The CallComponentFunctionWithStorage function in Apple QuickTime before 7.5.5 does not properly handle a large entry in the sample_size_table in STSZ atoms, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie file.
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
| Link | Tags |
|---|---|
| http://www.securityfocus.com/bid/31086 | vdb entry patch |
| http://www.vupen.com/english/advisories/2008/2527 | vdb entry |
| http://lists.apple.com/archives/security-announce/2008/Oct/msg00000.html | vendor advisory |
| http://www.securityfocus.com/bid/31546 | vdb entry |
| http://lists.apple.com/archives/security-announce//2008/Sep/msg00000.html | vendor advisory |
| http://www.vupen.com/english/advisories/2008/2735 | vdb entry |
| http://securitytracker.com/id?1020841 | vdb entry patch |
| http://support.apple.com/kb/HT3189 | |
| https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16152 | vdb entry signature |
| http://secunia.com/advisories/32121 | third party advisory |
| http://marc.info/?l=bugtraq&m=122099929821288&w=2 | mailing list |
| http://support.apple.com/kb/HT3027 | patch |
| http://www.zerodayinitiative.com/advisories/ZDI-08-059/ | patch |
| http://secunia.com/advisories/31821 | third party advisory |