[FFmpeg-trac] #1206(undetermined:new): Controlled EDX in avformat

FFmpeg trac at avcodec.org
Sat Apr 14 02:33:35 CEST 2012

#1206: Controlled EDX in avformat
 Reporter:                 daybreak
 Type:                     defect
 Status:                   new
 Priority:                 normal
 Component:                undetermined
 Version:                  unspecified
 Keywords:
 Blocked By:
 Blocking:
 Reproduced by developer:  0
 Analyzed by developer:    0
 An attacker can control the value in EDX.  Whether this issue is
 exploitable is not clear.  I did not take a close look at any of these
 issues, but it looks pretty dangerous nonetheless.

 (5d3c.3f14): Access violation - code c0000005 (first chance)
 First chance exceptions are reported before any exception handling.
 This exception may be expected and handled.
 *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Users\owner\Desktop\ffmpeg-git-a4c22e3-win32-shared\bin\avformat-54.dll -
 699183f5 0fb632          movzx   esi,byte ptr [edx]
 0:002:x86> $<dbgcomm.txt
 0:002:x86> !load winext\msec.dll
 0:002:x86> !exploitable
 Exploitability Classification: UNKNOWN
 Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at avformat_54!avio_rb16+0x0000000000000015

 The data from the faulting address is later used to determine whether or
 not a branch is taken.
 0:002:x86> q

 Tested on the shared build from 2012-04-09 found at

 A PoC file:

 John Villamil

Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/1206>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker