Bug 65215 - mplayer-1.0_pre5-r4: stack smashing attack in function Setup_FS_Segment()
Summary: mplayer-1.0_pre5-r4: stack smashing attack in function Setup_FS_Segment()
Status: RESOLVED CANTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: media-video herd
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-09-24 08:36 UTC by Ole Tange
Modified: 2005-02-05 09:56 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Ole Tange 2004-09-24 08:36:51 UTC
Playing 
http://www.cyberniklas.de/pongmechanik/videos/pong_web.mov
gives mplayer: stack smashing attack in function Setup_FS_Segment()


Reproducible: Always
Steps to Reproduce:
1. wget http://www.cyberniklas.de/pongmechanik/videos/pong_web.mov
2. mplayer pong_web.mov


Actual Results:  
Playing /tmp/pong_web.mov. 
QuickTime/MOV file format detected. 
-------------- 
MOV track #0: 853 chunks, 0 samples 
Audio bits: 16  chans: 1  rate: 22050 
Audio extra header: len=64  fcc=0x77617665 
MOV: Found unknown audio atom Fourcc: QDM2 
-------------- 
MOV track #1: 1706 chunks, 4260 samples 
MOV: Found unknown movie atom SMI  (21)! 
Image size: 240 x 180 (32 bpp) 
Display size: 240 x 180 
Fourcc: SVQ3  Codec: 'Sorenson Video 3' 
-------------- 
MOV track #2: 1704 chunks, 4260 samples 
Generic track - not completely understood! (id: 2) 
-------------- 
MOV track #3: 144 chunks, 144 samples 
Generic track - not completely understood! (id: 3) 
-------------- 
MOV: longest streams: A: #0 (853 samples)  V: #1 (4260 samples) 
========================================================================== 
Opening audio decoder: [qtaudio] QuickTime Audio Decoder 
mplayer: stack smashing attack in function Setup_FS_Segment() 
Aborted 
 


Portage 2.0.50-r11 (default-x86-1.4, gcc-3.3.4, glibc-2.3.3.20040420-r1, 
2.6.8.1) 
================================================================= 
System uname: 2.6.8.1 i686 Intel(R) Pentium(R) 4 CPU 2.00GHz 
Gentoo Base System version 1.4.16 
Autoconf: sys-devel/autoconf-2.59-r4 
Automake: sys-devel/automake-1.8.5-r1 
ACCEPT_KEYWORDS="x86" 
AUTOCLEAN="yes" 
CFLAGS="-O2 -mcpu=i686 -pipe" 
CHOST="i686-pc-linux-gnu" 
COMPILER="" 
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3.1/share/config /usr/kde/3.2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/bind /var/qmail/control" 
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d" 
CXXFLAGS="-O2 -mcpu=i686 -pipe" 
DISTDIR="/usr/portage/distfiles" 
FEATURES="autoaddcvs ccache sandbox" 
GENTOO_MIRRORS="http://mirror.datapipe.net/gentoo/ 
http://csociety-ftp.ecn.purdue.edu/pub/gentoo/ rsync://gentoo.seren.com/gentoo 
ftp://gentoo.netnitco.net/pub/mirrors/gentoo/source/ 
ftp://ftp.gtlib.cc.gatech.edu/pub/gentoo" 
MAKEOPTS="-j1" 
PKGDIR="/usr/portage/packages" 
PORTAGE_TMPDIR="/var/tmp" 
PORTDIR="/usr/portage" 
PORTDIR_OVERLAY="" 
SYNC="rsync://rsync.gentoo.org/gentoo-portage" 
USE="X X509 aac aalib alsa apm arts artswrappersuid avi berkdb bitmap-fonts 
bonobo bzlib cdparanoia cdr chroot clamav cryptcups curl debug directfb drac 
dvb dvd dvdr dvdread edl encode erandom esd f77 faac faad ffmpeg fftw flac 
flash foomaticdb freetype gcj gd gd-external gdbm ggi gif gmp gnome gphoto2 gpm 
gs gtk gtk2 gtkhtml guile hardened hardenedphp ieee1394 imagemagick imap imlib 
innodb ipv6 irda irmc jabber java jbig jpeg kde ldap libg++ libwww lirc live 
lufsusermount lzo lzw lzw-tiffmad makecheck matroska mcal mdb memlimit mikmod 
mldonkeypango mmx mmx2 mng mnogosearch monkey mono motif mozilla mozp3p mozsvg 
mozxmlterm mpeg mpeg4 mplayer msdav msn mssql mysql mythtv nagios-dns 
nagios-ntp nagios-ping nagios-ssh nas ncurses network neural nls oav oggvorbis 
ooo-kde opengl oss pam pcap pcre pda pdflib perl pg-hier pg-vacuumdelay pic pie 
plotutils png postgres pwdb python qt quicktime radeon readline rtc ruby sasl 
scanner sdl skey slang snmp sox speex spell sse sse2 ssl svg svga tcltk tcpd 
tetex theora tidy tiff transcode truetype type1 usb v4l v4l2 vhosts virus-scan 
vnc wifi wmf x86 xfs xml2 xmms xprint xv xvid zlib"
Comment 1 Chris White (RETIRED) gentoo-dev 2004-09-24 18:25:35 UTC
Can you confirm this with MPlayer-1.0_pre5-r2?  -r3+ use custom CFLAGS (they are masked and experimental), so I'd like to make sure that's what we're dealing with.  Just a quick look over the code, and it's asm, something I don't do well with (yes, I admit to that :), and I may contact someone that does know more.
Comment 2 Ole Tange 2004-09-24 23:51:13 UTC
I had a gut feeling that this was caused by USE=hardened. So I tried removing hardened when compiling mplayer. This gave the same result.

However, if I remove hardened and recompile first gcc then mplayer, then it works - even with 1.0_pre5-r4. I thereby feel that it is proven that it is the hardened version of gcc that conflicts with mplayer.

For my experience with compiling older versions of mplayer, see bug 64450.
Comment 3 Chris Bainbridge (RETIRED) gentoo-dev 2005-02-01 01:22:00 UTC
I get the same thing with -fstack-protector in CFLAGS on mplayer-1.0_pre5-r5.
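What the -fstack-protector instrumentation named in the comment above is actually checking for, as an added illustration that is not code from this bug or from mplayer: a plain-C model of a protected frame in which an unchecked copy overruns its local array and is caught by the canary comparison, beside a bounded copy that never reaches the canary. The struct layout, the canary value and the function names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a frame built with -fstack-protector (ProPolice): the
 * local array sits below a guard word (canary), which sits below the saved
 * return address, so an overrun must cross the canary before reaching the
 * return address; the epilogue compares the canary.  Values are illustrative. */
#define BUF_SIZE 16
#define CANARY   0xff0a0d00u   /* terminator-style value: holds NUL, LF, CR */

struct frame {
    char     buf[BUF_SIZE];   /* local array, grows toward the canary */
    uint32_t canary;          /* guard word inserted by the compiler */
    uint32_t saved_ret;       /* stands in for the saved return address */
};

/* Unchecked copy into the local buffer, then the epilogue canary test.
 * Returns 1 if the canary is intact, 0 if the copy smashed it (the case in
 * which ProPolice reports "stack smashing attack in function ..."). */
int frame_copy_checked(const char *src, size_t len)
{
    struct frame f;
    f.canary = CANARY;
    f.saved_ret = 0xdeadbeefu;
    if (len > sizeof f)                     /* stay inside the model's storage */
        len = sizeof f;
    memcpy((unsigned char *)&f, src, len);  /* starts at buf; len > 16 hits the canary */
    return f.canary == CANARY;              /* the instrumented epilogue's check */
}

/* The fix the protector cannot make for you: bound the write up front.
 * Returns 1 on success, -1 when the input would not fit. */
int frame_copy_bounded(const char *src, size_t len)
{
    char buf[BUF_SIZE];
    if (len > sizeof buf)
        return -1;
    memcpy(buf, src, len);
    return 1;
}

int main(void)
{
    char in[24];
    memset(in, 'A', sizeof in);   /* constructed oversized input */
    printf("16: %d  17: %d  bounded 17: %d\n", frame_copy_checked(in, 16),
           frame_copy_checked(in, 17), frame_copy_bounded(in, 17));
    return 0;
}
```

A real protector aborts the process at the mismatch instead of returning 0, which is the "Aborted" seen in the report.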
Comment 4 Chris White (RETIRED) gentoo-dev 2005-02-05 09:56:02 UTC
This deals with loading DLLs and Windows-style files.  That said... not much I can do about it, as I'd have to ask Apple to fix their stuff in preventing stack smashing on Linux.  Guess how that would go :P.