id,summary,reporter,owner,description,type,status,priority,component,version,resolution,keywords,cc,blockedby,blocking,reproduced,analyzed
1208,EBP Modification,daybreak,,"Through operations within the application, it is possible for an attacker to provide input which can modify the value of EBP.

(54cc.670): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Users\owner\Desktop\ffmpeg-git-a4c22e3-win32-shared\bin\avcodec-54.dll - 
avcodec_54!avcodec_register_all+0x100a0:
6a10dfc0 8b6d00          mov     ebp,dword ptr [ebp]  ss:002b:0000001c=????????
0:010:x86> $<dbgcomm.txt
0:010:x86> r
eax=00000020 ebx=00000000 ecx=020fbe28 edx=6aa8908e esi=00000127 edi=6aa892d0
eip=6a10dfc0 esp=04c0fd60 ebp=0000001c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
avcodec_54!avcodec_register_all+0x100a0:
6a10dfc0 8b6d00          mov     ebp,dword ptr [ebp]  ss:002b:0000001c=????????
0:010:x86> !load winext\msec.dll
0:010:x86> !exploitable
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\windows\syswow64\KERNELBASE.dll - 
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at avcodec_54!avcodec_register_all+0x00000000000100a0 (Hash=0x6b664953.0x20664953)

The data from the faulting address is later used to determine whether or not a branch is taken.
0:010:x86> q
quit:


Tested on the shared build from 2012-04-09 found at http://ffmpeg.zeranoe.com/builds/

A PoC file:
http://w.rdtsc.net/ffmpegmkv/Unknown/EBP.zip

Thanks,
John Villamil",defect,closed,important,avcodec,git-master,fixed,,ami_stuff@…,,,1,0