https://www.exploit-db.com/exploits/23896
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200405-036

MPlayer是一款基于Linux的电影播放程序。MPlayer由于不正确处理部分HTTP头字段数据，远程攻击者可以利用这个漏洞进行缓冲区溢出攻击，可能以进程权限在系统上执行任意指令。当从web服务器请求一文件，MPlayer会分配一缓冲区存储URL转换的字符串数据，由于没有进行充分边界检查，可导致缓冲区溢出，问题代码如下：libmpdemux/http.c:http_build_request(line178):if(http_hdr->uri==NULL)http_set_uri(http_hdr，”/”);else{uri=(char*)malloc(strlen(http_hdr->uri)*2);[1]if(uri==NULL){mp_msg(MSGT_NETWORK，MSGL_ERR，”Memoryallocationfailedn”);returnNULL;}url_escape_string(uri，http_hdr->uri);[2]URL转义字符串会使一个字符转换为3个，如空格由%22代替，因此[1]中的空间分配不够充分，导致[2]中发生溢出。

source: http://www.securityfocus.com/bid/10008/info

It has been reported that MPlayer is prone to a remote HTTP header buffer overflow vulnerability. This issue is due to a failure of the application to properly verify buffer bounds on the 'Location' HTTP header during parsing.

Successful exploitation would immediately produce a denial of service condition in the affected process. This issue may also be leveraged to execute code on the affected system within the security context of the user running the vulnerable process. 

Issuing the following command will cause the affected process to crash:
$ mplayer http://`perl -e 'print """x1024;'`

来源:US-CERTVulnerabilityNote:VU#723910
名称:VU#723910
链接:http://www.kb.cert.org/vuls/id/723910
来源:XF
名称:mplayer-header-bo(15675)
链接:http://xforce.iss.net/xforce/xfdb/15675
来源:BID
名称:10008
链接:http://www.securityfocus.com/bid/10008
来源:BUGTRAQ
名称:20040330HeapoverflowinMPlayer
链接:http://www.securityfocus.com/archive/1/359025
来源:GENTOO
名称:GLSA-200403-13
链接:http://security.gentoo.org/glsa/glsa-200403-13.xml
来源:SECUNIA
名称:11259
链接:http://secunia.com/advisories/11259
来源:BUGTRAQ
名称:20040330MPlayerSecurityAdvisory#002-HTTPparsingvulnerability
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=108067020624076&w;=2
来源:www.mplayerhq.hu
链接:http://www.mplayerhq.hu/homepage/design6/news.html
来源:MANDRAKE
名称:MDKSA-2004:026
链接:http://www.mandriva.com/security/advisories?name=MDKSA-2004:026