Bug 561388 – CVE-2009-4243 HelixPlayer / RealPlayer: HTTP chunk encoding overflow

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 561388 - (CVE-2009-4243) CVE-2009-4243 HelixPlayer / RealPlayer: HTTP chunk encoding overflow

Summary:	CVE-2009-4243 HelixPlayer / RealPlayer: HTTP chunk encoding overflow

Status:	CLOSED NOTABUG

Aliases:	CVE-2009-4243

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	urgent Severity urgent
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:	http://web.nvd.nist.gov/view/vuln/det...
Whiteboard:	impact=critical,source=internet,repor...
Keywords:	Security

Depends On:
Blocks:	CVE-2009-0375/CVE-2009-0376/CVE-2009-4241/CVE-2009-4244/CVE-2009-4246
	Show dependency tree / graph

Reported:	2010-02-03 10:38 EST by Tomas Hoger
Modified:	2010-02-04 09:18 EST (History)
CC List:	2 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2010-02-03 10:57:19 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Tomas Hoger 2010-02-03 10:38:21 EST

Common Vulnerabilities and Exposures assigned an identifier CVE-2009-4243 to the following vulnerability:

RealNetworks RealPlayer 10, RealPlayer 10.5 6.0.12.1040 through 6.0.12.1741,
RealPlayer 11 11.0.0 through 11.0.4, RealPlayer Enterprise, Mac RealPlayer 10
and 10.1, Linux RealPlayer 10, and Helix Player 10.x allow remote attackers to
have an unspecified impact via a crafted media file that uses HTTP chunked
transfer coding, related to an "overflow." 

References:
http://service.real.com/realplayer/security/01192010_player/en/
http://xforce.iss.net/xforce/xfdb/55796

Comment 1 Tomas Hoger 2010-02-03 10:57:19 EST

Upstream patch:
http://lists.helixcommunity.org/pipermail/filesystem-cvs/2008-January/000676.html
https://helixcommunity.org/viewcvs/filesystem/http/httpfsys.cpp?view=log#rev1.113

According to upstream, this issue does affect Helix Player 1.x.

Patch changes the code to use strtol instead of the strtoul and checks whether the value returned is not negative.  When using strtoul, pChunkedEncoding->size can be set to ULONG_MAX and can lead to integer overflow / insufficient buffer allocation in:
  pChunkedEncoding->buf = new char[pChunkedEncoding->size + 1];

1.0.x versions of Helix Player including the latest one - 1.0.9 - available from the upstream download page does, however, still use strtol and uses signed long for the size member of the HTTPChunkedEncoding.  Change to unsigned long / strtoul was only introduced after 1.0.9.

With signed type, size can be LONG_MAX at max, which does not lead to an integer overflow when 1 is added to it.  Negative size is also caught and results in error return code from CHTTPFileObject::DecodeChunkedEncoding.  The code in 1.0.x looks as:

  pChunkedEncoding->size = strtol(pChunkedEncoding->buf, &errstr, 16);
  if (pChunkedEncoding->size > 0) {
    /* allocate / memset memory */
  } else if (pChunkedEncoding->size == 0) {
    /* end of chunk header, change state to "expecting chunk body" */
  } else {
    rc = HXR_FAILED;
    break;
  }

Note You need to log in before you can comment on or make changes to this bug.