
Subtitle files can hack your computer

Name: Anonymous 2017-05-24 10:23

http://blog.checkpoint.com/2017/05/23/hacked-in-translation/
Was this brought on us by using media players made in C?

Name: Cudder !cXCudderUE 2017-05-24 10:55

Blame the programmers, not the tools.

Name: Anonymous 2017-05-24 11:38

This is why you should always watch anime in Japanese.

Name: Anonymous 2017-05-24 13:24

Thankfully I only watch animu through youtube and video sites like vimeo. This also saves me gigabytes of hard drive space.

Name: Anonymous 2017-05-24 13:34

>>4
Or you can download then delete?
This reasoning is quite faulty

Name: Anonymous 2017-05-24 19:03

>>5
Why do I need to download something I will watch once?

Name: Anonymous 2017-05-24 19:29

>>2
Blame the programmers for using the wrong tools.

Name: Anonymous 2017-05-24 19:30

>>7
I agree.
They should have used LISP and Ruby to make media players instead.

Name: Anonymous 2017-05-24 19:53

>>8
> LISP and Ruby
You're right. C is the only compiled language in existence. Everything else is dynamically typed and interpreted.

Name: Anonymous 2017-05-24 20:04

>>9
What others are there?

Name: Anonymous 2017-05-24 20:10

There is a lisp video decoder but it's pretty bad https://github.com/varjagg/cl-video

Name: Anonymous 2017-05-24 23:22

>>6
Better quality and you're not bound by internet connection

Name: Anonymous 2017-05-25 12:57

>>12
>Quality
Anime is limited color palette, low-contrast content. There isn't much detail there in the first place.
>not bound by
I don't have a quota like in some third world country and can download anything 24/7

Name: Anonymous 2017-05-25 13:11

>>13
It may be colored line art, but it's still line art and that isn't low contrast.

Name: Anonymous 2017-05-25 13:13

>>13
What is the > supposed to mean?

Name: Anonymous 2017-05-25 13:49

>>14
>line art
This isn't art or some exotic style. Anime is mass produced, factory stamped low-culture media, designed to be easy to draw en masse. You're probably thinking of manga sources, which could be considered line art.

>>15
>supposed
https://en.wikipedia.org/wiki/Usenet_quoting

Name: Anonymous 2017-05-25 14:36

>>16
This is incorrect quoting, it would need to have a space afterwards.

Name: Anonymous 2017-05-25 14:55

>>16
Doesn't look the same

Name: Anonymous 2017-05-25 16:40

>>16
I'm talking about contrast ratios in regard to how it compresses. It has nothing to do with stylistic issues.

Name: Anonymous 2017-05-25 23:47

Lucky Star is the pinnacle of modern art.

Name: Anonymous 2017-05-26 15:47

I can't find the vulnerability this attack uses. All that page says is "Beware! text files with subtitles can hack your computer" and links you to some sponsors media players and a video of someone capturing a screen two times.

All the other websites I found just copy the text and link to that page.

You can see OP in the comments there talking shit about C and promoting those badly written programs.

What a fucking low energy beta media player faggot cuck.

Name: Anonymous 2017-05-26 16:22

>>13
> I don't have a quota like in some third world country and can download anything 24/7
Then wouldn't that be more of a reason to download it?
Downloading it means a bigger file size and better quality.

Name: Anonymous 2017-05-26 16:31

>>21
The code for it is not disclosed, but the vulnerability details are available.
Search for CVE-2017-8310, CVE-2017-8311, CVE-2017-8312 and CVE-2017-8313.

CVE-2017-8310
Heap out-of-bound read in CreateHtmlSubtitle in VideoLAN VLC 2.2.x due to missing check of string termination allows attackers to read data beyond allocated memory and potentially crash the process (causing a denial of service) via a crafted subtitles file.
http://git.videolan.org/?p=vlc/vlc-2.2.git;a=blobdiff;f=modules/codec/subsdec.c;h=addd8c71f30d53558fffd19059b374be45cf0f8e;hp=1b4276e299a2a6668047231d29ac705ae93076ba;hb=7cac839692ab79dbfe5e4ebd4c4e37d9a8b1b328;hpb=3477dba3d506de8d95bccef2c6b67861188f6c29

CVE-2017-8311
Potential heap based buffer overflow in ParseJSS in VideoLAN VLC before 2.2.5 due to skipping NULL terminator in an input string allows attackers to execute arbitrary code via a crafted subtitles file.
http://git.videolan.org/?p=vlc.git;a=commitdiff;h=775de716add17322f24b476439f903a829446eb6

CVE-2017-8312
Heap out-of-bound read in ParseJSS in VideoLAN VLC due to missing check of string length allows attackers to read heap uninitialized data via a crafted subtitles file.
http://git.videolan.org/?p=vlc.git;a=blobdiff;f=modules/demux/subtitle.c;h=5e4fcdb7f25b2819f5441156c7c0ea2a7d112ca3;hp=2a75fbfb7c3f56b24b2e4498bbb8fe0aa2575974;hb=611398fc8d32f3fe4331f60b220c52ba3557beaa;hpb=075bc7169b05b004fa0250e4a4ce5516b05487a9

CVE-2017-8313
Heap out-of-bound read in ParseJSS in VideoLAN VLC before 2.2.5 due to missing check of string termination allows attackers to read data beyond allocated memory and potentially crash the process via a crafted subtitles file.
http://git.videolan.org/?p=vlc/vlc-2.2.git;a=commitdiff;h=05b653355ce303ada3b5e0e645ae717fea39186c
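
The bug class named in the CVE-2017-8311 and CVE-2017-8313 descriptions above (a parser stepping past the string terminator), as an added example that is not part of the original post and is not VLC's code. The functions `scan_unchecked` and `scan_checked`, the backslash-escape grammar and the `arena` input are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed input: a line ending in a lone backslash, followed in the same
 * array by bytes that are not part of the string. Keeping both in one array
 * means the overrun below stays inside memory this program owns. */
static const char arena[] = "ab\\\0" "ADJACENT";

/* Flawed scanner for a hypothetical grammar where '\' escapes the next byte:
 * it always skips two bytes after a backslash, so a backslash in the last
 * position steps over the terminator. Returns the index where it stopped. */
size_t scan_unchecked(const char *s)
{
    size_t i = 0;
    while (s[i] != '\0') {
        if (s[i] == '\\')
            i += 2;             /* no check that s[i + 1] is not '\0' */
        else
            i++;
    }
    return i;
}

/* Corrected scanner: the escape consumes a second byte only if one exists. */
size_t scan_checked(const char *s)
{
    size_t i = 0;
    while (s[i] != '\0') {
        if (s[i] == '\\' && s[i + 1] != '\0')
            i += 2;
        else
            i++;
    }
    return i;
}

int main(void)
{
    printf("strlen         = %zu\n", strlen(arena));
    printf("scan_unchecked = %zu\n", scan_unchecked(arena));
    printf("scan_checked   = %zu\n", scan_checked(arena));
    return 0;
}
```

The unchecked scanner stops only at the second terminator, after walking through every byte that follows the string; on a heap buffer with nothing owned after the terminator, the same loop is an out-of-bounds read.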

Name: Anonymous 2017-05-26 17:36

>>23
NO MOM YOU DON'T UNDERSTAND, NULL-TERMINATED STRINGS ARE OMG OPTIMIZED AND EVERYTHING ELSE IS SLOW AS FUCK

Name: Anonymous 2017-05-26 17:38

>>23
> CreateHtmlSubtitle
> ParseJSS
Enterprise Quality.

Name: Anonymous 2017-05-26 17:47

>>24
You can't program in C, we got it. You can stop shitposting now.

Name: Anonymous 2017-05-26 19:57

>>26
If anyone can't program in C, it's the VLC developers, obviously.

Name: Anonymous 2017-05-26 21:16

>>25
That's an inconsistent naming convention, by the way. It's PascalCase, but the second capitalizes acronyms while the first does not.

Name: Anonymous 2017-05-26 21:29

>>24
What if a subtitle is more than 4 GB long? Your length-prefixed strings won't work. You wasted those 3 extra bytes for nothing.

Name: Anonymous 2017-05-26 22:34

>>29
Ain't nobody readin no damn 4GB of subtitles.

Name: Anonymous 2017-05-26 22:41

>>27
But if you read the article, it said VLC isn't the only media player affected by it.

Name: Anonymous 2017-05-26 23:57

>>31
Different bugs.

Name: Anonymous 2017-05-27 0:23

>>32
Different bugs, different media players, but they all involve subtitles and remote code execution.

Name: Cudder !cXCudderUE 2017-05-27 3:07

>>25,28
Acronyms should always be capitalised. Seeing "Html" and "Xml" and the like makes me physically cringe.

That said, PascalCase-only looks retarded anyway.

Name: Anonymous 2017-05-27 4:49

>>34
What's your preferred naming style then?

Name: Anonymous 2017-05-27 9:04

With C/C++ any input data can contain an exploit. It is always some memory corruption nonsense only possible with C/C++.

Name: Anonymous 2017-05-27 16:58

>>34
> Seeing "Html" and "Xml" and the like makes me physically cringe.
You let stupid people on the Internet make you ``physically cringe''? You must be one hell of a rational person.

Name: Anonymous 2017-05-28 1:43

>>36
Give me an example of input that would cause memory corruption in this C program:

    #include <stdio.h>

    int main(void)
    {
        char buf[32];
        fread(buf, 1, 31, stdin);
        printf("You said %s!\n", buf);
        return(0);
    }

Name: Anonymous 2017-05-28 7:23

>>38
buf is not nul-terminated

Name: Anonymous 2017-05-28 8:31

>>38
You fail to validate the input to be proper characters. Now anyone can garble your terminal output by setting termcap or even execute some OS command:
https://en.wikipedia.org/wiki/ANSI_escape_code#Non-CSI_codes
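
An added example, not part of any post in the thread: the program from >>38 reworked so that it addresses both replies, terminating the buffer at the byte count `fread` returns and replacing non-printable bytes before they reach the terminal. The helper names `sanitize_into` and `read_sanitized` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Copy at most cap-1 of the n bytes in src into dst, replace every byte
 * outside printable ASCII (ESC, newline, other control bytes, high bytes)
 * with '?', and always NUL-terminate. Returns the number of bytes stored. */
size_t sanitize_into(char *dst, size_t cap, const unsigned char *src, size_t n)
{
    size_t i;
    if (cap == 0)
        return 0;
    if (n > cap - 1)
        n = cap - 1;
    for (i = 0; i < n; i++)
        dst[i] = (src[i] >= 0x20 && src[i] <= 0x7e) ? (char)src[i] : '?';
    dst[n] = '\0';
    return n;
}

/* Read up to cap-1 bytes and terminate at the count fread() reports,
 * instead of relying on whatever the buffer held before the call. */
size_t read_sanitized(FILE *in, char *buf, size_t cap)
{
    unsigned char raw[256];
    size_t want, got;
    if (cap == 0)
        return 0;
    want = (cap - 1 < sizeof raw) ? cap - 1 : sizeof raw;
    got = fread(raw, 1, want, in);
    return sanitize_into(buf, cap, raw, got);
}

int main(void)
{
    char buf[32];
    read_sanitized(stdin, buf, sizeof buf);
    printf("You said %s!\n", buf);
    return 0;
}
```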
