Multiple integer overflows in xine-lib 1.1.12, and other 1.1.15 and earlier versions, allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via (1) crafted width and height values that are not validated by the mymng_process_header function in demux_mng.c before use in an allocation calculation or (2) crafted current_atom_size and string_size values processed by the parse_reference_atom function in demux_qt.c for an RDRF_ATOM string.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Xine | Xine | * | 1.1.5 (including) |
| Xine | Xine | 0.9.13 (including) | 0.9.13 (including) |
| Xine | Xine | 1-beta1 (including) | 1-beta1 (including) |
| Xine | Xine | 1-beta10 (including) | 1-beta10 (including) |
| Xine | Xine | 1-beta11 (including) | 1-beta11 (including) |
| Xine | Xine | 1-beta12 (including) | 1-beta12 (including) |
| Xine | Xine | 1-beta2 (including) | 1-beta2 (including) |
| Xine | Xine | 1-beta3 (including) | 1-beta3 (including) |
| Xine | Xine | 1-beta4 (including) | 1-beta4 (including) |
| Xine | Xine | 1-beta5 (including) | 1-beta5 (including) |
| Xine | Xine | 1-beta6 (including) | 1-beta6 (including) |
| Xine | Xine | 1-beta7 (including) | 1-beta7 (including) |
| Xine | Xine | 1-beta8 (including) | 1-beta8 (including) |
| Xine | Xine | 1-beta9 (including) | 1-beta9 (including) |
| Xine | Xine | 1-rc0a (including) | 1-rc0a (including) |
| Xine | Xine | 1-rc1 (including) | 1-rc1 (including) |
| Xine | Xine | 1-rc2 (including) | 1-rc2 (including) |
| Xine | Xine | 1-rc3 (including) | 1-rc3 (including) |
| Xine | Xine | 1-rc3a (including) | 1-rc3a (including) |
| Xine | Xine | 1-rc3b (including) | 1-rc3b (including) |
| Xine | Xine | 1-rc3c (including) | 1-rc3c (including) |
| Xine | Xine | 1-rc4 (including) | 1-rc4 (including) |
| Xine | Xine | 1-rc4a (including) | 1-rc4a (including) |
| Xine | Xine | 1-rc5 (including) | 1-rc5 (including) |
| Xine | Xine | 1-rc6a (including) | 1-rc6a (including) |
| Xine | Xine | 1-rc7 (including) | 1-rc7 (including) |
| Xine | Xine | 1-rc8 (including) | 1-rc8 (including) |
| Xine | Xine | 1.0 (including) | 1.0 (including) |
| Xine | Xine | 1.0.1 (including) | 1.0.1 (including) |
| Xine | Xine | 1.0.2 (including) | 1.0.2 (including) |
| Xine | Xine | 1.0.3a (including) | 1.0.3a (including) |
| Xine | Xine | 1.1.0 (including) | 1.1.0 (including) |
| Xine | Xine | 1.1.1 (including) | 1.1.1 (including) |
| Xine | Xine | 1.1.2 (including) | 1.1.2 (including) |
| Xine | Xine | 1.1.3 (including) | 1.1.3 (including) |
| Xine | Xine | 1.1.4 (including) | 1.1.4 (including) |
| Xine | Xine | 1.1.10.1 (including) | 1.1.10.1 (including) |
| Xine | Xine | 1.1.11 (including) | 1.1.11 (including) |
| Xine | Xine | 1.1.11.1 (including) | 1.1.11.1 (including) |