Ticket #1201 (closed defect: worksforme)
Write Access Violation
Reported by: daybreak
Owned by:
Blocking:
Reproduced by developer: no
Analyzed by developer: no
This is a write access violation within FFPlay.exe.
(cbac.2804): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
* ERROR: Module load completed but symbols could not be loaded for image00000000`00400000
0042b909 0f7f0e movq mmword ptr [esi],mm1 ds:002b:02203000=????????????????
0:000:x86> !load winext\msec.dll
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at image00000000_00400000+0x000000000002b909 (Hash=0x67613208.0x0729135c)
User mode write access violations that are not near NULL are exploitable.
mm1 is equal to "0080808000800080" at this point in execution. The attacker has a fair amount of control over the value in esi, and this appears to come from offset 0x17dbb8 in the mkv file. This is a write of "0080808000800080" anywhere in memory. A clever attacker can use this to create another overflow to achieve code execution, or can try to partially overwrite sensitive pointers and other values.
Tested on the shared build from 2012-04-09 found at http://ffmpeg.zeranoe.com/builds/
PoC file can be downloaded here: