#1208 closed defect (fixed)
EBP Modification
Reported by: | John Villamil | Owned by: | |
---|---|---|---|
Priority: | important | Component: | avcodec |
Version: | git-master | Keywords: | |
Cc: | ami_stuff@o2.pl | Blocked By: | |
Blocking: | | Reproduced by developer: | yes |
Analyzed by developer: | no | | |
Description
Through operations within the application, it is possible for an attacker to provide input which can modify the value of EBP.
```
(54cc.670): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Users\owner\Desktop\ffmpeg-git-a4c22e3-win32-shared\bin\avcodec-54.dll -
avcodec_54!avcodec_register_all+0x100a0:
6a10dfc0 8b6d00          mov     ebp,dword ptr [ebp]  ss:002b:0000001c=????????
0:010:x86> $<dbgcomm.txt
0:010:x86> r
eax=00000020 ebx=00000000 ecx=020fbe28 edx=6aa8908e esi=00000127 edi=6aa892d0
eip=6a10dfc0 esp=04c0fd60 ebp=0000001c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
avcodec_54!avcodec_register_all+0x100a0:
6a10dfc0 8b6d00          mov     ebp,dword ptr [ebp]  ss:002b:0000001c=????????
0:010:x86> !load winext\msec.dll
0:010:x86> !exploitable
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\windows\syswow64\KERNELBASE.dll -
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at avcodec_54!avcodec_register_all+0x00000000000100a0 (Hash=0x6b664953.0x20664953)
The data from the faulting address is later used to determine whether or not a branch is taken.
0:010:x86> q
quit:
```
Tested on the shared build from 2012-04-09 found at http://ffmpeg.zeranoe.com/builds/
A PoC file:
http://w.rdtsc.net/ffmpegmkv/Unknown/EBP.zip
Thanks,
John Villamil
Change History (14)
comment:1 by , 13 years ago
comment:2 by , 13 years ago
This also crashes on the latest static build from http://ffmpeg.zeranoe.com/builds/ tested on Windows 7. If there are symbols anywhere I'll use them, but as of now I don't have a dev environment set up on this OS.
```
0:012> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
06f0fd60 77460a91 image00400000+0x607e40
06f0fdcc 76541194 KERNELBASE!WaitForSingleObjectEx+0x98
06f0fde8 0053979b kernel32!WaitForSingleObjectExImplementation+0x75
06f0fe18 00404b9a image00400000+0x13979b
06f0ff18 00b08a78 image00400000+0x4b9a
06f0ff38 00b08ace image00400000+0x708a78
06f0ff48 76221287 image00400000+0x708ace
06f0ff80 76221328 msvcrt!_endthreadex+0x44
06f0ff88 7654339a msvcrt!_endthreadex+0xce
06f0ff94 77ad9ef2 kernel32!BaseThreadInitThunk+0xe
06f0ffd4 77ad9ec5 ntdll!__RtlUserThreadStart+0x70
06f0ffec 00000000 ntdll!_RtlUserThreadStart+0x1b
```
comment:4 by , 13 years ago
try disabling asm or try an old release (if old works then git bisect should point to the regressing commit)
comment:6 by , 13 years ago
crashes here with:
```
(gdb) r -i 702121h264-TTA.mkvtest82.mkv -an -vn out.mkv
Starting program: d:\mingw\msys\1.0\ffmpeg-head-23fba3e\ffmpeg_g.exe -i 702121h264-TTA.mkvtest82.mkv -an -vn out.mkv
[New Thread 2872.0xb3c]
ffmpeg version 0.10.2.git-23fba3e Copyright (c) 2000-2012 the FFmpeg developers
  built on May 5 2012 19:57:06 with gcc 4.6.1
  configuration: --disable-ffprobe --enable-gpl
  libavutil      51. 49.100 / 51. 49.100
  libavcodec     54. 19.100 / 54. 19.100
  libavformat    54.  4.100 / 54.  4.100
  libavdevice    53.  4.100 / 53.  4.100
  libavfilter     2. 72.104 /  2. 72.104
  libswscale      2.  1.100 /  2.  1.100
  libswresample   0. 11.100 /  0. 11.100
  libpostproc    52.  0.100 / 52.  0.100
[tta @ 040a6d60] CRC error
[tta @ 040a6d60] Seek table missing or too small
[h264 @ 03b3cc00] concealing 846 DC, 846 AC, 846 MV errors
[h264 @ 03b3cc00] concealing 186 DC, 186 AC, 186 MV errors
[h264 @ 03b3cc00] concealing 459 DC, 459 AC, 459 MV errors
Input #0, matroska,webm, from '702121h264-TTA.mkvtest82.mkv':
  Metadata:
    creation_time   : 2006-12-23 15:47:16
  Duration: 00:24:10.95, start: 0.000000, bitrate: 17 kb/s
    Stream #0:0: Video: h264 (High), yuv420p, 848x480, SAR 1:1 DAR 53:30, 23.98 fps, 23.98 tbr, 1k tbn, 59.94 tbc (default)
    Stream #0:1: Audio: tta, 48000 Hz, stereo, s16 (default)
    Stream #0:2: Subtitle: ssa (default)
    Stream #0:3: Subtitle: ssa
File 'out.mkv' already exists. Overwrite ? [y/N] y
strptime() unavailable on this system, cannot convert the date string.
Output #0, matroska, to 'out.mkv':
  Metadata:
    creation_time   : 2006-12-23 15:47:16
    encoder         : Lavf54.4.100
    Stream #0:0: Subtitle: ssa (default)
Stream mapping:
  Stream #0:2 -> #0:0 (ass -> ass)
Press [q] to stop, [?] for help

Program received signal SIGSEGV, Segmentation fault.
free_section (ctx=0x0, section=0xcb7450) at libavcodec/ass_split.c:314
314         ptr = *(void **)ptr;
(gdb) bt
#0  free_section (ctx=0x0, section=0xcb7450) at libavcodec/ass_split.c:314
#1  0x009fd5cf in ff_ass_split_dialog (ctx=0x0, buf=0x3b4a120 "Dialogue: 0,0:00:02.07,0:00:03.27,OP-00,NTP,0000,0000,0000,,Ń \203č{\\fe134\\fnÚ╗Ĺń\275ô}┬Ě{\\r}Ń\203č{\\fe134\\fnÚ╗Ĺń\275ô}┬Ě{\\r}Ń\203čŃ\203 ęŃé»Ń\203źÔ\230ć\r\nDialogue: 0,0:00:02.07,0:00:03.27,OPńŞşŠľç-00,NTP,0000,0000, 0000,,ň«×{\\"..., cache=0, number=0x0) at libavcodec/ass_split.c:340
#2  0x008a9715 in ass_decode_frame (avctx=0x40acc60, data=0x22e8d0, got_sub_ptr=0x22e910, avpkt=0x22e800) at libavcodec/assdec.c:45
#3  0x00537266 in avcodec_decode_subtitle2 (avctx=0x40acc60, sub=0x22e8d0, got_sub_ptr=0x22e910, avpkt=0x22e800) at libavcodec/utils.c:1584
#4  0x00407dfd in transcode_subtitles (got_output=<optimized out>, pkt=<optimized out>, ist=<optimized out>) at ffmpeg.c:2677
#5  output_packet (ist=0x3b47960, pkt=0x22fbf0) at ffmpeg.c:2779
#6  0x0040ddd5 in transcode () at ffmpeg.c:3652
#7  0x00af9232 in main (argc=6, argv=0x3b40db0) at ffmpeg.c:5899
```
comment:7 by , 13 years ago
Cc: | added |
---|---|
comment:8 by , 13 years ago
also with this, but I have no debug build with libmp3lame enabled to get bt:
```
C:\>ffmpeg -i 702121h264-TTA.mkvtest82.mkv -vn -sn out.avi
ffmpeg version N-40584-g0159032 Copyright (c) 2000-2012 the FFmpeg developers
  built on May 11 2012 02:38:34 with gcc 4.5.0 20100414 (Fedora MinGW 4.5.0-1.fc14)
  configuration: --prefix=/var/www/users/research/ffmpeg/snapshots/build --arch=x86 --target-os=mingw32 --cross-prefix=i686-pc-mingw32- --cc='ccache i686-pc-mingw32-gcc' --enable-w32threads --enable-memalign-hack --enable-runtime-cpudetect --enable-cross-compile --enable-static --disable-shared --extra-libs='-lws2_32 -lwinmm' --extra-cflags='--static -I/var/www/users/research/ffmpeg/snapshots/build/include' --extra-ldflags='-static -L/var/www/users/research/ffmpeg/snapshots/build/lib' --enable-bzlib --enable-zlib --enable-gpl --enable-version3 --enable-nonfree --enable-libx264 --enable-libspeex --enable-libtheora --enable-libvorbis --enable-libfaac --enable-libxvid --enable-libopencore-amrnb --enable-libopencore-amrwb --enable-libmp3lame --enable-libvpx --disable-decoder=libvpx
  libavutil      51. 50.100 / 51. 50.100
  libavcodec     54. 21.101 / 54. 21.101
  libavformat    54.  4.100 / 54.  4.100
  libavdevice    53.  4.100 / 53.  4.100
  libavfilter     2. 72.105 /  2. 72.105
  libswscale      2.  1.100 /  2.  1.100
  libswresample   0. 11.100 /  0. 11.100
  libpostproc    52.  0.100 / 52.  0.100
[tta @ 0x2337560] CRC error
[tta @ 0x2337560] Seek table missing or too small
[h264 @ 0x1dccac0] concealing 846 DC, 846 AC, 846 MV errors
[h264 @ 0x1dccac0] concealing 186 DC, 186 AC, 186 MV errors
[h264 @ 0x1dccac0] concealing 459 DC, 459 AC, 459 MV errors
Input #0, matroska,webm, from '702121h264-TTA.mkvtest82.mkv':
  Metadata:
    creation_time   : 2006-12-23 15:47:16
  Duration: 00:24:10.95, start: 0.000000, bitrate: 17 kb/s
    Stream #0:0: Video: h264 (High), yuv420p, 848x480, SAR 1:1 DAR 53:30, 23.98 fps, 23.98 tbr, 1k tbn, 59.94 tbc (default)
    Stream #0:1: Audio: tta, 48000 Hz, stereo, s16 (default)
    Stream #0:2: Subtitle: ssa (default)
    Stream #0:3: Subtitle: ssa
CRC error
[tta @ 0x2337560] Seek table missing or too small
Output #0, avi, to 'out.avi':
  Metadata:
    creation_time   : 2006-12-23 15:47:16
    ISFT            : Lavf54.4.100
    Stream #0:0: Audio: mp3 (U[0][0][0] / 0x0055), 48000 Hz, stereo, s16 (default)
Stream mapping:
  Stream #0:1 -> #0:0 (tta -> libmp3lame)
Press [q] to stop, [?] for help
[tta @ 0x2337560] CRC error
Error while decoding stream #0:1
[tta @ 0x2337560] CRC error
Error while decoding stream #0:1
[tta @ 0x2337560] CRC error
Error while decoding stream #0:1
[tta @ 0x2337560] CRC error
Error while decoding stream #0:1
[tta @ 0x2337560] CRC error
Error while decoding stream #0:1
[tta @ 0x2337560] CRC error
Error while decoding stream #0:1
[tta @ 0x2337560] CRC error
Error while decoding stream #0:1
[tta @ 0x2337560] CRC error
Error while decoding stream #0:1
[matroska,webm @ 0x1dcc5c0] Read error
[libmp3lame @ 0x233d020] Trying to remove 1152 samples, but que empty
```
comment:9 by , 13 years ago
Priority: | critical → important |
---|---|
Reproduced by developer: | set |
Status: | new → open |
Version: | unspecified → git-master |
```
(gdb) r -i 702121h264-TTA.mkvtest82.mkv -vn out.mp3
Starting program: ffmpeg_g -i 702121h264-TTA.mkvtest82.mkv -vn out.mp3
[Thread debugging using libthread_db enabled]
[New Thread 0xb79bd6c0 (LWP 7569)]
ffmpeg version N-40602-g3b56324 Copyright (c) 2000-2012 the FFmpeg developers
  built on May 12 2012 09:13:48 with gcc 4.3.2
  configuration: --cc=/usr/local/gcc-4.3.2/bin/gcc --enable-gpl --enable-libopenjpeg --enable-libvorbis --enable-libspeex --enable-libmp3lame --enable-libtheora --extra-ldflags=-lm
  libavutil      51. 50.100 / 51. 50.100
  libavcodec     54. 21.101 / 54. 21.101
  libavformat    54.  4.100 / 54.  4.100
  libavdevice    53.  4.100 / 53.  4.100
  libavfilter     2. 72.105 /  2. 72.105
  libswscale      2.  1.100 /  2.  1.100
  libswresample   0. 11.100 /  0. 11.100
  libpostproc    52.  0.100 / 52.  0.100
[tta @ 0x8f15660] CRC error
[tta @ 0x8f15660] Seek table missing or too small
[h264 @ 0x8f074a0] concealing 846 DC, 846 AC, 846 MV errors
[h264 @ 0x8f074a0] concealing 186 DC, 186 AC, 186 MV errors
[h264 @ 0x8f074a0] concealing 459 DC, 459 AC, 459 MV errors
Input #0, matroska,webm, from '702121h264-TTA.mkvtest82.mkv':
  Metadata:
    creation_time   : 2006-12-23 15:47:16
  Duration: 00:24:10.95, start: 0.000000, bitrate: 17 kb/s
    Stream #0:0: Video: h264 (High), yuv420p, 848x480, SAR 1:1 DAR 53:30, 23.98 fps, 23.98 tbr, 1k tbn, 59.94 tbc (default)
    Stream #0:1: Audio: tta, 48000 Hz, stereo, s16 (default)
    Stream #0:2: Subtitle: ssa (default)
    Stream #0:3: Subtitle: ssa
[tta @ 0x8f15660] CRC error
[tta @ 0x8f15660] Seek table missing or too small
Output #0, mp3, to 'out.mp3':
  Metadata:
    TDEN            : 2006-12-23 15:47:16
    TSSE            : Lavf54.4.100
    Stream #0:0: Audio: mp3, 48000 Hz, stereo, s16 (default)
Stream mapping:
  Stream #0:1 -> #0:0 (tta -> libmp3lame)
Press [q] to stop, [?] for help
[tta @ 0x8f15660] CRC error
Error while decoding stream #0:1
[tta @ 0x8f15660] CRC error
Error while decoding stream #0:1
[tta @ 0x8f15660] CRC error
Error while decoding stream #0:1
[tta @ 0x8f15660] CRC error
Error while decoding stream #0:1
[tta @ 0x8f15660] CRC error
Error while decoding stream #0:1
[tta @ 0x8f15660] CRC error
Error while decoding stream #0:1
[tta @ 0x8f15660] CRC error
Error while decoding stream #0:1
[tta @ 0x8f15660] CRC error
Error while decoding stream #0:1
[matroska,webm @ 0x8eff3c0] Read error
[libmp3lame @ 0x8f57900] Trying to remove 1152 samples, but que empty

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb79bd6c0 (LWP 7569)]
0x086dd1b7 in ff_af_queue_remove (afq=0x8f5d0e4, nb_samples=1152, pts=0xbfa48780, duration=0xbfa487a8) at libavcodec/audio_frame_queue.c:103
103         if(afq->frames[0].pts != AV_NOPTS_VALUE)
(gdb) bt
#0  0x086dd1b7 in ff_af_queue_remove (afq=0x8f5d0e4, nb_samples=1152, pts=0xbfa48780, duration=0xbfa487a8) at libavcodec/audio_frame_queue.c:103
#1  0x084383ba in mp3lame_encode_frame (avctx=0x8f57900, avpkt=0xbfa48780, frame=0x0, got_packet_ptr=0xbfa48844) at libavcodec/libmp3lame.c:265
#2  0x0857cf9a in avcodec_encode_audio2 (avctx=0xbfa48844, avpkt=0xbfa48780, frame=0x0, got_packet_ptr=0x0) at libavcodec/utils.c:1106
#3  0x08056713 in encode_audio_frame (s=0x8f4fd80, ost=0x8f250a0, buf=0x0, buf_size=0) at ffmpeg.c:1535
#4  0x0805bb2f in transcode () at ffmpeg.c:2352
#5  0x0805ca96 in main (argc=150305024, argv=0x451) at ffmpeg.c:5931
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x86dd197 to 0x86dd1d7:
   0x086dd197 <ff_af_queue_remove+343>:    decl   -0x74bfdbac(%ebx)
   0x086dd19d <ff_af_queue_remove+349>:    inc    %edx
   0x086dd19e <ff_af_queue_remove+350>:    adc    %ch,(%ecx)
   0x086dd1a0 <ff_af_queue_remove+352>:    fadds  0x104289ed(%ebp)
   0x086dd1a6 <ff_af_queue_remove+358>:    je     0x86dd1f8 <ff_af_queue_remove+440>
   0x086dd1a8 <ff_af_queue_remove+360>:    test   %eax,%eax
   0x086dd1aa <ff_af_queue_remove+362>:    jne    0x86dd2c4 <ff_af_queue_remove+644>
   0x086dd1b0 <ff_af_queue_remove+368>:    mov    0x40(%esp),%ecx
   0x086dd1b4 <ff_af_queue_remove+372>:    mov    0xc(%ecx),%esi
   0x086dd1b7 <ff_af_queue_remove+375>:    mov    0x4(%esi),%ebx
   0x086dd1ba <ff_af_queue_remove+378>:    mov    (%esi),%ecx
   0x086dd1bc <ff_af_queue_remove+380>:    lea    -0x80000000(%ebx),%eax
   0x086dd1c2 <ff_af_queue_remove+386>:    or     %ecx,%eax
   0x086dd1c4 <ff_af_queue_remove+388>:    je     0x86dd1d6 <ff_af_queue_remove+406>
   0x086dd1c6 <ff_af_queue_remove+390>:    mov    %ebp,%eax
   0x086dd1c8 <ff_af_queue_remove+392>:    mov    %ebp,%edx
   0x086dd1ca <ff_af_queue_remove+394>:    sar    $0x1f,%edx
   0x086dd1cd <ff_af_queue_remove+397>:    add    %ecx,%eax
   0x086dd1cf <ff_af_queue_remove+399>:    adc    %ebx,%edx
   0x086dd1d1 <ff_af_queue_remove+401>:    mov    %eax,(%esi)
   0x086dd1d3 <ff_af_queue_remove+403>:    mov    %edx,0x4(%esi)
   0x086dd1d6 <ff_af_queue_remove+406>:    mov    0x40(%esp),%edx
End of assembler dump.
(gdb) info register
eax            0x0        0
ecx            0x8f5d0e4  150327524
edx            0x8f5d0e4  150327524
ebx            0x0        0
esp            0xbfa48490 0xbfa48490
ebp            0x480      0x480
esi            0x0        0
edi            0x8f57900  150305024
eip            0x86dd1b7  0x86dd1b7 <ff_af_queue_remove+375>
eflags         0x10246    [ PF ZF IF RF ]
cs             0x73       115
ss             0x7b       123
ds             0x7b       123
es             0x7b       123
fs             0x0        0
gs             0x33       51
```
comment:10 by , 13 years ago
Resolution: | → fixed |
---|---|
Status: | open → closed |
follow-up: 12 comment:11 by , 13 years ago
I'm using the latest Zeranoe builds and am still experiencing this AV (Windows 7, 32-bit). What does the fix consist of?
comment:12 by , 13 years ago
Replying to jpgygax68:
I'm using the latest Zeranoe builds and am still experiencing this AV (Windows 7, 32-bits).
Then please provide a backtrace as explained on http://ffmpeg.org/bugreports.html, gdb works fine on Windows.
follow-up: 14 comment:13 by , 13 years ago
I was able to reproduce ffmpeg -i 702121h264-TTA.mkvtest82.mkv -an -vn out.mkv crashing with ffmpeg-20120409-git-6bfb304-win32-shared (64 bit windows 7). Seems to work ok now for me with ffmpeg-20120612-git-728f86e-win32-shared
Which version fails for you?
(Also would it be possible to get the hash of the commit that fixed it, just for curiosity sake?)
comment:14 by , 13 years ago
Replying to rogerdpack:
(Also would it be possible to get the hash of the commit that fixed it, just for curiosity sake?)
Please search git log for "ticket1208", there is more than one commit.
The sample does not crash here and valgrind does not report any problems (except a mem leak).
Is the problem also reproducible with a static ffmpeg build? (Or one with debug symbols?)
Does the sample crash on windows with "ffmpeg -i 702121h264-TTA.mkvtest82.mkv -f null -" ?
If yes, please provide a backtrace, consider using a non-stripped binary.