


Category:   Application (Generic)  >   xine Vendors:
xine-lib Integer Overflow in Processing QuickTime Media Files Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1021989
SecurityTracker URL:
CVE Reference:   CVE-2009-1274   (Links to External Site)
Updated:  Apr 10 2009
Original Entry Date:  Apr 7 2009
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to
Description:   A vulnerability was reported in xine-lib. A remote user can cause arbitrary code to be executed on the target system.

A remote user can create a QuickTime movie file with specially crafted STTS atoms that, when loaded by the target application using xine-lib, will trigger an integer overflow and execute arbitrary code on the target system. The code will run with the privileges of the target application.

The vulnerability resides in '/src/demuxers/demux_qt.c'.

The vendor was notified on March 3, 2009.

Tobias Klein reported this vulnerability.

The original advisory is available at:

Impact:   A remote user can create a file that, when loaded by the target application, will execute arbitrary code on the target system.
Solution:   The vendor has issued a fixed version (

The vendor's advisory is available at:

Vendor URL: (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.

 Source Message Contents

Subject:  [TKADV2009-005] xine-lib Quicktime STTS Atom Integer Overflow


Please find attached a detailed advisory of the vulnerability.

Alternatively, the advisory can also be found at:


Advisory:               xine-lib Quicktime STTS Atom Integer Overflow
Advisory ID:            TKADV2009-005
Revision:               1.0              
Release Date:           2009/04/04 
Last Modified:          2009/04/04
Date Reported:          2009/03/05
Author:                 Tobias Klein (tk at
Affected Software:      xine-lib <= version
Remotely Exploitable:   Yes
Locally Exploitable:    No 
Vendor URL:   
Vendor Status:          Vendor has released an updated version
Patch development time: 30 days

Vulnerability Details: 

Xine-lib contains an integer overflow vulnerability while parsing malformed
STTS atoms of Quicktime movie files. The vulnerability may be exploited by 
a (remote) attacker to execute arbitrary code in the context of an 
application using the xine library.

Technical Details:

Source code file: xine-lib-

 840 static qt_error parse_trak_atom (qt_trak *trak,
 841				 unsigned char *trak_atom) {
1535    } else if (current_atom == STTS_ATOM) {
1537      /* there should only be one of these atoms */
1538      if (trak->time_to_sample_table) {
1539        last_error = QT_HEADER_TROUBLE;
1540        goto free_trak;
1541      }
1543 [1]  trak->time_to_sample_count = _X_BE_32(&trak_atom[i + 8]);
1545      debug_atom_load("    qt stts atom (time-to-sample atom): %d 
1546        trak->time_to_sample_count);
1548 [2]  trak->time_to_sample_table = (time_to_sample_table_t *)calloc(
1549        trak->time_to_sample_count+1, sizeof(time_to_sample_table_t));
1550      if (!trak->time_to_sample_table) {
1551        last_error = QT_NO_MEMORY;
1552        goto free_trak;
1553      }
1555      /* load the time to sample table */
1556 [3]  for (j = 0; j < trak->time_to_sample_count; j++) {
1557 [4]    trak->time_to_sample_table[j].count =
1558          _X_BE_32(&trak_atom[i + 12 + j * 8 + 0]);
1559 [5]    trak->time_to_sample_table[j].duration =
1560          _X_BE_32(&trak_atom[i + 12 + j * 8 + 4]);
1561        debug_atom_load("      %d: count = %d, duration = %d\n",
1562          j, trak->time_to_sample_table[j].count,
1563          trak->time_to_sample_table[j].duration);
1564      }
1565      trak->time_to_sample_table[j].count = 0; /* terminate with zero*/
1566    }
1567  }

[1] The unsigned int variable "trak->time_to_sample_count" is filled with 
    user supplied data from the media file.
[2] In the lines 1548 and 1549 an integer overflow happens as the first 
    argument to calloc() is calculated with the addition
    "trak->time_to_sample_count+1". A user supplied "trak->time_to_sample_count"
    of UINT_MAX (0xffffffff) will cause an integer overflow within the 
    first parameter of calloc() and therefore only allocate a 0 byte 
    buffer. Please notice that calloc(0, sizeof(time_to_sample_table_t)) 
    will not return a NULL pointer but a pointer into the legal heap on at 
    least platforms like Windows and Linux.
[3] The value of "trak->time_to_sample_count" is used as a counter in this 
    for() loop. 
[4] User controlled data from the quicktime movie file gets copied into the
    previously allocated heap buffer (see [2]). As "j" is used as an array 
    index and the for() loop is executed until
    "j < trak->time_to_sample_count" it is possible to overflow the heap
    buffer with user controlled data from the quicktime movie file.
[5] Same as [4]


  Upgrade to xine-lib >=


  2009/03/05 - xine-lib maintainers notified (
  2009/04/03 - Public disclosure of vulnerability details by xine-lib 
  2009/04/04 - Release date of this security advisory


  Vulnerability found and advisory written by Tobias Klein.




  Revision 0.1 - Initial draft release to the vendor
  Revision 1.0 - Public release


The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.

PGP Signature Key: 

Copyright 2009 Tobias Klein. All rights reserved.
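
Added example, not part of the advisory and not xine-lib's actual fix: the 32-bit wrap described at [2] next to a bounds-checked version of the same table load. The names stts_entry, be32, unchecked_nmemb and parse_stts_checked and the sample buffers are hypothetical; the pointer passed in corresponds to &trak_atom[i] in the excerpt, with the count at offset 8 and 8-byte entries from offset 12.

```c
#include <stdint.h>
#include <stdlib.h>

typedef struct { uint32_t count, duration; } stts_entry;  /* hypothetical */

/* Read a big-endian 32-bit value (stands in for _X_BE_32). */
static uint32_t be32(const unsigned char *p) {
  return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
         ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* What the unchecked 32-bit "count + 1" at [2] evaluates to. */
static uint32_t unchecked_nmemb(uint32_t count) { return count + 1u; }

/* Returns 0 and a zero-terminated table on success, -1 on a malformed atom. */
static int parse_stts_checked(const unsigned char *atom, size_t atom_len,
                              stts_entry **table, uint32_t *n) {
  uint32_t count, j;
  stts_entry *t;
  *table = NULL; *n = 0;
  if (atom_len < 12) return -1;            /* no room for the count field */
  count = be32(atom + 8);
  /* Every entry must fit in the bytes present; this also bounds count + 1. */
  if (count > (atom_len - 12) / 8) return -1;
  t = calloc((size_t)count + 1, sizeof *t);
  if (!t) return -1;
  for (j = 0; j < count; j++) {
    t[j].count    = be32(atom + 12 + (size_t)j * 8);
    t[j].duration = be32(atom + 12 + (size_t)j * 8 + 4);
  }
  *table = t; *n = count;                  /* t[count].count is 0 from calloc */
  return 0;
}

/* Constructed samples: 8 header bytes (not parsed here), count, entries. */
static const unsigned char good_atom[] = {
  0,0,0,0, 0,0,0,0,  0,0,0,2,
  0,0,0,10, 0,0,0,100,  0,0,0,5, 0,0,0,200 };
static const unsigned char bad_atom[] = {
  0,0,0,0, 0,0,0,0,  0xff,0xff,0xff,0xff };   /* count = UINT_MAX, no entries */

int main(void) {
  stts_entry *t; uint32_t n;
  int ok = parse_stts_checked(good_atom, sizeof good_atom, &t, &n);
  free(t);
  return !(ok == 0 && parse_stts_checked(bad_atom, sizeof bad_atom, &t, &n) == -1);
}
```

Checking the count against the bytes actually present rejects the UINT_MAX case before any allocation, and it also keeps the reads from the atom buffer in bounds.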
