CVE-2005-2753
Description
Integer overflow in Apple QuickTime before 7.0.3 allows user-assisted attackers to execute arbitrary code via a crafted MOV file that causes a sign extension of the length element in a Pascal style string.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
8cpe:2.3:a:apple:quicktime:6.5.2:*:mac_os_x_10.2:*:*:*:*:*+ 7 more
- cpe:2.3:a:apple:quicktime:6.5.2:*:mac_os_x_10.2:*:*:*:*:*
- cpe:2.3:a:apple:quicktime:6.5.2:*:mac_os_x_10.3:*:*:*:*:*
- cpe:2.3:a:apple:quicktime:7.0.1:*:mac_os_x_10.3:*:*:*:*:*
- cpe:2.3:a:apple:quicktime:7.0.1:*:mac_os_x_10.4:*:*:*:*:*
- cpe:2.3:a:apple:quicktime:7.0.1:*:windows:*:*:*:*:*
- cpe:2.3:a:apple:quicktime:7.0:*:windows:*:*:*:*:*
- cpe:2.3:a:apple:quicktime:*:*:windows:*:*:*:*:*range: <=7.0.2
- (no CPE)range: <7.0.3
Patches
Vulnerability mechanics
Root cause
"Integer overflow caused by sign extension of the length element in a Pascal-style string when parsing a crafted MOV file."
Attack vector
An attacker crafts a malicious MOV file containing a Pascal-style string whose length element triggers an integer overflow via sign extension. The user must open the file with QuickTime (user-assisted attack). The overflow corrupts memory in a way that can lead to arbitrary code execution under the privileges of the current user [ref_id=1].
Affected code
The advisory does not specify exact file or function names. The vulnerability resides in Apple QuickTime versions before 7.0.3 when parsing a crafted MOV file, specifically in the handling of a Pascal-style string length element that is subject to a sign extension flaw [ref_id=1].
What the fix does
Apple addressed the issue in QuickTime 7.0.3. The advisory does not include a patch diff, but the fix corrects the sign extension of the length element in Pascal-style strings so that the integer overflow no longer occurs [ref_id=1]. Users should update to QuickTime 7.0.3 or later.
Preconditions
- inputUser must open a crafted MOV file with Apple QuickTime
- configQuickTime version must be earlier than 7.0.3
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
8- securitytracker.com/idnvdPatchVendor Advisory
- www.osvdb.org/20475nvdPatch
- pb.specialised.info/all/adv/quicktime-mov-io1-adv.txtnvdVendor Advisory
- secunia.com/advisories/17428nvdVendor Advisory
- www.vupen.com/english/advisories/2005/2293nvdVendor Advisory
- docs.info.apple.com/article.htmlnvd
- www.securityfocus.com/archive/1/415712/30/0/threadednvd
- www.securityfocus.com/bid/15306nvd
News mentions
0No linked articles in our index yet.