Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 168917 - media-video/mplayer DMO buffer overflow (CVE-2007-1246)
Summary: media-video/mplayer DMO buffer overflow (CVE-2007-1246)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa] jaervosz
Depends on:
Reported: 2007-03-01 18:10 UTC by Executioner
Modified: 2007-05-30 19:44 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Executioner 2007-03-01 18:10:43 UTC
There's an exploitable buffer overflow in the current version of
MPlayer (v1.0rc1) which can be exploited with a maliciously crafted
video file. It's hidden in the function DMO_VideoDecoder() in the
file loader/dmo/DMO_VideoDecoder.c. The variable format->biSize gets
its value directly from the video file, and thus can have any value
up to LONG_MAX. In line 136 it is used without any further checks as
the length argument to the memcpy() call, which can overflow the
this->m_sVhdr->bmiHeader buffer with data directly from the video file.

117 unsigned int bihs;
119 bihs = (format->biSize < (int) sizeof(BITMAPINFOHEADER)) ?
120 sizeof(BITMAPINFOHEADER) : format->biSize;
122 this->iv.m_bh = malloc(bihs);
123 memcpy(this->iv.m_bh, format, bihs);
125 this->iv.m_State = STOP;
126 //this->iv.m_pFrame = 0;
127 this->iv.m_Mode = DIRECT;
128 this->iv.m_iDecpos = 0;
129 this->iv.m_iPlaypos = -1;
130 this->iv.m_fQuality = 0.0f;
131 this->iv.m_bCapable16b = true;
133 bihs += sizeof(VIDEOINFOHEADER) - sizeof(BITMAPINFOHEADER);
134 this->m_sVhdr = malloc(bihs);
135 memset(this->m_sVhdr, 0, bihs);
136 memcpy(&this->m_sVhdr->bmiHeader, this->iv.m_bh, this->iv.m_bh->biSize);

This got fixed [1] in trunk two weeks ago. 

Reproducible: Didn't try
Comment 1 Steve Dibb (RETIRED) gentoo-dev 2007-03-01 18:49:51 UTC
"This got fixed [1] in trunk two weeks ago."

If anyone wants to find the patch, that'd be great.
Comment 2 Stefan Cornelius (RETIRED) gentoo-dev 2007-03-02 08:32:44 UTC
this looks like the patch:
Comment 3 Luca Barbato gentoo-dev 2007-03-02 11:27:47 UTC
I'm thinking about adding a snapshot of ffmpeg and mplayer in the weekend
Comment 4 Stefan Cornelius (RETIRED) gentoo-dev 2007-03-02 13:50:51 UTC
i doubt this whole thing.

line 134 allocates memory based upon the value in bihs. due to line 119 and 120, this value should be ok (actually, a bit larger than format->biSize due to line 134). i see no way how format->biSize can be larger than the allocated memory.

Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-03-13 13:32:07 UTC
According to, this bug is now fixed in the SVN repository (CVE-2007-1246)
Comment 6 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-15 21:58:03 UTC
Luca or video-team any news on this?
Comment 7 Steve Dibb (RETIRED) gentoo-dev 2007-03-16 00:42:14 UTC
(In reply to comment #6)
> Luca or video-team any news on this?

its a work in progress
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-04 07:54:00 UTC
Is it just me or is this a dupe of #170208
Comment 9 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-04-09 18:49:41 UTC
(In reply to comment #8)
> Is it just me or is this a dupe of #170208

Same origin, but mplayer is still vulnerable. Video team, is your work going well?
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-18 05:51:07 UTC
Media-video any news on this one?
Comment 11 Steve Dibb (RETIRED) gentoo-dev 2007-04-26 15:53:28 UTC
Finally fixed the naming scheme, mplayer-1.0.20070321 is our security fix.
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-30 12:44:24 UTC
Thx Beandog.

Arches please test and mark stable. Target keywords are:

mplayer-1.0.20070321.ebuild:KEYWORDS="alpha amd64 hppa ia64 ppc ppc64 sparc x86 ~x86-fbsd"
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2007-04-30 15:25:23 UTC
ia64 + x86 stable
Comment 14 Mike Doty (RETIRED) gentoo-dev 2007-04-30 15:37:51 UTC
  26 Apr 2007; Steve Dibb <> mplayer-1.0.20070321.ebuild:
  amd64 stable
Comment 15 Gustavo Zacarias (RETIRED) gentoo-dev 2007-04-30 21:10:17 UTC
sparc stable.
Comment 16 Markus Rothe (RETIRED) gentoo-dev 2007-05-01 08:39:50 UTC
ppc64 stable
Comment 17 Bryan Østergaard (RETIRED) gentoo-dev 2007-05-02 11:58:44 UTC
Stable on Alpha.
Comment 18 Jeroen Roovers (RETIRED) gentoo-dev 2007-05-02 15:28:39 UTC
Stable for HPPA.
Comment 19 Tobias Scherbaum (RETIRED) gentoo-dev 2007-05-03 18:38:51 UTC
ppc stable
Comment 20 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-05-30 19:44:58 UTC
200705-21 is out, thansk everybody