Controlled EDX in avformat
Reported by: John Villamil
Owned by:
Version: git-master
Keywords: crash SIGSEGV mkv
Blocking:
Reproduced by developer: yes
Analyzed by developer: no
An attacker can control the value in EDX. Whether this issue is exploitable is not clear. I did not take a close look at any of these issues, but it looks pretty dangerous nonetheless.
(5d3c.3f14): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
* ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Users\owner\Desktop\ffmpeg-git-a4c22e3-win32-shared\bin\avformat-54.dll -
699183f5 0fb632 movzx esi,byte ptr [edx] ds:002b:00000016=??
0:002:x86> !load winext\msec.dll
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at avformat_54!avio_rb16+0x0000000000000015 (Hash=0x676f5b27.0x64114365)
The data from the faulting address is later used to determine whether or not a branch is taken.
Tested on the shared build from 2012-04-09 found at http://ffmpeg.zeranoe.com/builds/