Release date: 2010-03-29
Updated on: 2010-09-03
Affected Systems:
Apple QuickTime Player <7.6.6
Unaffected Systems:
Apple QuickTime Player 7.6.6
Description:
--------------------------------------------------------------------------------
Bugtraq ID: 39155
CVE ID: CVE-2010-0519
Apple QuickTime is a popular multimedia player.
The QuickTime integer overflow vulnerability occurs when parsing a malformed SubImage Header Stream in a FlashPix image. The application reads the NumberOfTiles field from the data structure, multiplies it by 16, and uses the result as a memory allocation size. If the result is greater than 32 bits, the integer wraps around, so the allocated buffer is too small. When data is then copied into the buffer, an overflow is triggered.
<* Source: ZDI (http://www.zerodayinitiative.com/)
Link: http://secunia.com/advisories/39133/
http://marc.info/?l=bugtraq&m=127048814126282&w=2
http://support.apple.com/kb/HT4104
*>
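The size calculation described above, as an added C example (not QuickTime's code and not part of the original advisory): the unchecked 32-bit multiplication next to a checked form that rejects a NumberOfTiles value whose product with 16 does not fit. The function names, the TILE_ENTRY_SIZE constant name, and the stream_bytes_left bound are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The advisory says NumberOfTiles is multiplied by 16; the constant name is assumed. */
#define TILE_ENTRY_SIZE 16u

/* Flawed pattern: the product is kept in 32 bits, so it wraps modulo 2^32. */
uint32_t tile_table_size_unchecked(uint32_t number_of_tiles)
{
    return (uint32_t)(number_of_tiles * TILE_ENTRY_SIZE);
}

/* Checked form: 0 on success, -1 if the product would not fit in 32 bits or
 * the table would be larger than the bytes left in the stream (assumed bound). */
int tile_table_size_checked(uint32_t number_of_tiles, size_t stream_bytes_left,
                            uint32_t *out_size)
{
    if (number_of_tiles > UINT32_MAX / TILE_ENTRY_SIZE)
        return -1;
    uint32_t size = number_of_tiles * TILE_ENTRY_SIZE;
    if (size > stream_bytes_left)
        return -1;
    *out_size = size;
    return 0;
}

/* Allocate the tile table only after the size has been validated. */
void *alloc_tile_table(uint32_t number_of_tiles, size_t stream_bytes_left)
{
    uint32_t size;
    if (tile_table_size_checked(number_of_tiles, stream_bytes_left, &size) != 0)
        return NULL;
    return calloc(number_of_tiles, TILE_ENTRY_SIZE);
}

int main(void)
{
    uint32_t n = 0x10000001u; /* constructed value: n * 16 needs 33 bits */
    uint32_t size = 0;
    printf("unchecked size for %u tiles: %u bytes\n",
           (unsigned)n, (unsigned)tile_table_size_unchecked(n));
    printf("checked result: %d\n", tile_table_size_checked(n, 1u << 20, &size));
    return 0;
}
```

The constructed value shows the mismatch the description refers to: the unchecked size comes out as 16 bytes while the tile count still claims hundreds of millions of entries.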
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
http://www.exploit-db.com/download/14869
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Apple
-----
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://www.apple.com/quicktime/download/