Since nobody have reported it yet. Here it is: A malicious host can craft a harmful HTTP header ("Location:"), and trick MPlayer into executing arbitrary code upon parsing that header. MPlayer versions affected: MPlayer 0.90pre series MPlayer 0.90rc series MPlayer 0.90 MPlayer 0.91 MPlayer 1.0pre1 MPlayer 1.0pre2 MPlayer 1.0pre3 Reproducible: Always Steps to Reproduce: 1. 2. 3. Patch from mplayerhq.hu: diff -u -r1.17 -r1.18 --- http.c 13 Nov 2002 09:02:55 -0000 1.17 +++ http.c 30 Mar 2004 10:58:41 -0000 1.18 @@ -175,7 +175,7 @@ if( http_hdr->method==NULL ) http_set_method( http_hdr, "GET"); if( http_hdr->uri==NULL ) http_set_uri( http_hdr, "/"); else { - uri = (char*)malloc(strlen(http_hdr->uri)*2); + uri = (char*)malloc((strlen(http_hdr->uri)*3) + 1); if( uri==NULL ) { mp_msg(MSGT_NETWORK,MSGL_ERR,"Memory allocation failed\n"); return NULL;
*** This bug has been marked as a duplicate of 46246 ***