CVE-2007-4938

unknown

Published — · Modified —

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

Heap-based buffer overflow in libmpdemux/aviheader.c in MPlayer 1.0rc1 and earlier allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a .avi file with certain large "indx truck size" and nEntriesInuse values, and a certain wLongsPerEntry value.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-30578 dos linux verified text · 1 KB

Code Audit Labs · 2007-09-12

MPlayer 1.0 - AVIHeader.C Heap Buffer Overflow

text exploit Source: Exploit-DB

source: https://www.securityfocus.com/bid/25648/info

MPlayer is prone to a heap-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input data.

Attackers can exploit this issue to execute arbitrary code with the privileges of the user running the application. Failed attacks will result in denial-of-service conditions.

MPlayer 1.0rc1 is vulnerable; other versions may also be affected.

NOTE: The vendor states that this issue is present only on operating systems with a 'calloc' implementation that is prone to an integer-overflow issue. 

The following proof-of-concept AVI header data is available:
69 6E 64 78 00 FF FF FF 01 11 64 73 20 00 00 10

indx truck size 0xffffff00
wLongsPerEntry 0x0001
BIndexSubType is 0x64
bIndexType is 0x73
nEntriesInuse is 0x10000020

OS impact

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`1.0~rc1-16.1`
sid	Fixed	`1.0~rc1-16.1`
forky	Fixed	`1.0~rc1-16.1`
bullseye	Fixed	`1.0~rc1-16.1`
bookworm	Fixed	`1.0~rc1-16.1`

References

https://security-tracker.debian.org/tracker/CVE-2007-4938

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.