Information Assurance

Chris Piro




Bugtraq Analysis

Remote heap overflow in http input module of MPlayer


MPlayer is a popular media player application available for many operating systems. It is possible to invoke MPlayer from the command line or from a web browser with a URL. Typically, this looks like:

$ mplayer http://www.mysite.com/some_harmless_looking_movie.mpeg

MPlayer allocates a buffer from the heap, URL-escapes the string given on the command line, and stores the escaped string in that buffer. However, the buffer allocated may be too small to hold the escaped string, so it can be overflowed.

From libmpdemux/http.c, in http_build_request():

178:    if( http_hdr->uri==NULL ) http_set_uri( http_hdr, "/");
179:    else {
180:      uri = (char*)malloc(strlen(http_hdr->uri)*2);
181:      if( uri==NULL ) {
182:         mp_msg(MSGT_NETWORK,MSGL_ERR,"Memory allocation failed\n");
183:         return NULL;
184:      }
185:      url_escape_string( uri, http_hdr->uri );

The escaped string produced on line 185 may be up to three times longer than the original string, because each escaped character becomes a three-byte %XX sequence (e.g. a space ' ' gets escaped into '%22'). However, line 180 only allocates twice the length of the original string. If this buffer is overflowed, any heap memory located after it can be corrupted. This includes buffers the program allocated explicitly as well as the allocator metadata kept by library functions like malloc; a thorough explanation is given in w00w00 on Heap Overflows.

A malicious web site can redirect a user from a harmless-looking URL to one containing many unescaped characters by using the Location: HTTP header. This allows the site to crash MPlayer or worse. However, since anything placed in the malicious URL will be escaped, inserting executable code may be difficult or impossible. Also, since the exploitable code runs near the beginning of the program, this buffer is likely longer than any previously allocated buffer, so the only part of the heap that will be overflowed is the unallocated portion.

The command

$ mplayer http://`perl -e 'print "\""x1024;'`

should make MPlayer die with a segfault if it is vulnerable.

To work around this problem, users can save files and open them locally rather than using MPlayer to download or stream them. The HTTP request code in MPlayer is not called when a file is played from local disk.

The programmers could have avoided this problem by allocating a buffer large enough to hold any escaped string: at least 3 times the length of the unescaped string, plus room for the terminating NUL. Users should upgrade MPlayer; a fix was available the day of the Bugtraq announcement.
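The sizing bug and its fix, as an added example (my own code, not MPlayer's url_escape_string). It assumes a simple escaping rule (alphanumerics and a fixed set of URL punctuation pass through, everything else becomes %XX); the point is that the output size is computed from the input before malloc() rather than guessed as strlen()*2, and that the writer refuses a buffer that is too small.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Assumed rule: alphanumerics and common URL punctuation pass through,
 * everything else is written as a three-byte %XX sequence. Worst case 3x. */
static int url_needs_escape(unsigned char c) {
    return !(isalnum(c) || strchr("-_.~/?&=:;,+@!$'()*", c));
}

/* Bytes the escaped form of s needs, terminating NUL included.
 * Sizing from the output instead of strlen(s)*2 is the fix. */
size_t url_escaped_size(const char *s) {
    size_t n = 1; /* NUL */
    for (; *s; s++)
        n += url_needs_escape((unsigned char)*s) ? 3 : 1;
    return n;
}

/* Escape src into dst (capacity dst_size). Returns 0 on success, -1 if
 * dst is too small; in that case nothing is written, so an undersized
 * buffer like the strlen()*2 one above cannot be overflowed. */
int url_escape_safe(char *dst, size_t dst_size, const char *src) {
    static const char hex[] = "0123456789ABCDEF";
    if (dst_size < url_escaped_size(src))
        return -1;
    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        if (url_needs_escape(c)) {
            *dst++ = '%';
            *dst++ = hex[c >> 4];
            *dst++ = hex[c & 0xF];
        } else {
            *dst++ = (char)c;
        }
    }
    *dst = '\0';
    return 0;
}

/* Allocate-and-escape, as http_build_request should have done it. */
char *url_escape_dup(const char *src) {
    size_t n = url_escaped_size(src);
    char *out = malloc(n);
    if (out == NULL)
        return NULL;
    url_escape_safe(out, n, src);
    return out;
}
```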