In association with heise online

27 June 2007, 13:09

Buffer Overflows in RealPlayer and HelixPlayer


A vulnerability in RealPlayer and its open source version HelixPlayer can, according to the security service company iDefense, possibly result in the computer being compromised. In the least dramatic case, it will only crash the application.

The problem is caused by use of the unsafe C function strncpy() in the SmilTimeValue::parseWallClockValue() player function which processes the time specification in SMIL media files. Due to inadequate checking of the buffer size, manipulated time specifications can cause a buffer overflow, which allows code to be written to the stack and executed in the client context.

Interestingly enough, the vulnerable line strncpy(buf, pos, len); in the HelixPlayer source code is annotated with an additional comment /* Flawfinder: ignore */, which indicates that the sources have already been analysed with the security vulnerability search tool FlawFinder. When the ignore comment is present, however, the tool does not raise an error message for the affected line. So it would seem it has probably been apparent for some time that a potential vulnerability exists there. There are also other ignore entries coupled with unsafe C functions in the HelixPlayer source code.
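The following added example (not HelixPlayer code, and not from the original article) shows the bounded form of such a copy: the input-derived length is checked against the destination size before anything is written. The helper name extract_wallclock, the buffer size and the simplified wallclock(...) input form are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define WALLCLOCK_MAX 32 /* assumed capacity of the destination buffer */

/* Pattern the article describes, shown only as a comment:
 *     strncpy(buf, pos, len);   (annotated "Flawfinder: ignore")
 * len is computed from the input, not from the size of buf, so the
 * third argument bounds nothing. */

/* Hypothetical helper: copy the text between "wallclock(" and ")" into dst.
 * Returns the copied length, or -1 if the value is malformed or too long. */
int extract_wallclock(const char *attr, char *dst, size_t dstsize)
{
    static const char prefix[] = "wallclock(";
    const size_t plen = sizeof(prefix) - 1;
    const char *pos, *end;
    size_t len;

    if (attr == NULL || dst == NULL || dstsize == 0)
        return -1;
    if (strncmp(attr, prefix, plen) != 0)
        return -1;
    pos = attr + plen;
    end = strchr(pos, ')');
    if (end == NULL)
        return -1;
    len = (size_t)(end - pos);  /* input-derived length */
    if (len >= dstsize)         /* bound by the destination, leave room for NUL */
        return -1;
    memcpy(dst, pos, len);
    dst[len] = '\0';            /* strncpy() would not terminate here */
    return (int)len;
}

int main(void)
{
    /* Constructed sample values, not taken from any real SMIL file. */
    const char *samples[] = {
        "wallclock(2007-06-27T13:09:00)",
        "wallclock(0123456789012345678901234567890123456789)",
    };
    char buf[WALLCLOCK_MAX];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = extract_wallclock(samples[i], buf, sizeof buf);
        printf("%d %s\n", n, n < 0 ? "(rejected)" : buf);
    }
    return 0;
}
```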

For an exploit to be successful, the victim needs to open a crafted SMIL file or visit a malicious website. The vulnerability has been confirmed by iDefense for the HelixPlayer and the RealPlayer 10.5 Gold, with previous versions also probably affected. According to iDefense, RealNetworks has already provided an update to eliminate the vulnerabilities; however, on the vendor's security pages the last entry is dated March 22, 2006. The error-free versions, however, should be available for download on the download pages.

(mba)

Permalink: http://h-online.com/-733145