Opened 12 years ago

Closed 12 years ago

Last modified 12 years ago

#1208 closed defect (fixed)

EBP Modification

Reported by: John Villamil
Owned by:
Priority: important
Component: avcodec
Version: git-master
Keywords:
Cc: ami_stuff@o2.pl
Blocked By:
Blocking:
Reproduced by developer: yes
Analyzed by developer: no

Description

Through operations within the application, it is possible for an attacker to provide input which can modify the value of EBP.

(54cc.670): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Users\owner\Desktop\ffmpeg-git-a4c22e3-win32-shared\bin\avcodec-54.dll -
avcodec_54!avcodec_register_all+0x100a0:
6a10dfc0 8b6d00 mov ebp,dword ptr [ebp] ss:002b:0000001c=????????
0:010:x86> $<dbgcomm.txt
0:010:x86> r
eax=00000020 ebx=00000000 ecx=020fbe28 edx=6aa8908e esi=00000127 edi=6aa892d0
eip=6a10dfc0 esp=04c0fd60 ebp=0000001c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
avcodec_54!avcodec_register_all+0x100a0:
6a10dfc0 8b6d00 mov ebp,dword ptr [ebp] ss:002b:0000001c=????????
0:010:x86> !load winext\msec.dll
0:010:x86> !exploitable
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\windows\syswow64\KERNELBASE.dll -
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at avcodec_54!avcodec_register_all+0x00000000000100a0 (Hash=0x6b664953.0x20664953)

The data from the faulting address is later used to determine whether or not a branch is taken.
0:010:x86> q
quit:

Tested on the shared build from 2012-04-09 found at http://ffmpeg.zeranoe.com/builds/

A PoC file:
http://w.rdtsc.net/ffmpegmkv/Unknown/EBP.zip

Thanks,
John Villamil

Change History (14)

comment:1 by Carl Eugen Hoyos, 12 years ago

The sample does not crash here and valgrind does not report any problems (except a mem leak).
Is the problem also reproducible with a static ffmpeg build? (Or one with debug symbols?)

Does the sample crash on windows with "ffmpeg -i 702121h264-TTA.mkvtest82.mkv -f null -" ?
If yes, please provide a backtrace, consider using a non-stripped binary.

comment:2 by John Villamil, 12 years ago

This also crashes on the latest static build from http://ffmpeg.zeranoe.com/builds/ tested on Windows 7. If there are symbols anywhere I'll use them, but as of now I don't have a dev environment set up on this OS.

0:012> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
06f0fd60 77460a91 image00400000+0x607e40
06f0fdcc 76541194 KERNELBASE!WaitForSingleObjectEx+0x98
06f0fde8 0053979b kernel32!WaitForSingleObjectExImplementation+0x75
06f0fe18 00404b9a image00400000+0x13979b
06f0ff18 00b08a78 image00400000+0x4b9a
06f0ff38 00b08ace image00400000+0x708a78
06f0ff48 76221287 image00400000+0x708ace
06f0ff80 76221328 msvcrt!_endthreadex+0x44
06f0ff88 7654339a msvcrt!_endthreadex+0xce
06f0ff94 77ad9ef2 kernel32!BaseThreadInitThunk+0xe
06f0ffd4 77ad9ec5 ntdll!__RtlUserThreadStart+0x70
06f0ffec 00000000 ntdll!_RtlUserThreadStart+0x1b

comment:3 by Michael Niedermayer, 12 years ago

Not reproducible with address sanitizer either

comment:4 by Michael Niedermayer, 12 years ago

Try disabling asm or try an old release (if old works, then git bisect should point to the regressing commit)

comment:5 by Michael Niedermayer, 12 years ago

Cannot be reproduced with mingw64 + wine under linux

comment:6 by ami_stuff, 12 years ago

Crashes here with:

(gdb) r -i 702121h264-TTA.mkvtest82.mkv -an -vn out.mkv
Starting program: d:\mingw\msys\1.0\ffmpeg-head-23fba3e\ffmpeg_g.exe -i 702121h2
64-TTA.mkvtest82.mkv -an -vn out.mkv
[New Thread 2872.0xb3c]
ffmpeg version 0.10.2.git-23fba3e Copyright (c) 2000-2012 the FFmpeg developers
  built on May  5 2012 19:57:06 with gcc 4.6.1
  configuration: --disable-ffprobe --enable-gpl
  libavutil      51. 49.100 / 51. 49.100
  libavcodec     54. 19.100 / 54. 19.100
  libavformat    54.  4.100 / 54.  4.100
  libavdevice    53.  4.100 / 53.  4.100
  libavfilter     2. 72.104 /  2. 72.104
  libswscale      2.  1.100 /  2.  1.100
  libswresample   0. 11.100 /  0. 11.100
  libpostproc    52.  0.100 / 52.  0.100
[tta @ 040a6d60] CRC error
[tta @ 040a6d60] Seek table missing or too small
[h264 @ 03b3cc00] concealing 846 DC, 846 AC, 846 MV errors
[h264 @ 03b3cc00] concealing 186 DC, 186 AC, 186 MV errors
[h264 @ 03b3cc00] concealing 459 DC, 459 AC, 459 MV errors
Input #0, matroska,webm, from '702121h264-TTA.mkvtest82.mkv':
  Metadata:
    creation_time   : 2006-12-23 15:47:16
  Duration: 00:24:10.95, start: 0.000000, bitrate: 17 kb/s
    Stream #0:0: Video: h264 (High), yuv420p, 848x480, SAR 1:1 DAR 53:30, 23.98
fps, 23.98 tbr, 1k tbn, 59.94 tbc (default)
    Stream #0:1: Audio: tta, 48000 Hz, stereo, s16 (default)
    Stream #0:2: Subtitle: ssa (default)
    Stream #0:3: Subtitle: ssa
File 'out.mkv' already exists. Overwrite ? [y/N] y
strptime() unavailable on this system, cannot convert the date string.
Output #0, matroska, to 'out.mkv':
  Metadata:
    creation_time   : 2006-12-23 15:47:16
    encoder         : Lavf54.4.100
    Stream #0:0: Subtitle: ssa (default)
Stream mapping:
  Stream #0:2 -> #0:0 (ass -> ass)
Press [q] to stop, [?] for help

Program received signal SIGSEGV, Segmentation fault.
free_section (ctx=0x0, section=0xcb7450) at libavcodec/ass_split.c:314
314             ptr   = *(void **)ptr;
(gdb) bt
#0  free_section (ctx=0x0, section=0xcb7450) at libavcodec/ass_split.c:314
#1  0x009fd5cf in ff_ass_split_dialog (ctx=0x0,
    buf=0x3b4a120 "Dialogue: 0,0:00:02.07,0:00:03.27,OP-00,NTP,0000,0000,0000,,Ń
\203č{\\fe134\\fnÚ╗Ĺń\275ô}┬Ě{\\r}Ń\203č{\\fe134\\fnÚ╗Ĺń\275ô}┬Ě{\\r}Ń\203čŃ\203
ęŃé»Ń\203źÔ\230ć\r\nDialogue: 0,0:00:02.07,0:00:03.27,OPńŞşŠľç-00,NTP,0000,0000,
0000,,ň«×{\\"..., cache=0, number=0x0) at libavcodec/ass_split.c:340
#2  0x008a9715 in ass_decode_frame (avctx=0x40acc60, data=0x22e8d0,
    got_sub_ptr=0x22e910, avpkt=0x22e800) at libavcodec/assdec.c:45
#3  0x00537266 in avcodec_decode_subtitle2 (avctx=0x40acc60, sub=0x22e8d0,
    got_sub_ptr=0x22e910, avpkt=0x22e800) at libavcodec/utils.c:1584
#4  0x00407dfd in transcode_subtitles (got_output=<optimized out>,
    pkt=<optimized out>, ist=<optimized out>) at ffmpeg.c:2677
#5  output_packet (ist=0x3b47960, pkt=0x22fbf0) at ffmpeg.c:2779
#6  0x0040ddd5 in transcode () at ffmpeg.c:3652
#7  0x00af9232 in main (argc=6, argv=0x3b40db0) at ffmpeg.c:5899

comment:7 by ami_stuff, 12 years ago

Cc: ami_stuff@o2.pl added

comment:8 by ami_stuff, 12 years ago

Also with this, but I have no debug build with libmp3lame enabled to get a bt:

C:\>ffmpeg -i 702121h264-TTA.mkvtest82.mkv -vn -sn out.avi
ffmpeg version N-40584-g0159032 Copyright (c) 2000-2012 the FFmpeg developers
  built on May 11 2012 02:38:34 with gcc 4.5.0 20100414 (Fedora MinGW 4.5.0-1.fc
14)
  configuration: --prefix=/var/www/users/research/ffmpeg/snapshots/build --arch=
x86 --target-os=mingw32 --cross-prefix=i686-pc-mingw32- --cc='ccache i686-pc-min
gw32-gcc' --enable-w32threads --enable-memalign-hack --enable-runtime-cpudetect
--enable-cross-compile --enable-static --disable-shared --extra-libs='-lws2_32 -
lwinmm' --extra-cflags='--static -I/var/www/users/research/ffmpeg/snapshots/buil
d/include' --extra-ldflags='-static -L/var/www/users/research/ffmpeg/snapshots/b
uild/lib' --enable-bzlib --enable-zlib --enable-gpl --enable-version3 --enable-n
onfree --enable-libx264 --enable-libspeex --enable-libtheora --enable-libvorbis
--enable-libfaac --enable-libxvid --enable-libopencore-amrnb --enable-libopencor
e-amrwb --enable-libmp3lame --enable-libvpx --disable-decoder=libvpx
  libavutil      51. 50.100 / 51. 50.100
  libavcodec     54. 21.101 / 54. 21.101
  libavformat    54.  4.100 / 54.  4.100
  libavdevice    53.  4.100 / 53.  4.100
  libavfilter     2. 72.105 /  2. 72.105
  libswscale      2.  1.100 /  2.  1.100
  libswresample   0. 11.100 /  0. 11.100
  libpostproc    52.  0.100 / 52.  0.100
[tta @ 0x2337560] CRC error
[tta @ 0x2337560] Seek table missing or too small
[h264 @ 0x1dccac0] concealing 846 DC, 846 AC, 846 MV errors
[h264 @ 0x1dccac0] concealing 186 DC, 186 AC, 186 MV errors
[h264 @ 0x1dccac0] concealing 459 DC, 459 AC, 459 MV errors
Input #0, matroska,webm, from '702121h264-TTA.mkvtest82.mkv':
  Metadata:
    creation_time   : 2006-12-23 15:47:16
  Duration: 00:24:10.95, start: 0.000000, bitrate: 17 kb/s
    Stream #0:0: Video: h264 (High), yuv420p, 848x480, SAR 1:1 DAR 53:30, 23.98
fps, 23.98 tbr, 1k tbn, 59.94 tbc (default)
    Stream #0:1: Audio: tta, 48000 Hz, stereo, s16 (default)
    Stream #0:2: Subtitle: ssa (default)
    Stream #0:3: Subtitle: ssa
CRC error
[tta @ 0x2337560] Seek table missing or too small
Output #0, avi, to 'out.avi':
  Metadata:
    creation_time   : 2006-12-23 15:47:16
    ISFT            : Lavf54.4.100
    Stream #0:0: Audio: mp3 (U[0][0][0] / 0x0055), 48000 Hz, stereo, s16 (defaul
t)
Stream mapping:
  Stream #0:1 -> #0:0 (tta -> libmp3lame)
Press [q] to stop, [?] for help
[tta @ 0x2337560] CRC error
Error while decoding stream #0:1
[tta @ 0x2337560] CRC error
Error while decoding stream #0:1
[tta @ 0x2337560] CRC error
Error while decoding stream #0:1
[tta @ 0x2337560] CRC error
Error while decoding stream #0:1
[tta @ 0x2337560] CRC error
Error while decoding stream #0:1
[tta @ 0x2337560] CRC error
Error while decoding stream #0:1
[tta @ 0x2337560] CRC error
Error while decoding stream #0:1
[tta @ 0x2337560] CRC error
Error while decoding stream #0:1
[matroska,webm @ 0x1dcc5c0] Read error
[libmp3lame @ 0x233d020] Trying to remove 1152 samples, but que empty

comment:9 by Carl Eugen Hoyos, 12 years ago

Priority: critical → important
Reproduced by developer: set
Status: new → open
Version: unspecified → git-master

(gdb) r -i 702121h264-TTA.mkvtest82.mkv -vn out.mp3
Starting program: ffmpeg_g -i 702121h264-TTA.mkvtest82.mkv -vn out.mp3
[Thread debugging using libthread_db enabled]
[New Thread 0xb79bd6c0 (LWP 7569)]
ffmpeg version N-40602-g3b56324 Copyright (c) 2000-2012 the FFmpeg developers
  built on May 12 2012 09:13:48 with gcc 4.3.2
  configuration: --cc=/usr/local/gcc-4.3.2/bin/gcc --enable-gpl --enable-libopenjpeg --enable-libvorbis --enable-libspeex --enable-libmp3lame --enable-libtheora --extra-ldflags=-lm
  libavutil      51. 50.100 / 51. 50.100
  libavcodec     54. 21.101 / 54. 21.101
  libavformat    54.  4.100 / 54.  4.100
  libavdevice    53.  4.100 / 53.  4.100
  libavfilter     2. 72.105 /  2. 72.105
  libswscale      2.  1.100 /  2.  1.100
  libswresample   0. 11.100 /  0. 11.100
  libpostproc    52.  0.100 / 52.  0.100
[tta @ 0x8f15660] CRC error
[tta @ 0x8f15660] Seek table missing or too small
[h264 @ 0x8f074a0] concealing 846 DC, 846 AC, 846 MV errors
[h264 @ 0x8f074a0] concealing 186 DC, 186 AC, 186 MV errors
[h264 @ 0x8f074a0] concealing 459 DC, 459 AC, 459 MV errors
Input #0, matroska,webm, from '702121h264-TTA.mkvtest82.mkv':
  Metadata:
    creation_time   : 2006-12-23 15:47:16
  Duration: 00:24:10.95, start: 0.000000, bitrate: 17 kb/s
    Stream #0:0: Video: h264 (High), yuv420p, 848x480, SAR 1:1 DAR 53:30, 23.98 fps, 23.98 tbr, 1k tbn, 59.94 tbc (default)
    Stream #0:1: Audio: tta, 48000 Hz, stereo, s16 (default)
    Stream #0:2: Subtitle: ssa (default)
    Stream #0:3: Subtitle: ssa
[tta @ 0x8f15660] CRC error
[tta @ 0x8f15660] Seek table missing or too small
Output #0, mp3, to 'out.mp3':
  Metadata:
    TDEN            : 2006-12-23 15:47:16
    TSSE            : Lavf54.4.100
    Stream #0:0: Audio: mp3, 48000 Hz, stereo, s16 (default)
Stream mapping:
  Stream #0:1 -> #0:0 (tta -> libmp3lame)
Press [q] to stop, [?] for help
[tta @ 0x8f15660] CRC error
Error while decoding stream #0:1
[tta @ 0x8f15660] CRC error
Error while decoding stream #0:1
[tta @ 0x8f15660] CRC error
Error while decoding stream #0:1
[tta @ 0x8f15660] CRC error
Error while decoding stream #0:1
[tta @ 0x8f15660] CRC error
Error while decoding stream #0:1
[tta @ 0x8f15660] CRC error
Error while decoding stream #0:1
[tta @ 0x8f15660] CRC error
Error while decoding stream #0:1
[tta @ 0x8f15660] CRC error
Error while decoding stream #0:1
[matroska,webm @ 0x8eff3c0] Read error
[libmp3lame @ 0x8f57900] Trying to remove 1152 samples, but que empty

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb79bd6c0 (LWP 7569)]
0x086dd1b7 in ff_af_queue_remove (afq=0x8f5d0e4, nb_samples=1152, pts=0xbfa48780, duration=0xbfa487a8)
    at libavcodec/audio_frame_queue.c:103
103             if(afq->frames[0].pts != AV_NOPTS_VALUE)
(gdb) bt
#0  0x086dd1b7 in ff_af_queue_remove (afq=0x8f5d0e4, nb_samples=1152, pts=0xbfa48780, duration=0xbfa487a8)
    at libavcodec/audio_frame_queue.c:103
#1  0x084383ba in mp3lame_encode_frame (avctx=0x8f57900, avpkt=0xbfa48780, frame=0x0,
    got_packet_ptr=0xbfa48844) at libavcodec/libmp3lame.c:265
#2  0x0857cf9a in avcodec_encode_audio2 (avctx=0xbfa48844, avpkt=0xbfa48780, frame=0x0, got_packet_ptr=0x0)
    at libavcodec/utils.c:1106
#3  0x08056713 in encode_audio_frame (s=0x8f4fd80, ost=0x8f250a0, buf=0x0, buf_size=0) at ffmpeg.c:1535
#4  0x0805bb2f in transcode () at ffmpeg.c:2352
#5  0x0805ca96 in main (argc=150305024, argv=0x451) at ffmpeg.c:5931
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x86dd197 to 0x86dd1d7:
0x086dd197 <ff_af_queue_remove+343>:    decl   -0x74bfdbac(%ebx)
0x086dd19d <ff_af_queue_remove+349>:    inc    %edx
0x086dd19e <ff_af_queue_remove+350>:    adc    %ch,(%ecx)
0x086dd1a0 <ff_af_queue_remove+352>:    fadds  0x104289ed(%ebp)
0x086dd1a6 <ff_af_queue_remove+358>:    je     0x86dd1f8 <ff_af_queue_remove+440>
0x086dd1a8 <ff_af_queue_remove+360>:    test   %eax,%eax
0x086dd1aa <ff_af_queue_remove+362>:    jne    0x86dd2c4 <ff_af_queue_remove+644>
0x086dd1b0 <ff_af_queue_remove+368>:    mov    0x40(%esp),%ecx
0x086dd1b4 <ff_af_queue_remove+372>:    mov    0xc(%ecx),%esi
0x086dd1b7 <ff_af_queue_remove+375>:    mov    0x4(%esi),%ebx
0x086dd1ba <ff_af_queue_remove+378>:    mov    (%esi),%ecx
0x086dd1bc <ff_af_queue_remove+380>:    lea    -0x80000000(%ebx),%eax
0x086dd1c2 <ff_af_queue_remove+386>:    or     %ecx,%eax
0x086dd1c4 <ff_af_queue_remove+388>:    je     0x86dd1d6 <ff_af_queue_remove+406>
0x086dd1c6 <ff_af_queue_remove+390>:    mov    %ebp,%eax
0x086dd1c8 <ff_af_queue_remove+392>:    mov    %ebp,%edx
0x086dd1ca <ff_af_queue_remove+394>:    sar    $0x1f,%edx
0x086dd1cd <ff_af_queue_remove+397>:    add    %ecx,%eax
0x086dd1cf <ff_af_queue_remove+399>:    adc    %ebx,%edx
0x086dd1d1 <ff_af_queue_remove+401>:    mov    %eax,(%esi)
0x086dd1d3 <ff_af_queue_remove+403>:    mov    %edx,0x4(%esi)
0x086dd1d6 <ff_af_queue_remove+406>:    mov    0x40(%esp),%edx
End of assembler dump.
(gdb) info register
eax            0x0      0
ecx            0x8f5d0e4        150327524
edx            0x8f5d0e4        150327524
ebx            0x0      0
esp            0xbfa48490       0xbfa48490
ebp            0x480    0x480
esi            0x0      0
edi            0x8f57900        150305024
eip            0x86dd1b7        0x86dd1b7 <ff_af_queue_remove+375>
eflags         0x10246  [ PF ZF IF RF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
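The gdb session above faults on `afq->frames[0].pts` with esi (the value loaded from `afq->frames`) equal to 0, immediately after libmp3lame warned that the queue was empty. The following C illustration is added here and is not FFmpeg's code or the commits that closed this ticket: it shows that order of operations (warn, then still read element 0 of a NULL array) beside a guarded version that rejects the empty queue before touching any element. The queue layout, sample values and function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Same sentinel value as FFmpeg's AV_NOPTS_VALUE, named in the faulting source line. */
#define AV_NOPTS_VALUE ((int64_t)UINT64_C(0x8000000000000000))

typedef struct { int64_t pts; int duration; } QueuedFrame;

/* Constructed queue (assumed layout): frames is NULL when nothing is queued,
 * the state the register dump shows (esi, loaded from afq->frames, is 0). */
typedef struct { QueuedFrame *frames; unsigned frame_count; } FrameQueue;

/* Unchecked variant, mirroring the order seen in the log: the "queue empty"
 * warning is emitted, but frames[0] is still read and faults on NULL. */
int remove_unchecked(FrameQueue *afq, int nb_samples, int64_t *pts)
{
    if (!afq->frame_count)
        fprintf(stderr, "Trying to remove %d samples, but queue empty\n", nb_samples);
    if (afq->frames[0].pts != AV_NOPTS_VALUE) /* NULL dereference when empty */
        *pts = afq->frames[0].pts;
    return 0;
}

/* Guarded variant: the empty queue is rejected before any element is touched.
 * Returns 0 on success, -1 when nothing was queued (pts left as AV_NOPTS_VALUE). */
int remove_guarded(FrameQueue *afq, int nb_samples, int64_t *pts)
{
    *pts = AV_NOPTS_VALUE;
    if (!afq->frame_count || !afq->frames) {
        fprintf(stderr, "Trying to remove %d samples, but queue empty\n", nb_samples);
        return -1;
    }
    if (afq->frames[0].pts != AV_NOPTS_VALUE)
        *pts = afq->frames[0].pts;
    /* Consume nb_samples: drop fully used leading frames, trim a partial one. */
    while (afq->frame_count && nb_samples >= afq->frames[0].duration) {
        nb_samples -= afq->frames[0].duration;
        afq->frames++;
        afq->frame_count--;
    }
    if (afq->frame_count && nb_samples > 0) {
        afq->frames[0].duration -= nb_samples;
        if (afq->frames[0].pts != AV_NOPTS_VALUE)
            afq->frames[0].pts += nb_samples;
    }
    if (!afq->frame_count)
        afq->frames = NULL; /* back to the state the unchecked path mishandles */
    return 0;
}
```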

comment:10 by Michael Niedermayer, 12 years ago

Resolution: fixed
Status: open → closed

comment:11 by Jean-Pierre Gygax, 12 years ago

I'm using the latest Zeranoe builds and am still experiencing this AV (Windows 7, 32-bit). What does the fix consist of?

comment:12 (in reply to: 11) by Carl Eugen Hoyos, 12 years ago

Replying to jpgygax68:

I'm using the latest Zeranoe builds and am still experiencing this AV (Windows 7, 32-bit).

Then please provide a backtrace as explained on http://ffmpeg.org/bugreports.html, gdb works fine on Windows.

comment:13 by Roger Pack, 12 years ago

I was able to reproduce ffmpeg -i 702121h264-TTA.mkvtest82.mkv -an -vn out.mkv crashing with ffmpeg-20120409-git-6bfb304-win32-shared (64-bit Windows 7). Seems to work OK now for me with ffmpeg-20120612-git-728f86e-win32-shared

Which version fails for you?

(Also, would it be possible to get the hash of the commit that fixed it, just for curiosity's sake?)

comment:14 (in reply to: 13) by Carl Eugen Hoyos, 12 years ago

Replying to rogerdpack:

(Also, would it be possible to get the hash of the commit that fixed it, just for curiosity's sake?)

Please search git log for "ticket1208", there is more than one commit.
