[FFmpeg-trac] #1203(avcodec:new): Illegal Data Usage in Avcodec

FFmpeg trac at avcodec.org
Sat Apr 14 02:22:00 CEST 2012 

#1203: Illegal Data Usage in Avcodec
----------------------------------+---------------------------------------
             Reporter:  daybreak  |                     Type:  defect
               Status:  new       |                 Priority:  critical
            Component:  avcodec   |                  Version:  unspecified
             Keywords:            |               Blocked By:
             Blocking:            |  Reproduced by developer:  0
Analyzed by developer:  0         |
----------------------------------+---------------------------------------
 An attacker may be able to create a file that reads data from an
 unintended location in memory.  This data is trusted and used by the
 application in a way which may enable code execution.

 (21268.22868): Access violation - code c0000005 (first chance)
 First chance exceptions are reported before any exception handling.
 This exception may be expected and handled.
 avcodec_54!ff_dct32_float_sse2+0x12ae7:
 6a5999f7 0f280c11        movaps  xmm1,xmmword ptr [ecx+edx]
 ds:002b:00000070=????????????????????????????????
 0:009:x86> $<dbgcomm.txt
 0:009:x86> r
 eax=ffffffc0 ebx=02f62d80 ecx=00000040 edx=00000030 esi=02f62d80
 edi=02f62d80
 eip=6a5999f7 esp=048dfc10 ebp=02f62d80 iopl=0         nv up ei pl nz na po
 nc
 cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b
 efl=00010202
 avcodec_54!ff_dct32_float_sse2+0x12ae7:
 6a5999f7 0f280c11        movaps  xmm1,xmmword ptr [ecx+edx]
 ds:002b:00000070=????????????????????????????????
 0:009:x86> !load winext\msec.dll
 0:009:x86> !exploitable
 *** ERROR: Symbol file could not be found.  Defaulted to export symbols
 for ntdll32.dll -
 *** ERROR: Symbol file could not be found.  Defaulted to export symbols
 for C:\windows\syswow64\KERNELBASE.dll -
 Exploitability Classification: PROBABLY_EXPLOITABLE
 Recommended Bug Title: Probably Exploitable - Data from Faulting Address
 controls subsequent Write Address starting at
 avcodec_54!ff_dct32_float_sse2+0x0000000000012ae7
 (Hash=0x6a521235.0x0b720433)

 The data from the faulting address is later used as the target for a later
 write.
 0:009:x86> q
 quit:

 0:009> kn
  # ChildEBP RetAddr
 WARNING: Stack unwind information not available. Following frames may be
 wrong.
 00 0471fba8 6a585144 avcodec_54!ff_dct32_float_sse2+0x12ae7
 01 0471fc68 6a1216b2 avcodec_54!avpriv_vorbis_parse_reset+0x46764
 02 0471fca8 6a583045 avcodec_54!avpriv_copy_bits+0x222
 03 0471fce8 6a586319 avcodec_54!avpriv_vorbis_parse_reset+0x44665
 04 0471fd38 6a50549a avcodec_54!avpriv_vorbis_parse_reset+0x47939
 *** ERROR: Module load completed but symbols could not be loaded for
 image00400000
 05 0471fdc8 00405109 avcodec_54!avcodec_decode_audio4+0x9a
 06 0471fe38 75750ac4 image00400000+0x5109
 07 0471fed8 0040e37f KERNELBASE!WaitForSingleObjectEx+0xcb
 08 0471ff18 004161b8 image00400000+0xe37f
 09 0471ff38 0041620e image00400000+0x161b8
 0a 0471ff48 763f1287 image00400000+0x1620e
 0b 0471ff80 763f1328 msvcrt!_endthreadex+0x44
 0c 0471ff88 7526339a msvcrt!_endthreadex+0xce
 0d 0471ff94 77129ef2 kernel32!BaseThreadInitThunk+0xe
 0e 0471ffd4 77129ec5 ntdll!__RtlUserThreadStart+0x70
 0f 0471ffec 00000000 ntdll!_RtlUserThreadStart+0x1b

 This was tested on the shared build from 2012-04-09 found at
 http://ffmpeg.zeranoe.com/builds/

 A PoC file is at:
 http://w.rdtsc.net/ffmpegmkv/ProbablyExploitable/ReadandWrite.zip

 Thanks,
 John Villamil

-- 
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/1203>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker

More information about the FFmpeg-trac mailing list