. The vulnerable code does not properly validate the value at offset 0x0014 in the file header. This value is read from the file, incremented by 8 and used as a counter in a memory copy operation without any bounds checks. The destination to which file data is copied is a 32 byte stack buffer. Thus, a value larger than 32 will cause the copy operation to overrun the stack buffer. This will lead to critical data being overwritten and may consequently change the flow of execution.

This vulnerability, when exploited by enticing a user to open a malicious TV file, may result in process flow diversion. Exploits targeting this vulnerability are publicly available. SonicWALL has developed an IPS signature which will detect and block generic attack attempts. The following signature addresses this issue:

  • 1265 - VideoLAN VLC Media Player TY Processing BO Attempt