id	summary	reporter	owner	description	type	status	priority	component	version	resolution	keywords	cc	blockedby	blocking	reproduced	analyzed
1207	Possible Heap Corruption in avcodec	daybreak		"(17f84.181d4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Users\owner\Desktop\ffmpeg-git-a4c22e3-win32-shared\bin\avcodec-54.dll - 
avcodec_54!avpriv_dv_codec_profile+0x1657d:
6a2131cd 0fb63c18        movzx   edi,byte ptr [eax+ebx]     ds:002b:07c80120=??
0:014:x86> $<dbgcomm.txt
0:014:x86> r
eax=07c7e320 ebx=00001e00 ecx=00000008 edx=00000000 esi=00000280 edi=00001dc2
eip=6a2131cd esp=0512fcd0 ebp=00001ec0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
avcodec_54!avpriv_dv_codec_profile+0x1657d:
6a2131cd 0fb63c18        movzx   edi,byte ptr [eax+ebx]     ds:002b:07c80120=??
0:014:x86> !load winext\msec.dll
0:014:x86> !exploitable
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\windows\syswow64\msvcrt.dll - 
Exploitability Classification: UNKNOWN
Recommended Bug Title: Read Access Violation starting at avcodec_54!avpriv_dv_codec_profile+0x000000000001657d (Hash=0x591e064e.0x597e0609)
0:014:x86> q
quit:

0:011> !heap
**************************************************************
*                                                            *
*                  HEAP ERROR DETECTED                       *
*                                                            *
**************************************************************

Details:

Error address: 078a2db8
Heap handle: 00700000
Error type heap_failure_entry_corruption (3)
Stack trace:
                771bf912: ntdll!RtlpAnalyzeHeapFailure+0x0000025b
                7717aba7: ntdll!RtlpFreeHeap+0x000000c6
                77123492: ntdll!RtlFreeHeap+0x00000142
                763e98cd: msvcrt!free+0x000000cd


STACK_TEXT:  
04dffb64 771235a7 00700000 078a2db8 04dffc2c ntdll!RtlpCoalesceFreeBlocks+0x268
04dffc5c 77123492 078a2db8 078a2dc0 078a2dc0 ntdll!RtlpFreeHeap+0x1f4
04dffc7c 763e98cd 00700000 00000000 078a2dc0 ntdll!RtlFreeHeap+0x142
04dffcc8 6a218276 078a2dc0 00000020 6ab201bc msvcrt!free+0xcd
WARNING: Stack unwind information not available. Following frames may be wrong.
04dffce8 6aa407af 07806d10 00000000 000002e4 avcodec_54!avpriv_dv_codec_profile+0x18c06
04dffcf8 6aa3f662 000002e4 ffffffff 00000001 avcodec_54!aver_isf_history+0x6d0df
04dffcfc 00000000 ffffffff 00000001 0000005a avcodec_54!aver_isf_history+0x6bf92
When run under Application Verifier the following error is caught:

eax=000000d0 ebx=0afbaffd ecx=00000003 edx=6aaf3f29 esi=0afbb000 edi=6aaf41ab
eip=763fd0c6 esp=0e6afc8c ebp=0e6afcb0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
msvcrt!strcspn+0x2f:
763fd0c6 8a06            mov     al,byte ptr [esi]          ds:002b:0afbb000=??

00 0e6afcb0 6a10ef31 msvcrt!strcspn+0x2f
WARNING: Stack unwind information not available. Following frames may be wrong.
01 0e6afcc4 75750ac4 avcodec_54!avcodec_register_all+0x10581

Heap corruption can be exploited to achieve remote code execution. Whether it is depends on several factors, ranging from how much control the attacker has over the written data to how deterministic the heap layout is given the input in the crash file.

Tested on the shared build from 2012-04-09 found at http://ffmpeg.zeranoe.com/builds/

A PoC file:
http://w.rdtsc.net/ffmpegmkv/Unknown/BadHeap.zip

Thanks,
John Villamil"	defect	closed	critical	avcodec	git-master	fixed	threads crash asp				1	0
