The pnm_get_chunk function in xine 0.99.2 and earlier, and other packages such as MPlayer that use the same code, does not properly verify that the chunk size is less than the PREAMBLE_SIZE, which causes a read operation with a negative length that leads to a buffer overflow via (1) RMF_TAG, (2) DATA_TAG, (3) PROP_TAG, (4) MDPR_TAG, and (5) CONT_TAG values, a different vulnerability than CVE-2004-1187.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Mplayer | Mplayer | 0.90 (including) | 0.90 (including) |
| Mplayer | Mplayer | 0.90_pre (including) | 0.90_pre (including) |
| Mplayer | Mplayer | 0.90_rc (including) | 0.90_rc (including) |
| Mplayer | Mplayer | 0.90_rc4 (including) | 0.90_rc4 (including) |
| Mplayer | Mplayer | 0.91 (including) | 0.91 (including) |
| Mplayer | Mplayer | 0.92 (including) | 0.92 (including) |
| Mplayer | Mplayer | 0.92.1 (including) | 0.92.1 (including) |
| Mplayer | Mplayer | 0.92_cvs (including) | 0.92_cvs (including) |
| Mplayer | Mplayer | 1.0_pre1 (including) | 1.0_pre1 (including) |
| Mplayer | Mplayer | 1.0_pre2 (including) | 1.0_pre2 (including) |
| Mplayer | Mplayer | 1.0_pre3 (including) | 1.0_pre3 (including) |
| Mplayer | Mplayer | 1.0_pre3try2 (including) | 1.0_pre3try2 (including) |
| Mplayer | Mplayer | 1.0_pre4 (including) | 1.0_pre4 (including) |
| Mplayer | Mplayer | 1.0_pre5 (including) | 1.0_pre5 (including) |
| Mplayer | Mplayer | 1.0_pre5try1 (including) | 1.0_pre5try1 (including) |
| Mplayer | Mplayer | 1.0_pre5try2 (including) | 1.0_pre5try2 (including) |
| Mplayer | Mplayer | head_cvs (including) | head_cvs (including) |
| Xine | Xine | 0.9.8 (including) | 0.9.8 (including) |
| Xine | Xine | 0.9.13 (including) | 0.9.13 (including) |
| Xine | Xine | 0.9.18 (including) | 0.9.18 (including) |
| Xine | Xine | 1_alpha (including) | 1_alpha (including) |
| Xine | Xine | 1_beta1 (including) | 1_beta1 (including) |
| Xine | Xine | 1_beta2 (including) | 1_beta2 (including) |
| Xine | Xine | 1_beta3 (including) | 1_beta3 (including) |
| Xine | Xine | 1_beta4 (including) | 1_beta4 (including) |
| Xine | Xine | 1_beta5 (including) | 1_beta5 (including) |
| Xine | Xine | 1_beta6 (including) | 1_beta6 (including) |
| Xine | Xine | 1_beta7 (including) | 1_beta7 (including) |
| Xine | Xine | 1_beta8 (including) | 1_beta8 (including) |
| Xine | Xine | 1_beta9 (including) | 1_beta9 (including) |
| Xine | Xine | 1_beta10 (including) | 1_beta10 (including) |
| Xine | Xine | 1_beta11 (including) | 1_beta11 (including) |
| Xine | Xine | 1_beta12 (including) | 1_beta12 (including) |
| Xine | Xine | 1_rc0 (including) | 1_rc0 (including) |
| Xine | Xine | 1_rc0a (including) | 1_rc0a (including) |
| Xine | Xine | 1_rc1 (including) | 1_rc1 (including) |
| Xine | Xine | 1_rc2 (including) | 1_rc2 (including) |
| Xine | Xine | 1_rc3 (including) | 1_rc3 (including) |
| Xine | Xine | 1_rc3a (including) | 1_rc3a (including) |
| Xine | Xine | 1_rc3b (including) | 1_rc3b (including) |
| Xine | Xine | 1_rc4 (including) | 1_rc4 (including) |
| Xine | Xine | 1_rc5 (including) | 1_rc5 (including) |
| Xine | Xine | 1_rc6 (including) | 1_rc6 (including) |
| Xine | Xine | 1_rc6a (including) | 1_rc6a (including) |
| Xine | Xine | 1_rc7 (including) | 1_rc7 (including) |
| Xine | Xine | 1_rc8 (including) | 1_rc8 (including) |
| Xine-lib | Xine | 0.9.8 (including) | 0.9.8 (including) |
| Xine-lib | Xine | 0.9.13 (including) | 0.9.13 (including) |
| Xine-lib | Xine | 0.99 (including) | 0.99 (including) |
| Xine-lib | Xine | 1_alpha (including) | 1_alpha (including) |
| Xine-lib | Xine | 1_beta1 (including) | 1_beta1 (including) |
| Xine-lib | Xine | 1_beta2 (including) | 1_beta2 (including) |
| Xine-lib | Xine | 1_beta3 (including) | 1_beta3 (including) |
| Xine-lib | Xine | 1_beta4 (including) | 1_beta4 (including) |
| Xine-lib | Xine | 1_beta5 (including) | 1_beta5 (including) |
| Xine-lib | Xine | 1_beta6 (including) | 1_beta6 (including) |
| Xine-lib | Xine | 1_beta7 (including) | 1_beta7 (including) |
| Xine-lib | Xine | 1_beta8 (including) | 1_beta8 (including) |
| Xine-lib | Xine | 1_beta9 (including) | 1_beta9 (including) |
| Xine-lib | Xine | 1_beta10 (including) | 1_beta10 (including) |
| Xine-lib | Xine | 1_beta11 (including) | 1_beta11 (including) |
| Xine-lib | Xine | 1_beta12 (including) | 1_beta12 (including) |
| Xine-lib | Xine | 1_rc0 (including) | 1_rc0 (including) |
| Xine-lib | Xine | 1_rc1 (including) | 1_rc1 (including) |
| Xine-lib | Xine | 1_rc2 (including) | 1_rc2 (including) |
| Xine-lib | Xine | 1_rc3 (including) | 1_rc3 (including) |
| Xine-lib | Xine | 1_rc3a (including) | 1_rc3a (including) |
| Xine-lib | Xine | 1_rc3b (including) | 1_rc3b (including) |
| Xine-lib | Xine | 1_rc3c (including) | 1_rc3c (including) |
| Xine-lib | Xine | 1_rc4 (including) | 1_rc4 (including) |
| Xine-lib | Xine | 1_rc5 (including) | 1_rc5 (including) |
| Xine-lib | Xine | 1_rc6 (including) | 1_rc6 (including) |
| Xine-lib | Xine | 1_rc6a (including) | 1_rc6a (including) |
| Xine-lib | Xine | 1_rc7 (including) | 1_rc7 (including) |