[FFmpeg-trac] #1207(avcodec:new): Possible Heap Corruption in avcodec
FFmpeg
trac at avcodec.org
Sat Apr 14 02:41:17 CEST 2012
#1207: Possible Heap Corruption in avcodec
----------------------------------+---------------------------------------
             Reporter:  daybreak  |             Type:  defect
               Status:  new       |         Priority:  critical
            Component:  avcodec   |          Version:  unspecified
             Keywords:            |       Blocked By:
             Blocking:            |  Reproduced by developer:  0
Analyzed by developer:  0         |
----------------------------------+---------------------------------------
(17f84.181d4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Users\owner\Desktop\ffmpeg-git-a4c22e3-win32-shared\bin\avcodec-54.dll -
avcodec_54!avpriv_dv_codec_profile+0x1657d:
6a2131cd 0fb63c18        movzx   edi,byte ptr [eax+ebx]    ds:002b:07c80120=??
0:014:x86> $<dbgcomm.txt
0:014:x86> r
eax=07c7e320 ebx=00001e00 ecx=00000008 edx=00000000 esi=00000280 edi=00001dc2
eip=6a2131cd esp=0512fcd0 ebp=00001ec0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
avcodec_54!avpriv_dv_codec_profile+0x1657d:
6a2131cd 0fb63c18        movzx   edi,byte ptr [eax+ebx]    ds:002b:07c80120=??
0:014:x86> !load winext\msec.dll
0:014:x86> !exploitable
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\windows\syswow64\msvcrt.dll -
Exploitability Classification: UNKNOWN
Recommended Bug Title: Read Access Violation starting at avcodec_54!avpriv_dv_codec_profile+0x000000000001657d (Hash=0x591e064e.0x597e0609)
0:014:x86> q
quit:
0:011> !heap
**************************************************************
*                                                            *
*                    HEAP ERROR DETECTED                     *
*                                                            *
**************************************************************

Details:

Error address: 078a2db8
Heap handle: 00700000
Error type heap_failure_entry_corruption (3)
Stack trace:
771bf912: ntdll!RtlpAnalyzeHeapFailure+0x0000025b
7717aba7: ntdll!RtlpFreeHeap+0x000000c6
77123492: ntdll!RtlFreeHeap+0x00000142
763e98cd: msvcrt!free+0x000000cd

STACK_TEXT:
04dffb64 771235a7 00700000 078a2db8 04dffc2c ntdll!RtlpCoalesceFreeBlocks+0x268
04dffc5c 77123492 078a2db8 078a2dc0 078a2dc0 ntdll!RtlpFreeHeap+0x1f4
04dffc7c 763e98cd 00700000 00000000 078a2dc0 ntdll!RtlFreeHeap+0x142
04dffcc8 6a218276 078a2dc0 00000020 6ab201bc msvcrt!free+0xcd
WARNING: Stack unwind information not available. Following frames may be wrong.
04dffce8 6aa407af 07806d10 00000000 000002e4 avcodec_54!avpriv_dv_codec_profile+0x18c06
04dffcf8 6aa3f662 000002e4 ffffffff 00000001 avcodec_54!aver_isf_history+0x6d0df
04dffcfc 00000000 ffffffff 00000001 0000005a avcodec_54!aver_isf_history+0x6bf92
When run under Application Verifier the following error is caught:
eax=000000d0 ebx=0afbaffd ecx=00000003 edx=6aaf3f29 esi=0afbb000 edi=6aaf41ab
eip=763fd0c6 esp=0e6afc8c ebp=0e6afcb0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
msvcrt!strcspn+0x2f:
763fd0c6 8a06            mov     al,byte ptr [esi]          ds:002b:0afbb000=??
00 0e6afcb0 6a10ef31 msvcrt!strcspn+0x2f
WARNING: Stack unwind information not available. Following frames may be wrong.
01 0e6afcc4 75750ac4 avcodec_54!avcodec_register_all+0x10581
Heap corruption can be exploitable to achieve remote code execution. It
depends on several factors ranging from how much control the attacker has
over the written data to how deterministic the heap is from the input
within the crash file.
Tested on the shared build from 2012-04-09 found at
http://ffmpeg.zeranoe.com/builds/
A PoC file:
http://w.rdtsc.net/ffmpegmkv/Unknown/BadHeap.zip
Thanks,
John Villamil
--
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/1207>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker
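The report shows the two halves of a header-driven memory bug: a read that walks off the end of a heap buffer (the movzx fault with eax+ebx landing just past a page boundary) and heap entry metadata corrupted by the time the block is freed. The following is an added example, not FFmpeg code and not from the reporter: a constructed raw-video style plane copy whose row count and stride come from the file, shown once trusting the header and once validating it against the real packet length before any access. The struct name, function names and the 14-byte sample packet are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed frame header in the style of a raw-video packet: the decoder
 * has no way to know the values are sane until it checks them. */
struct frame_hdr {
    uint32_t width;   /* bytes of each row that are copied out              */
    uint32_t height;  /* number of rows                                     */
    uint32_t stride;  /* distance in bytes between row starts in the packet */
};

/* Bytes of packet the copy loop will read for this header, or 0 when the
 * header is inconsistent or the size computation would wrap. Computed as
 * (height-1)*stride + width, the offset one past the last byte read. */
static size_t plane_bytes_needed(const struct frame_hdr *h)
{
    if (h->width == 0 || h->height == 0 || h->stride < h->width)
        return 0;
    size_t rows = (size_t)h->height - 1;
    if (rows != 0 && (size_t)h->stride > SIZE_MAX / rows)
        return 0;                                 /* (height-1)*stride wraps */
    size_t span = rows * (size_t)h->stride;
    if (span > SIZE_MAX - h->width)
        return 0;                                 /* + width wraps */
    return span + h->width;
}

/* How far past the end of a src_len-byte packet the unchecked loop would
 * read for this header (0 if it stays in bounds). This is the arithmetic
 * one does by hand on a faulting address: base + index against region end. */
static size_t oob_bytes_if_unchecked(size_t src_len, const struct frame_hdr *h)
{
    size_t need = plane_bytes_needed(h);
    return need > src_len ? need - src_len : 0;
}

/* Unsafe variant: trusts the header completely. If (height-1)*stride+width
 * exceeds the real packet size, the memcpy source runs off the end of the
 * heap buffer. It is only ever called here after validation. */
static size_t copy_plane_unchecked(const uint8_t *src, uint8_t *dst,
                                   const struct frame_hdr *h)
{
    size_t out = 0;
    for (uint32_t y = 0; y < h->height; y++) {
        memcpy(dst + out, src + (size_t)y * h->stride, h->width);
        out += h->width;
    }
    return out;
}

/* Hardened variant: reject the header before touching memory. Returns the
 * number of bytes written, or -1 if the packet or destination is too small. */
static long copy_plane_checked(const uint8_t *src, size_t src_len,
                               uint8_t *dst, size_t dst_len,
                               const struct frame_hdr *h)
{
    size_t need = plane_bytes_needed(h);
    if (need == 0 || need > src_len)
        return -1;
    /* width*height <= need here (stride >= width), so this cannot wrap. */
    if ((size_t)h->width * h->height > dst_len)
        return -1;
    return (long)copy_plane_unchecked(src, dst, h);
}

/* Constructed packet: 3 rows of 4 payload bytes with a stride of 5, so a
 * complete packet is 14 bytes ((3-1)*5 + 4); the literal's NUL is unused. */
static const uint8_t SAMPLE_PACKET[] = "ABCD.EFGH.IJKL";
static const struct frame_hdr SAMPLE_HDR = { 4, 3, 5 };

/* Drives the checked copy with only the first src_len bytes declared
 * available. Returns bytes copied, -1 if rejected, -2 if the output is wrong. */
static long demo_checked_copy(size_t src_len)
{
    uint8_t dst[12] = {0};
    long n = copy_plane_checked(SAMPLE_PACKET, src_len, dst, sizeof dst, &SAMPLE_HDR);
    if (n == 12 && memcmp(dst, "ABCDEFGHIJKL", 12) != 0)
        return -2;
    return n;
}

int main(void)
{
    printf("need=%zu bytes for sample header\n", plane_bytes_needed(&SAMPLE_HDR));
    printf("full packet (14 bytes): %ld\n", demo_checked_copy(14));
    printf("truncated packet (10 bytes): %ld, unchecked loop would overread by %zu\n",
           demo_checked_copy(10), oob_bytes_if_unchecked(10, &SAMPLE_HDR));
    return 0;
}
```

The size check is done in size_t with explicit wrap tests rather than in the header's own 32-bit fields, because a large stride times a large height is exactly the input a fuzzer produces; an unchecked product that wraps to a small value passes a naive comparison and then drives the loop well past the allocation, which is how an out-of-bounds write reaches the neighbouring heap entry and surfaces later as entry corruption in free.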