In an old post I talked about a bug able to crash QuickTime on startup; here's a QuickTime crash that occurs when you close the application. The buggy code is something like:

    movzx edx, ax
    push  edx        ; lpData
    push  1          ; dwType (REG_SZ)
    push  0          ; Reserved
    push  eax        ; lpValueName
    push  ebp        ; hKey
    call  ds:RegSetValueExW
Do you see anything strange? Have a look at the RegSetValueExW parameters (the sixth one, cbData, is pushed before this excerpt). The one passed last in the snippet is declared as:

    __in_opt const BYTE *lpData

It is a pointer to the value data (a string here, since dwType is 1, REG_SZ). Now pay attention to the instruction before the pushes, movzx edx, ax: it zero-extends the 16-bit ax register, so edx, and with it the lpData argument, carries only the low 16 bits of the pointer. RegSetValueExW then tries to read cbData bytes from an address below 0x10000, a range Windows keeps unmapped, and the process crashes. I don't know anything about the value stored inside ax, but I'm not interested in it.
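As an added illustration, not code from the post or from QuickTime, the C program below models the bug so it can be run anywhere. fake_RegSetValueExW is an assumed stand-in for the Win32 API: instead of faulting on a bad lpData it reports ERROR_NOACCESS when lpData..lpData+cbData does not lie inside the buffer the caller really owns. Two callers then write the same constructed string, one after the movzx-style truncation (buggy_set_string) and one with the full pointer (fixed_set_string); pointer_looks_truncated is the quick check you would apply to the faulting call's lpData argument in a crash dump. The key structure, the value names and the sample string are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Assumed stand-in for the Win32 registry API, so the example runs without
 * Windows. Where the real RegSetValueExW would access-violate on a bad lpData,
 * this one returns ERROR_NOACCESS if [lpData, lpData+cbData) is not inside the
 * buffer the caller owns (passed as owned/owned_len for the check). */
typedef long LSTATUS;
#define ERROR_SUCCESS            0L
#define ERROR_INVALID_PARAMETER 87L
#define ERROR_NOACCESS         998L
#define REG_SZ 1

struct fake_key {          /* constructed: one value slot standing in for an HKEY */
    wchar_t name[64];
    wchar_t data[64];
    int     writes;
};

static LSTATUS fake_RegSetValueExW(struct fake_key *hKey, const wchar_t *lpValueName,
                                   uint32_t Reserved, uint32_t dwType,
                                   const uint8_t *lpData, uint32_t cbData,
                                   const uint8_t *owned, size_t owned_len)
{
    uintptr_t lo = (uintptr_t)owned, hi = lo + owned_len;
    uintptr_t p  = (uintptr_t)lpData;   /* compared as integers: never dereferenced if bad */

    if (hKey == NULL || lpValueName == NULL || Reserved != 0 || dwType != REG_SZ)
        return ERROR_INVALID_PARAMETER;
    if (cbData > sizeof hKey->data || p < lo || p + cbData > hi)
        return ERROR_NOACCESS;          /* the real API would crash here */

    wcsncpy(hKey->name, lpValueName, 63);
    hKey->name[63] = L'\0';
    memcpy(hKey->data, lpData, cbData);
    hKey->writes++;
    return ERROR_SUCCESS;
}

/* The check a reviewer applies to the faulting call: a data pointer whose
 * upper bits are all zero is the signature of the movzx truncation. */
static int pointer_looks_truncated(const uint8_t *p)
{
    return ((uintptr_t)p >> 16) == 0;
}

/* Caller with the bug from the post: the pointer to the value goes through
 * `movzx edx, ax`, so only its low 16 bits reach lpData. */
static LSTATUS buggy_set_string(struct fake_key *key, const wchar_t *name,
                                const wchar_t *value)
{
    uint32_t  cb  = (uint32_t)((wcslen(value) + 1) * sizeof(wchar_t));
    uintptr_t edx = (uintptr_t)(uint16_t)(uintptr_t)value;   /* movzx edx, ax */
    return fake_RegSetValueExW(key, name, 0, REG_SZ, (const uint8_t *)edx, cb,
                               (const uint8_t *)value, cb);
}

/* Corrected caller: the whole pointer is passed as lpData. */
static LSTATUS fixed_set_string(struct fake_key *key, const wchar_t *name,
                                const wchar_t *value)
{
    uint32_t cb = (uint32_t)((wcslen(value) + 1) * sizeof(wchar_t));
    return fake_RegSetValueExW(key, name, 0, REG_SZ, (const uint8_t *)value, cb,
                               (const uint8_t *)value, cb);
}

int main(void)
{
    struct fake_key key = {{0}, {0}, 0};
    const wchar_t value[] = L"constructed sample value";   /* constructed input */

    LSTATUS a = buggy_set_string(&key, L"SampleName", value);
    printf("buggy caller: status %ld, writes %d, lpData truncated: %d\n",
           a, key.writes, pointer_looks_truncated((const uint8_t *)(uintptr_t)(uint16_t)(uintptr_t)value));

    LSTATUS b = fixed_set_string(&key, L"SampleName", value);
    printf("fixed caller: status %ld, writes %d\n", b, key.writes);
    return 0;
}
```

The buggy caller never reaches the copy: the truncated address is always below the real buffer (the check assumes the string lives above 0x10000, which holds for any stack or heap address on a normal process), so the stand-in rejects it exactly where the real API would fault. Swapping the mock for the real RegSetValueExW on Windows would turn that rejection back into the crash the post describes.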
The crash occurs only under particular conditions. Again, you have to change something inside the QTPlayerSession XML file (located in "Application Data/Apple Computer/QuickTime"). Here's an example of a possible list stored inside the XML file:
QuickTime parses the file and creates the entries under the right registry key. The snippet posted above is not executed under normal conditions, but it is possible to reach it by cheating a little. Try modifying the file so that it contains two identical entries:
Run QuickTime, then close it: the program crashes while writing that value, because RegSetValueExW receives the truncated pointer.
(Un)fortunately it's not possible to exploit the bug, and due to the nature of the bug I don't think it will cause problems for users; it's only an annoying box to close. If you get a crash like that, you can try looking at the XML file…