Bugtraq mailing list archives

Re: EEYE: RealPlayer pnen3260.dll Heap Overflow
From: Chenghuai Lu <luchenghuai () yahoo com>
Date: Tue, 5 Oct 2004 07:54:52 -0700 (PDT)

Hi Marc and all,

I have a question here.

The code in pnen3260.dll among other things is responsible for handling .rm files. The vulnerability is triggered by setting the length field of the VIDORV30 data chunk to 0xFFFFFFF8 - 0xFFFFFFFF; this will cause an integer overflow which leads to a small block of memory being allocated. We call this movie from a SMIL file to handle the initial exception, eventually overflowing the buffer.

I checked the Real Media file format at:
http://home.pcisys.net/~melanson/codecs/rmff.htm

According to what I understand, a data chunk has a 4-byte object_id as "DATA". This makes me a little confused. What does a VIDORV30 data chunk mean? How do I differentiate a general data chunk from a VIDORV30 data chunk?

Thank you in advance for any advice.
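The mechanism the quoted advisory text describes (a 32-bit chunk length near 0xFFFFFFFF plus a small constant wrapping to a tiny allocation) is easier to reason about with a concrete parser in front of you. The following C program is an added example written for this archive page; it is not code from the poster, from eEye, or from RealPlayer. It assumes a generic chunk header of a 4-byte object_id followed by a 4-byte big-endian length, and it uses a placeholder constant of 8 for the extra bytes a decoder adds before allocating (the real value is not on the page; 8 is chosen only because it makes every length in the 0xFFFFFFF8 - 0xFFFFFFFF range wrap to 0..7). The unchecked helper exists only to make the wrap visible; the checked helper is the form a parser should use.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed generic chunk header layout (constructed for this example, not
 * taken from the RealMedia specification): a 4-byte ASCII object_id followed
 * by a 4-byte big-endian length that counts the whole chunk, header included. */
#define CHUNK_HDR_LEN 8u

/* Placeholder for the extra bytes a decoder might add to the declared length
 * before allocating. The true value for pnen3260.dll is not on the page. */
#define DECODER_SLACK 8u

typedef struct {
    char     id[5];    /* object_id, NUL-terminated so it can be printed */
    uint32_t length;   /* declared chunk length from the header, as read */
} chunk_hdr_t;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse the 8-byte header. Returns 0 on success, -1 if the input is too
 * short to even contain a header. */
int parse_chunk_hdr(const uint8_t *buf, size_t buf_len, chunk_hdr_t *out) {
    if (buf_len < CHUNK_HDR_LEN) return -1;
    memcpy(out->id, buf, 4);
    out->id[4] = '\0';
    out->length = be32(buf + 4);
    return 0;
}

/* The pattern the advisory text describes: declared length plus a small
 * constant, evaluated in 32-bit arithmetic, wraps modulo 2^32 for lengths
 * near 0xFFFFFFFF and yields a tiny allocation. Shown only to expose the
 * wrap; never size a buffer this way. */
uint32_t alloc_size_unchecked(uint32_t declared_len) {
    return declared_len + DECODER_SLACK;
}

/* Hardened form: reject any length for which the addition would wrap, any
 * length too small to hold its own header, and any length larger than the
 * bytes actually present. Returns 1 and sets *out_size when safe, else 0. */
int alloc_size_checked(uint32_t declared_len, size_t available,
                       size_t *out_size) {
    if (declared_len > UINT32_MAX - DECODER_SLACK) return 0; /* would wrap   */
    if (declared_len < CHUNK_HDR_LEN)              return 0; /* nonsensical  */
    if (declared_len > available)                  return 0; /* truncated    */
    *out_size = (size_t)declared_len + DECODER_SLACK;
    return 1;
}

/* End-to-end check over a raw chunk: 1 = safe to allocate for, 0 = rejected,
 * -1 = input shorter than a header. */
int check_chunk(const uint8_t *buf, size_t buf_len) {
    chunk_hdr_t h;
    size_t sz;
    if (parse_chunk_hdr(buf, buf_len, &h) != 0) return -1;
    return alloc_size_checked(h.length, buf_len, &sz);
}

int main(void) {
    /* Constructed sample: a well-formed "DATA" chunk declaring 24 bytes. */
    uint8_t good[24] = { 'D','A','T','A', 0x00,0x00,0x00,0x18 };
    /* Constructed sample: same id, length field set to 0xFFFFFFF8. */
    uint8_t bad[24]  = { 'D','A','T','A', 0xFF,0xFF,0xFF,0xF8 };

    printf("unchecked size for 0xFFFFFFF8: %u\n",
           (unsigned)alloc_size_unchecked(0xFFFFFFF8u));        /* 0 */
    printf("good chunk accepted: %d\n", check_chunk(good, sizeof good)); /* 1 */
    printf("bad chunk accepted:  %d\n", check_chunk(bad, sizeof bad));   /* 0 */
    return 0;
}
```

The three guards in alloc_size_checked are ordered deliberately: the wrap test comes first because it is the only one that cannot be expressed as a plain comparison against the input size, and the "larger than available" test catches the same hostile header even when a decoder later changes its slack constant.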