Heap-based buffer overflow in the VMnc media codec in vmnc.dll in VMware Movie Decoder before 6.5.3 build 185404, VMware Workstation 6.5.x before 6.5.3 build 185404, VMware Player 2.5.x before 2.5.3 build 185404, and VMware ACE 2.5.x before 2.5.3 build 185404 on Windows might allow remote attackers to execute arbitrary code via a video file with crafted dimensions (aka framebuffer parameters).
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
| Link | Tags |
|---|---|
| http://lists.vmware.com/pipermail/security-announce/2009/000065.html | mailing list patch |
| http://www.securityfocus.com/bid/36290 | vdb entry |
| http://secunia.com/secunia_research/2009-25/ | vendor advisory |
| http://www.securityfocus.com/archive/1/506286/100/0/threaded | mailing list |
| http://www.vupen.com/english/advisories/2009/2553 | vdb entry patch vendor advisory |
| http://secunia.com/advisories/34938 | third party advisory vendor advisory |
| http://www.vmware.com/security/advisories/VMSA-2009-0012.html | patch vendor advisory |