This post was originally published on the Semmle blog on August 19, 2019.

Today, the VideoLAN team announced a new release of VLC, fixing 11 vulnerabilities reported by Antonio Morales Maldonado from the GitHub Security Lab's research team.

MITRE has issued the following CVE IDs for the vulnerabilities: CVE-2019-14437, CVE-2019-14438, CVE-2019-14498, CVE-2019-14535, CVE-2019-14534, CVE-2019-14533, CVE-2019-14776, CVE-2019-14778, CVE-2019-14779, CVE-2019-14777, CVE-2019-14970.

About VLC

The VLC Media Player (commonly known as just VLC) is a popular media player developed by the VideoLAN project. VLC is available on most platforms (Windows, macOS, Linux, Android, iOS, Windows Mobile …) and can, by default, read many audio and video formats without requiring users to install additional codecs.

Below you can find a summary of the bugs discovered:

It is worth explaining two of them in a little more detail.

The first one is CVE-2019-14438. This is an out-of-bounds (OOB) write (heap overflow) vulnerability that affects the Ogg container format. This includes, amongst others, .ogg, .ogm and .opus files. This vulnerability could be triggered by inserting specially crafted headers which are not correctly counted by the xiph_CountHeaders function. As a result, the total number of bytes that could be written is larger than expected, overflowing previously allocated buffers. In this case, the risk is also increased by the large number of bytes that can be overwritten, and by the possibility of turning it into an OOB read (CVE-2019-14437).

static inline unsigned int xiph_CountHeaders( const void *extra, unsigned int i_extra )
{
    const uint8_t *p_extra = (uint8_t*) extra;
    if ( !i_extra ) return 0;
    if ( xiph_IsOldFormat( extra, i_extra ) )
    {
        /* Check headers count */
        unsigned int overall_len = 6;
        for ( int i=0; i<3; i++ )
        {
            uint16_t i_size = GetWBE( extra );
            p_extra += 2 + i_size;
            if ( i_extra < i_size || overall_len > i_extra - i_size )
                return 0;
            overall_len += i_size;
        }
        return 3;
    }
    else
    {
        return *p_extra + 1;
    }
}
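As an added example (not VLC's code and not the fix the VideoLAN team shipped), here is a bounds-checked walk over the old-format Xiph extradata layout that xiph_CountHeaders handles, three headers each prefixed by a 16-bit big-endian length, run on constructed inputs. Every length is read at the current offset and checked against the bytes that actually remain before the cursor advances, so a crafted header cannot yield a count or a total size larger than the buffer; the xiph_result type and the case functions are names chosen for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Result of a validated walk: header count and the bytes they occupy. */
typedef struct { unsigned int headers; size_t total; } xiph_result;

/* Walk old-format Xiph extradata: three headers, each prefixed by a 16-bit
 * big-endian length (layout as in the page's xiph_CountHeaders). Each length
 * is read at the current cursor and checked against the remaining bytes before
 * the cursor moves, so a crafted length returns {0, 0} instead of a count and
 * size that would let a caller write past the buffer. */
xiph_result count_old_format_headers(const uint8_t *extra, size_t i_extra)
{
    xiph_result bad = { 0, 0 };
    size_t pos = 0;
    for (int i = 0; i < 3; i++) {
        if (i_extra - pos < 2)                 /* no room for a length field */
            return bad;
        uint16_t size = (uint16_t)((extra[pos] << 8) | extra[pos + 1]);
        pos += 2;
        if (size > i_extra - pos)              /* body would overrun the buffer */
            return bad;
        pos += size;
    }
    return (xiph_result){ 3, pos };            /* 6 length bytes + bodies */
}

/* Constructed sample (not from a real file): header lengths 4, 2 and 1. */
static const uint8_t k_sample[] = {
    0x00, 0x04, 1, 2, 3, 4,   0x00, 0x02, 5, 6,   0x00, 0x01, 7
};
/* Well-formed input: 3 headers, 13 bytes in total. */
xiph_result well_formed_case(void)
{
    return count_old_format_headers(k_sample, sizeof k_sample);
}
/* Crafted input: second length field rewritten to 0xFFFF; rejected. */
xiph_result oversized_case(void)
{
    uint8_t buf[sizeof k_sample];
    memcpy(buf, k_sample, sizeof buf);
    buf[6] = 0xFF; buf[7] = 0xFF;
    return count_old_format_headers(buf, sizeof buf);
}
/* Truncated input: buffer ends inside the third length field; rejected. */
xiph_result truncated_case(void)
{
    return count_old_format_headers(k_sample, 11);
}
```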

It is also interesting to explain CVE-2019-14533. In this case, we discovered a use-after-free (UAF) affecting WMV and WMA files (ASF container). This UAF is triggered when the video is seeked forward, in other words, when the user clicks on the time bar. The bug is due to a pointer that is not nulled in DemuxEnd, which later causes a dereference of previously freed memory (use-after-free read). This bug could allow an attacker to alter the expected application flow.

static void DemuxEnd( demux_t *p_demux )
{
    demux_sys_t *p_sys = p_demux->p_sys;

    if( p_sys->p_root )
    {
        ASF_FreeObjectRoot( p_demux->s, p_sys->p_root );
        p_sys->p_root = NULL;
        //p_sys->p_fp should also be nulled
    }

    [...]
}

Severity and mitigation

The vulnerabilities found affect a number of different media formats, including mkv, avi, wmv and ogg, and most of them can be triggered simply by opening the file from VLC.

The most critical issues fixed are the use-after-free and OOB write vulnerabilities. Each of them could potentially be used by an attacker to execute code on the victim's machine through a specially crafted file, effectively allowing the attacker to take control of the computer.

Three other, less critical bugs, such as a division by zero, have also been reported, even though they do not allow code execution. We thought it would be worthwhile to report these bugs as well, allowing the VLC team to fix them.

All eleven bugs have been fixed by the VideoLAN team in the new release of VLC. We recommend upgrading to release 3.0.8.

Disclosure timeline

Coordinated disclosure

GitHub takes coordinated disclosure very seriously. In accordance with our standard practice, the Security Lab Research Team has collaborated with the VideoLAN project maintainers to ensure an effective patch is made available as quickly as possible. For more information about our security team, the research they do, and our disclosure policy, visit securitylab.github.com/disclosures#policy.

Image Credits

Main image: Copyright (c) 1996-2010 VideoLAN. This logo or a modified version may be used or modified by anyone to refer to the VideoLAN project or any product developed by the VideoLAN team, but does not indicate endorsement by the project.