Apple QuickTime .mov "JVTCompEncodeFrame ()" Heap Overflow

Release Date:
April 24th, 2007

Severity:
High

Vendor:
Apple

Versions Affected:
QuickTime 7.1.5

Overview:
A heap overflow vulnerability exists within Apple QuickTime 7.1.5 and all prior versions when processing a malformed .mov file.

Technical Details:
When processing a malformed .mov file, the JVTCompEncodeFrame () function incorrectly parses the malformed data, causing the application to crash with a segmentation fault. This may allow an attacker to cause the application to stop responding and/or to execute arbitrary code within the context of the logged-in user.

Debug info:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00041656
0x90003646 in szone_malloc ()
(gdb) bt
#0 0x90003646 in szone_malloc ()
#1 0x90003527 in malloc_zone_malloc ()
#2 0x90325591 in mem_heap_malloc ()
#3 0x90325511 in shape_alloc_bounds ()
#4 0x9170d8ec in RectRgn ()
#5 0x91726437 in SetRectRgn ()
#6 0x9436d3b4 in ICMDeviceLoop ()
#7 0x9437728a in DecompressSequenceFrameWhen ()
#8 0x94376c3a in ICMDecompressionSessionDecodeFrame ()
#9 0x98b0c58c in v2m_rDecompressSequenceFrameWhen ()
#10 0x98b1333b in v2m_decompressVideoFrame ()
#11 0x98b13cd7 in QueueAFrame ()
#12 0x98b14d49 in v2m_doWhatTheMentorTellsUs ()
#13 0x98b166ac in Video2MoviesTask ()
#14 0x90cceccf in CallComponentFunctionCommon ()
#15 0x98b056c0 in Video2ComponentDispatch ()
#16 0x90cce7f8 in CallComponentDispatch ()
#17 0x94369f27 in MediaMoviesTask ()
#18 0x94368c04 in TaskMovie_priv ()
#19 0x98bb9b42 in doIdleMovie ()
#20 0x98bc8691 in internalDoAction ()
#21 0x98bb9a1a in _MCIdle ()
#22 0x90cceb13 in CallComponentFunctionCommon ()
#23 0x98bb4f19 in _MCComponentDispatch ()
#24 0x90cce7f8 in CallComponentDispatch ()
#25 0x943679fc in MCIdle ()
#26 0x9436664d in QTOMovieObject::SendCommand ()
#27 0x9433b1e2 in DispatchQTMsg ()
#28 0x9433af0f in QTObjectTokenPriv::SendMessageToObject ()
#29 0x9433a338 in QTObjectTokenPriv::DispatchMessage ()
#30 0x9436646a in QTSendToObject ()
#31 0x95a21142 in QTObjectTokenExecuteCommand ()
#32 0x95a32f85 in -[QTMovie idle] ()
#33 0x9082a6eb in CFSetApplyFunction ()
#34 0x95a2feab in +[QTMovie idleAllMovies:] ()
#35 0x9282c2de in __NSFireTimer ()
#36 0x9082c7e2 in CFRunLoopRunSpecific ()
#37 0x9082bace in CFRunLoopRunInMode ()
#38 0x92dd78d8 in RunCurrentEventLoopInMode ()
#39 0x92dd6fe2 in ReceiveNextEventCommon ()
#40 0x92dd6e39 in BlockUntilNextEventMatchingListInMode ()
#41 0x9327d465 in _DPSNextEvent ()
#42 0x9327d056 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#43 0x93276ddb in -[NSApplication run] ()
#44 0x9326ad2f in NSApplicationMain ()
#45 0x00040632 in _start ()
#46 0x0004054d in start ()
(gdb)
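
An added triage example (not part of the original advisory): it parses gdb output in the format shown above and reports whether the fault landed inside allocator frames, which usually means heap metadata was corrupted earlier and is consistent with JVTCompEncodeFrame () not appearing in the backtrace itself. The allocator-name heuristic, the function names and the trimmed SAMPLE are assumptions constructed for illustration.

```python
import re

# Constructed sample: a trimmed copy of the gdb output format shown in the
# advisory, including a line where two frames ran together.
SAMPLE = """\
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00041656
0x90003646 in szone_malloc ()
(gdb) bt
#0 0x90003646 in szone_malloc ()
#1 0x90003527 in malloc_zone_malloc ()
#2 0x90325591 in mem_heap_malloc ()
#3 0x90325511 in shape_alloc_bounds () #4 0x9170d8ec in RectRgn ()
#5 0x91726437 in SetRectRgn ()
#32 0x95a32f85 in -[QTMovie idle] ()
"""

FRAME_RE = re.compile(r"#(\d+)\s+(0x[0-9a-fA-F]+) in (.+?) \(\)")
REASON_RE = re.compile(r"Reason: (\w+) at address: (0x[0-9a-fA-F]+)")
# Assumption: a frame whose name ends in malloc/calloc/realloc/free is an
# allocator or allocator-wrapper frame. This is a heuristic, not a symbol table.
ALLOC_RE = re.compile(r"(?:^|_)(?:malloc|calloc|realloc|free)$")


def parse_frames(text):
    """Return (index, address, symbol) tuples; tolerates frames merged on one line."""
    return [(int(i), int(a, 16), s) for i, a, s in FRAME_RE.findall(text)]


def triage(text, suspect=None):
    """Summarise a crash: where it faulted and whether `suspect` is on the stack."""
    frames = parse_frames(text)
    reason = REASON_RE.search(text)
    depth = 0  # number of consecutive allocator frames at the top of the stack
    while depth < len(frames) and ALLOC_RE.search(frames[depth][2]):
        depth += 1
    return {
        "reason": reason.group(1) if reason else None,
        "fault_address": int(reason.group(2), 16) if reason else None,
        # A fault inside the allocator usually means heap metadata was already
        # damaged; the write that damaged it happened earlier, on another stack.
        "faulted_in_allocator": depth > 0,
        "first_non_allocator_frame": frames[depth][2] if depth < len(frames) else None,
        "suspect_on_stack": any(s == suspect for _, _, s in frames) if suspect else None,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE, suspect="JVTCompEncodeFrame").items():
        print(f"{key}: {value}")
```

When `faulted_in_allocator` is true and `suspect_on_stack` is false, the backtrace identifies the allocation that tripped over the damage, not the code that caused it; re-running under a guard allocator is the usual way to catch the corrupting write itself.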

Vendor Status:
Reported on 3/28/2006 (Over 1 year, still no patch)

Solution:
MPlayer

Discovered by:
Tom Ferris
tommy[at]security-protocols[dot]com

Related Links:
http://security-protocols.com/poc/sp-x45.mov
http://security-protocols.com/sp-x45-advisory.php
http://mplayerhq.hu

Security-Protocols.com :: 1999-2008