In association with heise online

28 June 2007, 10:46

Alleged critical holes in Xvid

According to reports from several security services, the Xvid 1.1.2 Video Codec Library has a security hole which attackers could use to gain control over a PC. For a successful attack, a victim only needs to open a prepared Xvid-AVI file with an application which makes calls to the library. Both Windows and Linux applications are affected.

The errors are located in the file mbcoding.c, in the get_intra_block, get_inter_block_h263 and get_inter_block_mpeg functions. Array indexing errors can lead to an overrun that corrupts parts of memory. According to Xvid Project Manager Michael Militzer, it is difficult to see how code could be injected and executed by this means. However, heise Security editors only recently informed the Xvid team about the problem, and the final analysis is yet to come. One thing is certain, though: the problem is not restricted to AVI files but also affects all container formats, such as MP4, Ogg and Matroska.

There is no update yet but one is in progress, according to Militzer. The workaround is to remove the compiler directives #ifdef _DEBUG and #endif around the lines

    if (coeff >= 64) {
        DPRINTF(XVID_DEBUG_ERROR, "error: overflow in coefficient index\n");
        return;
    }

in get_intra_block and

    if (p >= 64) {
        DPRINTF(XVID_DEBUG_ERROR, "error: overflow in coefficient index\n");
        return;
    }

in get_inter_block_h263 and get_inter_block_mpeg. The code suggests that a potential overflow was foreseen there, but that the protection was excluded from the release version for performance reasons.
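The effect of the workaround can be shown with a simplified stand-in, added here as an illustration and not taken from Xvid's mbcoding.c. The decoder, the arena buffer, the checked flag and the sample stream are all constructed assumptions; the flag models whether the index test is compiled into the build.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_COEFFS 64   /* one 8x8 block */
#define ARENA_SIZE   128  /* block plus a stand-in for neighbouring memory */

/* Constructed (run, level) pair, as a run-length coefficient decoder reads it. */
struct event { uint8_t run; int16_t level; };

/* Writes each level at index += run. checked != 0 keeps the index test in every
 * build (the workaround); checked == 0 models a release build where the test
 * sat inside #ifdef _DEBUG. Returns -1 if the input was rejected, else 0. */
static int decode_block(int16_t *arena, const struct event *ev, size_t n, int checked)
{
    size_t coeff = 0;
    for (size_t i = 0; i < n; i++) {
        coeff += ev[i].run;
        if (checked && coeff >= BLOCK_COEFFS)
            return -1;            /* reject before the write */
        if (coeff >= ARENA_SIZE)
            return -1;            /* demo-only net so this program stays well defined */
        arena[coeff++] = ev[i].level;
    }
    return 0;
}

/* Decodes a constructed oversized stream; returns how many entries past the
 * 64-coefficient block were modified and stores the decoder result in *rc. */
static int demo(int checked, int *rc)
{
    static const struct event stream[] = { {10, 5}, {40, -3}, {20, 7}, {0, 9} };
    int16_t arena[ARENA_SIZE];
    int outside = 0;
    memset(arena, 0, sizeof arena);
    *rc = decode_block(arena, stream, sizeof stream / sizeof stream[0], checked);
    for (size_t i = BLOCK_COEFFS; i < ARENA_SIZE; i++)
        outside += (arena[i] != 0);
    return outside;
}

int main(void)
{
    int rc, n = demo(0, &rc);
    printf("check compiled out: rc=%d, entries outside block=%d\n", rc, n);
    n = demo(1, &rc);
    printf("check always on:    rc=%d, entries outside block=%d\n", rc, n);
    return 0;
}
```

With the test disabled the decoder reports success although data landed outside the block; with it enabled the same input is rejected before any out-of-range write.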


(mba)
