This document describes the security content of QuickTime 7.0.3, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.
For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.
For information about the Apple Product Security PGP Key, see "How To Use The Apple Product Security PGP Key."
Where possible, CVE IDs are used to reference the vulnerabilities for further information.
To learn about other Security Updates, see "Apple Security Updates."
QuickTime
CVE-ID: CVE-2005-2753
Available for: Mac OS X v10.3.9 or later, Microsoft Windows XP, Microsoft Windows 2000
Impact: An integer overflow may be exploitable via remotely originated content
Description: A sign extension of an embedded "Pascal" style string could result in a very large memory copy. The update treats the string as having unsigned length. Credit to Piotr Bania (bania.piotr@gmail.com) for reporting this issue.
QuickTime
CVE-ID: CVE-2005-2755
Available for: Mac OS X v10.3.9 or later, Microsoft Windows XP, Microsoft Windows 2000
Impact: A denial of service against any application loading remotely-originated content
Description: A missing movie attribute is interpreted as an extension, but the absence of the extension is not flagged as an error, resulting in a de-reference of a NULL pointer. The update requires either the movie attribute or the extension to be present for a well-formed movie. Credit to Piotr Bania (bania.piotr@gmail.com) for reporting this issue.
QuickTime
CVE-ID: CVE-2005-2754
Available for: Mac OS X v10.3.9 or later, Microsoft Windows XP, Microsoft Windows 2000
Impact: An integer overflow may be exploitable via remotely originated content
Description: Improper movie attributes could result in a very large memory copy. The update checks for a valid non-zero size before copying. Credit to Piotr Bania (bania.piotr@gmail.com) for reporting this issue.
QuickTime
CVE-ID: CVE-2005-2756
Available for: Mac OS X v10.3.9 or later, Microsoft Windows XP, Microsoft Windows 2000
Impact: Compressed PICT data may overwrite application memory from remotely originated content
Description: Expansion of compressed PICT data could exceed the size of the destination buffer. The update prevents decompressed data from exceeding the destination buffer size. Credit to Piotr Bania (bania.piotr@gmail.com) for reporting this issue.