[FFmpeg-trac] #1206(undetermined:new): Controlled EDX in avformat
FFmpeg
trac at avcodec.org
Sat Apr 14 02:33:35 CEST 2012
#1206: Controlled EDX in avformat
-------------------------------------+-------------------------------------
Reporter: daybreak | Type: defect
Status: new | Priority: normal
Component: undetermined | Version: unspecified
Keywords: | Blocked By:
Blocking: | Reproduced by developer: 0
Analyzed by developer: 0 |
-------------------------------------+-------------------------------------
An attacker can control the value in EDX. Whether this issue is
exploitable is not clear. I did not take a close look at any of these
issues, but it looks pretty dangerous nonetheless.
(5d3c.3f14): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Users\owner\Desktop\ffmpeg-git-a4c22e3-win32-shared\bin\avformat-54.dll -
avformat_54!avio_rb16+0x15:
699183f5 0fb632 movzx esi,byte ptr [edx] ds:002b:00000016=??
0:002:x86> $<dbgcomm.txt
0:002:x86> !load winext\msec.dll
0:002:x86> !exploitable
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at avformat_54!avio_rb16+0x0000000000000015 (Hash=0x676f5b27.0x64114365)
The data from the faulting address is later used to determine whether or
not a branch is taken.
0:002:x86> q
quit:
Tested on the shared build from 2012-04-09 found at
http://ffmpeg.zeranoe.com/builds/
A PoC file:
http://w.rdtsc.net/ffmpegmkv/Unknown/WhatsUpWithEdx.zip
Thanks,
John Villamil
--
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/1206>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker