[FFmpeg-soc] [soc]: r532 - matroska/matroskaenc.c

Michael Niedermayer michaelni at gmx.at
Sun Jul 29 02:43:50 CEST 2007


Hi

On Sun, Jul 29, 2007 at 02:07:46AM +0200, Luca Barbato wrote:
> Michael Niedermayer wrote:
> > most stupid idea of all
> > the struct contains pointers, so you now leak very useful information for
> > an exploit
> 
> a _SUM_ of pointers isn't a useful information. 

your comments are not useful ...

just try
#include <stdio.h>
#include <stdlib.h>

int main(void){
    int i;
    for(i=0; i<10; i++){
        void *p= malloc(100*i*i+1);   /* allocation sizes grow with i */
        printf("%p\n", p);            /* print the heap address malloc returned */
    }
    return 0;
}

2 runs will give you the exact same list of pointers in a normal
gnu/ulrich drepper libc based system

if you now use exec shield or grsec or similar you should see the
VERY same pointers just with a constant added to them, that is the
same constant to all, the constant would just differ from process to
process
you can now combine these pointers in any way you want, you don't gain
anything by this the result still leaks the constant in a way which an
11-year-old could recover


> more if it is used with
> the current time as a seed for a random number generator....

well an attacker trying to exploit ffmpeg running on a remote
server (maybe one of these "encode random video to flv" services)
knows the time when he does the attack so its addition has zero effect

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

When the tyrant has disposed of foreign enemies by conquest or treaty, and
there is nothing more to fear from them, then he is always stirring up
some war or other, in order that the people may require a leader. -- Plato
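The argument above, worked through as an added example (not code from the mail or from FFmpeg): a deterministic allocator hands every process the same sequence of heap offsets, ASLR or exec-shield shifts them all by one per-process constant, and a sum of those pointers is a linear function of that constant. The offsets and bases below are constructed sample values, and the function names are my own.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not from the mail. Models the situation described there:
 * each process sees the same sequence of heap offsets from a deterministic
 * allocator, shifted by a single per-process constant (the randomised base).
 * The offsets are constructed sample values, not real malloc output. */
#define NPTRS 10
static const uint64_t fixed_offsets[NPTRS] = {
    0x0010, 0x0090, 0x0230, 0x0550, 0x0b50,
    0x14d0, 0x1ff0, 0x2f10, 0x41f0, 0x57b0
};

/* The proposed "seed": a sum of all pointers the process allocated. */
static uint64_t pointer_sum(uint64_t base)
{
    uint64_t sum = 0;
    for (int i = 0; i < NPTRS; i++)
        sum += base + fixed_offsets[i];
    return sum;
}

/* Anyone who can run the same binary against the same libc knows the fixed
 * offsets, so the base (the only secret in the sum) falls straight out. */
static uint64_t recover_base(uint64_t leaked_sum)
{
    uint64_t known = 0;
    for (int i = 0; i < NPTRS; i++)
        known += fixed_offsets[i];
    return (leaked_sum - known) / NPTRS;
}

/* Two processes' sums differ by exactly NPTRS times the difference of their
 * bases: the sum carries no entropy beyond the base itself, and adding a
 * publicly known value such as the current time does not change that. */
static int sum_difference_is_linear(uint64_t base_a, uint64_t base_b)
{
    uint64_t d_sum = pointer_sum(base_b) - pointer_sum(base_a);
    return d_sum == NPTRS * (base_b - base_a);
}

int main(void)
{
    uint64_t base_a = 0xb7500000ULL;  /* constructed per-process bases */
    uint64_t base_b = 0xb7f30000ULL;

    printf("process A: sum 0x%llx -> base 0x%llx\n",
           (unsigned long long)pointer_sum(base_a),
           (unsigned long long)recover_base(pointer_sum(base_a)));
    printf("process B: sum 0x%llx -> base 0x%llx\n",
           (unsigned long long)pointer_sum(base_b),
           (unsigned long long)recover_base(pointer_sum(base_b)));
    printf("sum difference is linear in the base: %s\n",
           sum_difference_is_linear(base_a, base_b) ? "yes" : "no");
    return 0;
}
```

The takeaway for a seed: anything derived from addresses has at most the entropy of the randomised base and, worse, exposes that base to whoever sees the derived value; a seed should come from the operating system's random source instead.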