ASA-2019-00355 – VLC: Buffer overflow in libavi_plugin memmove() call


Allele Security Alert

ASA-2019-00355

Identifier(s)

ASA-2019-00355, CVE-2019-5439, VideoLAN-SA-1901

Title

Buffer overflow in libavi_plugin memmove() call

Vendor(s)

VideoLAN Project

Product(s)

VLC

Affected version(s)

VLC versions before 3.0.7

Fixed version(s)

VLC version 3.0.7

Proof of concept

Unknown

Description

When parsing an invalid AVI file, a buffer overflow might occur leading to an out-of-bounds read.

Technical details

The ReadFrame function in avi.c uses a variable, i_width_bytes, that is a signed integer obtained directly from the file. The value is not strictly checked before it is used in memory operations (memmove, memcpy), which may cause a buffer overflow.
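
The kind of strict check a signed, file-supplied byte width needs before it reaches memmove or memcpy, as an added example that is not VLC's code or the upstream patch. The helper flip_rows_checked, its parameters and the sample buffer are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not VLC code): reverses the row order of a bitmap
 * in place. width_bytes is a signed value read from the file header and
 * must be treated as untrusted. Returns 0 on success, -1 if rejected. */
int flip_rows_checked(uint8_t *buf, size_t buf_len, int32_t width_bytes)
{
    /* Reject zero and negative widths while the value is still signed.
     * Converted to size_t, a negative width becomes a huge copy length. */
    if (width_bytes <= 0)
        return -1;
    size_t row = (size_t)width_bytes;

    /* One row must fit in the buffer and the buffer must hold whole rows,
     * otherwise the last row access would run past the end. */
    if (row > buf_len || buf_len % row != 0)
        return -1;
    size_t rows = buf_len / row;   /* >= 1 here, so rows - 1 cannot wrap */

    uint8_t *tmp = malloc(row);
    if (tmp == NULL)
        return -1;
    for (size_t top = 0, bot = rows - 1; top < bot; top++, bot--) {
        memcpy(tmp, buf + top * row, row);
        memmove(buf + top * row, buf + bot * row, row);
        memcpy(buf + bot * row, tmp, row);
    }
    free(tmp);
    return 0;
}

int main(void)
{
    uint8_t img[6] = {1, 2, 3, 4, 5, 6};   /* constructed: 3 rows of 2 bytes */
    printf("width  2 -> %d\n", flip_rows_checked(img, sizeof img, 2));
    printf("width -2 -> %d\n", flip_rows_checked(img, sizeof img, -2));
    printf("width  8 -> %d\n", flip_rows_checked(img, sizeof img, 8));
    return 0;
}
```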

Credits

zhangyang (retoor)

Reference(s)

Buffer overflow in libavi_plugin memmove() call
https://hackerone.com/reports/484398

[vlc-commits] avi: Fix potential integer overflow
https://mailman.videolan.org/pipermail/vlc-commits/2019-May/055915.html

avi: Fix potential integer overflow
https://git.videolan.org/gitweb.cgi/vlc/vlc-3.0.git/?a=commit;h=b96e1a6380368240a156d84617c4379df14b0ec1

VLC 3.0.7 and security
http://www.jbkempf.com/blog/post/2019/VLC-3.0.7-and-security

NEWS
https://www.videolan.org/developers/vlc-branch/NEWS

CVE-2019-5439
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5439

CVE-2019-5439
https://nvd.nist.gov/vuln/detail/CVE-2019-5439

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: June 25, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.