Multiple critical vulnerabilities in MPlayer

Three patches have been published for the open source MPlayer media player which close several security holes. The flaws allow attackers to provoke buffer overflows in components of the player.

A buffer overflow in the url_escape_string function in the stream/url.c file can be provoked when processing certain URLs. An array indexing error can occur in the mov_build_index function in the libmpdemux/demux_mov.c file when parsing crafted MOV files. Comments in FLAC files can provoke a buffer overflow in get_flac_metadata (libmpdemux/demux_audio.c). A buffer overflow can be provoked in the code that evaluates responses from CDDB servers.

Versions 1.0cr2 and earlier are affected. If your source is from the Subversion repository, an update (svn up) is sufficient, otherwise the patches should be installed individually.

See also:

• Security advisory and patches, on MPlayerhq.hu
• MPlayer arbitrary pointer dereference, security advisory from CORE Security
• MPlayer 1.0rc2 buffer overflow vulnerability, security advisory from CORE Security

(mba)