[FFmpeg-trac] #1201(FFplay:new): Write Access Violation

FFmpeg trac at avcodec.org
Sat Apr 14 02:10:24 CEST 2012

#1201: Write Access Violation
             Reporter:  daybreak  |                     Type:  defect
               Status:  new       |                 Priority:  critical
            Component:  FFplay    |                  Version:  unspecified
             Keywords:            |               Blocked By:
             Blocking:            |  Reproduced by developer:  0
Analyzed by developer:  0         |
 This is a write access violation within FFPlay.exe.

 (cbac.2804): Access violation - code c0000005 (first chance)
 First chance exceptions are reported before any exception handling.
 This exception may be expected and handled.
 *** ERROR: Module load completed but symbols could not be loaded for
 0042b909 0f7f0e          movq    mmword ptr [esi],mm1
 0:000:x86> $<dbgcomm.txt
 0:000:x86> !load winext\msec.dll
 0:000:x86> !exploitable
 Exploitability Classification: EXPLOITABLE
 Recommended Bug Title: Exploitable - User Mode Write AV starting at
 image00000000_00400000+0x000000000002b909 (Hash=0x67613208.0x0729135c)

 User mode write access violations that are not near NULL are exploitable.
 0:000:x86> q

 mm1 is equal to "0080808000800080" at this point in execution.  The
 attacker has a fair amount of control over the value in esi and this
 appears to come from offset 0x17dbb8 in the mkv file.  This is a write
 "0080808000800080" anywhere in memory.  A clever attacker can use this to
 create another overflow to achieve code execution or can try to partially
 overwrite sensitive pointers and other values.

 Tested on the shared build from 2012-04-09 found at

 PoC file can be downloaded here:

 John Villamil

Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/1201>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker

More information about the FFmpeg-trac mailing list