PT-2008-6382 · Xine · Xine-Lib

Will Drewry · Published 2008-11-26 · Updated 2018-10-11 · CVE-2008-5240

CVSS v2.0: 4.3 (Medium)

Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

Name of the Vulnerable Software and Affected Versions: xine-lib versions 1.1.12 and earlier, including 1.1.15 and earlier

Description: The issue relies on an untrusted input value to determine memory allocation without checking the result. This affects the processing of certain elements and chunks, including the MATROSKA_ID_TR_CODECPRIVATE track entry element in demux_matroska.c, and PROP_TAG, MDPR_TAG, and CONT_TAG chunks in the real_parse_headers function in demux_real.c. This can allow remote attackers to cause a denial of service, such as a NULL pointer dereference and crash, or possibly execute arbitrary code via a crafted value.

Recommendations: For xine-lib versions 1.1.12 and earlier, including 1.1.15 and earlier, consider updating to a version that does not rely on untrusted input for memory allocation, or implement input validation to prevent crafted values from causing a denial of service or code execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
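
The pattern described above, shown as an added example that is not xine-lib code: a hypothetical chunk (4-byte big-endian size followed by payload) is read once without checks and once with the size bounded and the allocation result checked. The function names, the chunk layout and the 1 MiB cap are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CHUNK_PAYLOAD (1u << 20) /* assumed policy cap, not a xine-lib value */

/* Read a big-endian 32-bit size field. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Weak pattern: the size comes straight from the file, the allocation
 * result is never checked, and the copy trusts the declared size. */
uint8_t *read_payload_unchecked(const uint8_t *buf, size_t len) {
    uint32_t size = be32(buf);
    uint8_t *out = malloc(size);  /* can return NULL for a huge size */
    memcpy(out, buf + 4, size);   /* NULL dereference or read past buf */
    (void)len;                    /* input length is ignored entirely */
    return out;
}

/* Hardened form. Returns 0 and sets *out and *out_len on success,
 * -1 on malformed input, -2 on allocation failure. */
int read_payload_checked(const uint8_t *buf, size_t len,
                         uint8_t **out, size_t *out_len) {
    *out = NULL;
    *out_len = 0;
    if (buf == NULL || len < 4) return -1;                /* size field missing */
    uint32_t size = be32(buf);
    if (size == 0 || size > MAX_CHUNK_PAYLOAD) return -1; /* bound the request */
    if (size > len - 4) return -1;                        /* must fit the input */
    uint8_t *p = malloc(size);
    if (p == NULL) return -2;                             /* check the result */
    memcpy(p, buf + 4, size);
    *out = p;
    *out_len = size;
    return 0;
}

int main(void) {
    /* Constructed sample: declared size 0xffffffff, one payload byte. */
    const uint8_t crafted[] = {0xff, 0xff, 0xff, 0xff, 0x41};
    uint8_t *p;
    size_t n;
    int rc = read_payload_checked(crafted, sizeof crafted, &p, &n);
    printf("crafted chunk: rc=%d\n", rc);
    return rc == -1 ? 0 : 1;
}
```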

Buffer Overflow

Weakness Enumeration

Related Identifiers

CVE-2008-5240

Affected Products

Xine-Lib