AFI Security Research has discovered two vulnerabilities in mplayer, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.
Integer overflow errors exist in the "new_demux_packet()" function in "libmpdemux/demuxer.h" and the "demux_asf_read_packet()" function in "libmpdemux/demux_asf.c" when allocating memory to copy data from an ".asf" file. This can be exploited to cause heap-based buffer overflows via a specially crafted ".asf" file with an overly large value in the packet length field.
The vulnerabilities have been confirmed in version 1.0pre7try2. Other versions may also be affected.
Do not open untrusted ".asf" files.
Waiting for upstream patch...
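The class of bug described in the report above, shown as an added example that is not MPlayer's code or its patch: unchecked 32-bit arithmetic on an untrusted length next to a reader that validates the length before allocating. The function names, the 4-byte little-endian record layout, the padding size and the length cap are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PKT_PADDING 8u                      /* assumed padding, not MPlayer's value */
#define PKT_MAX_LEN (16u * 1024u * 1024u)   /* assumed sanity cap on one packet */

typedef struct { uint32_t len; unsigned char *buf; } packet;

/* The flawed pattern: 32-bit addition on an untrusted length wraps around,
 * so a huge declared length yields a tiny allocation size. */
uint32_t alloc_size_unchecked(uint32_t len) { return len + PKT_PADDING; }

/* Hardened reader for a constructed record: 4-byte little-endian length
 * followed by payload. Returns NULL when the declared length is over the cap
 * or exceeds the bytes actually present in the input. */
packet *read_packet_checked(const unsigned char *in, size_t avail) {
    if (avail < 4) return NULL;
    uint32_t len = (uint32_t)in[0] | (uint32_t)in[1] << 8 |
                   (uint32_t)in[2] << 16 | (uint32_t)in[3] << 24;
    if (len > PKT_MAX_LEN || len > avail - 4) return NULL; /* check before arithmetic */
    packet *p = malloc(sizeof *p);
    if (!p) return NULL;
    p->buf = malloc((size_t)len + PKT_PADDING);  /* cannot wrap: len <= PKT_MAX_LEN */
    if (!p->buf) { free(p); return NULL; }
    memcpy(p->buf, in + 4, len);
    memset(p->buf + len, 0, PKT_PADDING);        /* zero the padding bytes */
    p->len = len;
    return p;
}

void free_packet(packet *p) { if (p) { free(p->buf); free(p); } }

int main(void) {
    /* Constructed inputs: one well-formed record, one with an oversized length. */
    const unsigned char good[] = { 3, 0, 0, 0, 'a', 'b', 'c' };
    const unsigned char bad[]  = { 0xfc, 0xff, 0xff, 0xff, 'a', 'b', 'c' };
    printf("unchecked size for 0xfffffffc: %u\n",
           (unsigned)alloc_size_unchecked(0xfffffffcu));
    packet *p = read_packet_checked(good, sizeof good);
    printf("good record: %s\n", p ? "accepted" : "rejected");
    free_packet(p);
    printf("bad record: %s\n",
           read_packet_checked(bad, sizeof bad) ? "accepted" : "rejected");
    return 0;
}
```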
Please avoid saying ".asf"; it sounds like you mean the extension, but what matters here is that it is the ASF file format - nobody cares about the extension.
And maybe this: http://www1.mplayerhq.hu/cgi-bin/cvsweb.cgi/main/libmpdemux/demuxer.h.diff?r1=1.87&r2=1.88
already fixes it.
Should be bundled with bug 115760
This would be the current version of that patch:
Just to make clear: I did _not_ check demux_asf.c for (further) problems.
Stable handling on bug 115760
Common GLSA with bug 115760