Opened 12 years ago

Closed 12 years ago

Last modified 12 years ago

#1207 closed defect (fixed)

Possible Heap Corruption in avcodec

Reported by: John Villamil
Owned by:
Priority: critical
Component: avcodec
Version: git-master
Keywords: threads crash asp
Cc:
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description

(17f84.181d4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
* ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Users\owner\Desktop\ffmpeg-git-a4c22e3-win32-shared\bin\avcodec-54.dll -
avcodec_54!avpriv_dv_codec_profile+0x1657d:
6a2131cd 0fb63c18 movzx edi,byte ptr [eax+ebx] ds:002b:07c80120=??
0:014:x86> $<dbgcomm.txt
0:014:x86> r
eax=07c7e320 ebx=00001e00 ecx=00000008 edx=00000000 esi=00000280 edi=00001dc2
eip=6a2131cd esp=0512fcd0 ebp=00001ec0 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
avcodec_54!avpriv_dv_codec_profile+0x1657d:
6a2131cd 0fb63c18 movzx edi,byte ptr [eax+ebx] ds:002b:07c80120=??
0:014:x86> !load winext\msec.dll
0:014:x86> !exploitable
* ERROR: Symbol file could not be found. Defaulted to export symbols for C:\windows\syswow64\msvcrt.dll -
Exploitability Classification: UNKNOWN
Recommended Bug Title: Read Access Violation starting at avcodec_54!avpriv_dv_codec_profile+0x000000000001657d (Hash=0x591e064e.0x597e0609)
0:014:x86> q
quit:

0:011> !heap

*******************************************************************************
*                          HEAP ERROR DETECTED                                *
*******************************************************************************


Details:

Error address: 078a2db8
Heap handle: 00700000
Error type heap_failure_entry_corruption (3)
Stack trace:

771bf912: ntdll!RtlpAnalyzeHeapFailure+0x0000025b
7717aba7: ntdll!RtlpFreeHeap+0x000000c6
77123492: ntdll!RtlFreeHeap+0x00000142
763e98cd: msvcrt!free+0x000000cd

STACK_TEXT:
04dffb64 771235a7 00700000 078a2db8 04dffc2c ntdll!RtlpCoalesceFreeBlocks+0x268
04dffc5c 77123492 078a2db8 078a2dc0 078a2dc0 ntdll!RtlpFreeHeap+0x1f4
04dffc7c 763e98cd 00700000 00000000 078a2dc0 ntdll!RtlFreeHeap+0x142
04dffcc8 6a218276 078a2dc0 00000020 6ab201bc msvcrt!free+0xcd
WARNING: Stack unwind information not available. Following frames may be wrong.
04dffce8 6aa407af 07806d10 00000000 000002e4 avcodec_54!avpriv_dv_codec_profile+0x18c06
04dffcf8 6aa3f662 000002e4 ffffffff 00000001 avcodec_54!aver_isf_history+0x6d0df
04dffcfc 00000000 ffffffff 00000001 0000005a avcodec_54!aver_isf_history+0x6bf92

When run under Application Verifier the following error is caught:

eax=000000d0 ebx=0afbaffd ecx=00000003 edx=6aaf3f29 esi=0afbb000 edi=6aaf41ab
eip=763fd0c6 esp=0e6afc8c ebp=0e6afcb0 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
msvcrt!strcspn+0x2f:
763fd0c6 8a06 mov al,byte ptr [esi] ds:002b:0afbb000=??

00 0e6afcb0 6a10ef31 msvcrt!strcspn+0x2f
WARNING: Stack unwind information not available. Following frames may be wrong.
01 0e6afcc4 75750ac4 avcodec_54!avcodec_register_all+0x10581

Heap corruption can be exploited to achieve remote code execution. It depends on several factors, ranging from how much control the attacker has over the written data to how deterministic the heap is given the input within the crash file.

Tested on the shared build from 2012-04-09 found at http://ffmpeg.zeranoe.com/builds/

A PoC file:
http://w.rdtsc.net/ffmpegmkv/Unknown/BadHeap.zip

Thanks,
John Villamil
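Why both crash stacks in this report end inside free() rather than in decoder code: the following toy heap model is added here as an illustration (it is not FFmpeg code and does not model the actual defect in this ticket). A copy that trusts a length field from the input overruns its buffer into the neighbouring heap entry's header; nothing fails at the time of the write, and the damage is only reported when that neighbour is freed and the allocator validates the header, the same shape as the heap_failure_entry_corruption (3) report from !heap above. The names (toy_alloc, toy_free, copy_field, run_scenario), the header layout and the 0x41-filled input are all constructed for the example.

```c
/* Added illustration (not FFmpeg code, not the ticket's actual bug): a toy
 * heap whose entry headers carry a checksum, the way the NT heap validates
 * its entries.  A copy that trusts an input length field overruns its buffer
 * into the neighbouring entry's header; nothing fails at the time of the
 * write, and the corruption is only reported when the neighbour is freed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ARENA_SIZE 4096
#define HDR_MAGIC  0xA5
#define HEAP_FAILURE_ENTRY_CORRUPTION 3   /* same code as in the ticket's !heap output */

/* 4-byte entry header placed directly in front of every payload. */
struct entry_hdr {
    uint16_t size;      /* payload size in bytes */
    uint8_t  in_use;    /* 1 = allocated, 0 = freed */
    uint8_t  checksum;  /* xor of the other header bytes with HDR_MAGIC */
};

static union { uint64_t align; uint8_t bytes[ARENA_SIZE]; } arena;
static size_t arena_top;

static uint8_t hdr_checksum(const struct entry_hdr *h)
{
    return (uint8_t)(HDR_MAGIC ^ (h->size & 0xff) ^ (h->size >> 8) ^ h->in_use);
}

/* Bump allocator: entries sit back to back, as neighbouring chunks do in a
 * real heap, so a linear overflow from one payload lands on the next header. */
static void *toy_alloc(size_t size)
{
    size_t need = sizeof(struct entry_hdr) + size;
    if (size > 0xffff || arena_top + need > ARENA_SIZE)
        return NULL;
    struct entry_hdr *h = (struct entry_hdr *)(arena.bytes + arena_top);
    h->size     = (uint16_t)size;
    h->in_use   = 1;
    h->checksum = hdr_checksum(h);
    arena_top  += need;
    return h + 1;
}

/* Validates the entry header before releasing it.  Returns 0 when the header
 * is intact and HEAP_FAILURE_ENTRY_CORRUPTION when it has been clobbered. */
static int toy_free(void *p)
{
    struct entry_hdr *h = (struct entry_hdr *)p - 1;
    if (h->in_use != 1 || h->checksum != hdr_checksum(h))
        return HEAP_FAILURE_ENTRY_CORRUPTION;
    h->in_use   = 0;
    h->checksum = hdr_checksum(h);
    return 0;
}

static void toy_reset(void)
{
    arena_top = 0;
    memset(arena.bytes, 0, sizeof arena.bytes);
}

/* Decoder-style copy that trusts a length taken from the input: the length
 * and the bytes are both attacker-controlled; the 32-byte destination is
 * never checked against them. */
static void copy_field(uint8_t *dst, const uint8_t *src, size_t claimed_len)
{
    memcpy(dst, src, claimed_len);
}

/* Allocates two neighbouring buffers, overruns the first by 'overflow' bytes
 * (0..16) with constructed 0x41 input, then frees the second.  Returns
 * toy_free's verdict on the neighbour: 0 if intact, 3 if its header is gone. */
static int run_scenario(size_t overflow)
{
    uint8_t input[32 + 16];
    if (overflow > 16)
        return -1;
    toy_reset();
    uint8_t *buf  = toy_alloc(32);   /* buffer the decoder writes into */
    uint8_t *next = toy_alloc(64);   /* uninvolved neighbour */
    if (!buf || !next)
        return -1;
    memset(input, 0x41, sizeof input);           /* constructed sample input */
    copy_field(buf, input, 32 + overflow);       /* overflow > 0 hits next's header */
    return toy_free(next);                       /* the failure surfaces here */
}

int main(void)
{
    printf("no overflow    : free(next) -> %d\n", run_scenario(0));
    printf("1-byte overflow: free(next) -> %d\n", run_scenario(1));
    printf("4-byte overflow: free(next) -> %d\n", run_scenario(4));
    return 0;
}
```

The 0-byte case frees cleanly; any overrun, even a single byte, comes back as 3 from the free of the neighbour, which is why a stack through RtlFreeHeap/msvcrt!free points at the victim, not the culprit. For triage this is the same caveat the reporter makes: the detection site says nothing about how many bytes, or which bytes, the attacker controls, and that control is what separates an exploitable corruption from a plain crash.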

Change History (7)

comment:1 by Carl Eugen Hoyos, 12 years ago

The sample does not crash here and valgrind does not report any problems (except a mem leak).
Is the problem also reproducible with a static ffmpeg build? (Or one with debug symbols?)

Does the sample crash on windows with "ffmpeg -i 500233mewmew-vorbis-ssa.mkvtest579.mkv -f null -" ?
If yes, please provide a backtrace, consider using a non-stripped binary.

comment:2 by John Villamil, 12 years ago

This also crashes on the latest static build from http://ffmpeg.zeranoe.com/builds/ tested on Windows 7.

0:011> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
065efb08 005eeec1 image00400000+0x4e0a41
00000000 00000000 image00400000+0x1eeec1

comment:3 by Carl Eugen Hoyos, 12 years ago

Please consider using gdb (it works fine on windows).

comment:4 by Michael Niedermayer, 12 years ago

Keywords: threads added
Reproduced by developer: set
Status: new → open

Reproducible with address sanitizer, needs multithreading though, no issues with -threads 1.
The crash happens in guess_mv() due to an out-of-array read. I don't know if this is the same issue as reported though.

comment:5 by Carl Eugen Hoyos, 12 years ago

Keywords: crash added
Version: unspecified → git-master

comment:6 by Michael Niedermayer, 12 years ago

Keywords: mpeg4 added
Resolution: fixed
Status: open → closed

comment:7 by Carl Eugen Hoyos, 12 years ago

Keywords: asp added; mpeg4 removed