[FFmpeg-trac] #1201(FFplay:new): Write Access Violation
FFmpeg
trac at avcodec.org
Sat Apr 14 02:10:24 CEST 2012
#1201: Write Access Violation
----------------------------------+---------------------------------------
Reporter: daybreak | Type: defect
Status: new | Priority: critical
Component: FFplay | Version: unspecified
Keywords: | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
----------------------------------+---------------------------------------
This is a write access violation within FFPlay.exe.
(cbac.2804): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Module load completed but symbols could not be loaded for
image00000000`00400000
image00000000_00400000+0x2b909:
0042b909 0f7f0e movq mmword ptr [esi],mm1
ds:002b:02203000=????????????????
0:000:x86> $<dbgcomm.txt
0:000:x86> !load winext\msec.dll
0:000:x86> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at
image00000000_00400000+0x000000000002b909 (Hash=0x67613208.0x0729135c)
User mode write access violations that are not near NULL are exploitable.
0:000:x86> q
quit:
mm1 is equal to "0080808000800080" at this point in execution. The
attacker has a fair amount of control over the value in esi, which
appears to come from offset 0x17dbb8 in the mkv file. This is a write of
"0080808000800080" anywhere in memory. A clever attacker can use this to
create another overflow to achieve code execution, or can try to partially
overwrite sensitive pointers and other values.
Tested on the shared build from 2012-04-09 found at
http://ffmpeg.zeranoe.com/builds/
PoC file can be downloaded here:
http://w.rdtsc.net/ffmpegmkv/Exploitable/writeAV.zip
Thanks,
John Villamil
--
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/1201>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker
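Added example, not code from FFmpeg, ffplay or the reporter: a constructed C model of the primitive the ticket describes, an 8-byte store of a fixed value (the mm1 contents quoted above) to a destination whose offset is taken from the input file with no bounds check, placed beside the checked version. The frame size, the arena layout and the "sensitive pointer" stored right after the frame are assumptions; the arena stands in for mapped memory, so a destination beyond it is reported as the access violation rather than performed.

```c
/* Added example, not FFmpeg/ffplay code: a constructed C model of the
 * primitive the ticket describes. A fixed 8-byte value (the mm1 contents
 * quoted in the report) is stored to a destination whose offset comes from
 * the input file with no bounds check, next to the checked version.
 * Frame size, arena layout and the "sensitive pointer" are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define STORED_VALUE 0x0080808000800080ULL  /* value in mm1 at the faulting store */
#define FRAME_LEN    64                     /* assumed decoder output frame size */
#define ARENA_LEN    (FRAME_LEN + 8)        /* frame, then one unrelated 8-byte value */
#define SENTINEL     0x4141414141414141ULL  /* stand-in for a pointer stored after the frame */

/* One flat byte array models the mapped heap around the frame. */
struct arena {
    uint8_t bytes[ARENA_LEN];
};

struct outcome {
    int faulted;        /* 1: destination left the arena (the ticket's access violation) */
    int rejected;       /* 1: the checked store refused the offset */
    uint64_t neighbor;  /* the 8 bytes right after the frame once the store is done */
};

static void arena_init(struct arena *a)
{
    uint64_t p = SENTINEL;
    memset(a->bytes, 0, sizeof a->bytes);
    memcpy(a->bytes + FRAME_LEN, &p, sizeof p);
}

static uint64_t arena_neighbor(const struct arena *a)
{
    uint64_t p;
    memcpy(&p, a->bytes + FRAME_LEN, sizeof p);
    return p;
}

/* Vulnerable form: the destination offset is trusted straight from the
 * container, so the fixed value lands wherever the file says
 * (the equivalent of "movq [esi], mm1" with esi derived from the file). */
static void store_block_unchecked(uint8_t *frame, uint64_t dst_off)
{
    uint64_t v = STORED_VALUE;
    memcpy(frame + dst_off, &v, sizeof v);
}

/* Hardened form: the whole 8-byte store must fit inside the frame. The
 * comparison is dst_off > len - 8 rather than dst_off + 8 > len so a huge
 * offset cannot wrap the addition and slip past the check. */
static int store_block_checked(uint8_t *frame, size_t frame_len, uint64_t dst_off)
{
    if (frame_len < sizeof(uint64_t) || dst_off > frame_len - sizeof(uint64_t))
        return -1;
    uint64_t v = STORED_VALUE;
    memcpy(frame + dst_off, &v, sizeof v);
    return 0;
}

/* Run the unchecked store with a file-derived offset. The arena is the only
 * "mapped" memory in the model: a destination past it is the access
 * violation from the ticket and is reported instead of performed, so the
 * demo itself never writes out of bounds. Inside the arena but past the
 * frame, the store silently clobbers whatever sits there. */
struct outcome run_unchecked(uint64_t file_offset)
{
    struct arena a;
    struct outcome o = {0, 0, 0};
    arena_init(&a);
    if (file_offset > ARENA_LEN - sizeof(uint64_t))
        o.faulted = 1;
    else
        store_block_unchecked(a.bytes, file_offset);
    o.neighbor = arena_neighbor(&a);
    return o;
}

struct outcome run_checked(uint64_t file_offset)
{
    struct arena a;
    struct outcome o = {0, 0, 0};
    arena_init(&a);
    o.rejected = store_block_checked(a.bytes, FRAME_LEN, file_offset) != 0;
    o.neighbor = arena_neighbor(&a);
    return o;
}

int main(void)
{
    struct outcome o = run_unchecked(FRAME_LEN);   /* exactly one frame past the end */
    printf("unchecked off=%d: faulted=%d neighbor=0x%016llx\n", FRAME_LEN, o.faulted,
           (unsigned long long)o.neighbor);
    o = run_unchecked(1ULL << 20);                 /* assumed far-out offset: the reported AV */
    printf("unchecked off=1<<20: faulted=%d\n", o.faulted);
    o = run_checked(FRAME_LEN);
    printf("checked   off=%d: rejected=%d neighbor=0x%016llx\n", FRAME_LEN, o.rejected,
           (unsigned long long)o.neighbor);
    return 0;
}
```

The point of the arena is the triage distinction the report relies on: the offset that reached unmapped memory produced the visible crash, but the same unchecked store with a smaller offset lands inside mapped memory and replaces an adjacent value with the fixed bytes without any fault, which is the "partially overwrite sensitive pointers" case. The checked form also rejects offsets near UINT64_MAX, which an `off + 8 <= len` test would let through after wrapping.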