DivX Player trips up when processing subtitles
The popular DivX video codec is packaged with a player. Unfortunately, the current version of the DivX Player crashes when handling crafted subtitle files, allowing attackers to inject arbitrary program code.
The flaw, reported by securfrog, can be exploited via manipulated
.srt subtitle files. When an entry to be displayed includes a string more than 4096 characters long, a buffer overflow occurs because the length is not checked properly, causing the player to crash. securfrog says that the instruction pointer can be manipulated during the crash, which allows arbitrary program code to be executed.
The DivX Player automatically loads subtitle files that have the same base name as the video file, such as
test.srt. Version 220.127.116.11 of the DivX Player included in the current DivX 6.8 is affected, as probably are previous versions. Until an updated DivX Player has been released, users of the software are advised to refrain from opening any subtitle files from untrusted sources.
- DIVX Player <= 6.7.0 Buffer Overflow PoC (.SRT), demonstration of the flaw at securfrog