Carl Eugen Hoyos <[email protected]> added the comment:

$ valgrind ./ffmpeg_g -i exploit.bin
==24941== Memcheck, a memory error detector
==24941== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==24941== Using Valgrind-3.5.0 and LibVEX; rerun with -h for copyright info
==24941== Command: ./ffmpeg_g -i exploit.bin -f null -
==24941==
FFmpeg version SVN-r26041, Copyright (c) 2000-2010 the FFmpeg developers
  built on Dec 17 2010 10:59:06 with gcc 4.4.5
  configuration: --cc='/usr/local/gcc-4.4.5/bin/gcc -m32' --disable-asm --disable-optimizations
  libavutil     50.34. 0 / 50.34. 0
  libavcore      0.16. 0 /  0.16. 0
  libavcodec    52.99. 1 / 52.99. 1
  libavformat   52.88. 0 / 52.88. 0
  libavdevice   52. 2. 2 / 52. 2. 2
  libavfilter    1.69. 0 /  1.69. 0
  libswscale     0.12. 0 /  0.12. 0
==24941== Invalid read of size 4
==24941==    at 0x815E06C: put_pixels8_c (dsputil.c:1175)
==24941==    by 0x815F177: put_pixels16_c (dsputil.c:1175)
==24941==    by 0x82878C8: mpeg_motion_internal (mpegvideo_common.h:354)
==24941==    by 0x82879EC: mpeg_motion (mpegvideo_common.h:377)
==24941==    by 0x828A926: MPV_motion_internal (mpegvideo_common.h:825)
==24941==    by 0x828ACD9: MPV_motion (mpegvideo_common.h:894)
==24941==    by 0x8292250: MPV_decode_mb_internal (mpegvideo.c:1950)
==24941==    by 0x8292F95: MPV_decode_mb (mpegvideo.c:2084)
==24941==    by 0x825D834: mpeg_decode_slice (mpeg12.c:1795)
==24941==    by 0x825F5FF: decode_chunks (mpeg12.c:2470)
==24941==    by 0x825ED0A: mpeg_decode_frame (mpeg12.c:2272)
==24941==    by 0x8330BBD: avcodec_decode_video2 (utils.c:626)
==24941==  Address 0x2f0 is not stack'd, malloc'd or (recently) free'd
==24941==
==24941==
==24941== Process terminating with default action of signal 11 (SIGSEGV)
==24941==  Access not within mapped region at address 0x2F0
==24941==    at 0x815E06C: put_pixels8_c (dsputil.c:1175)
==24941==    by 0x815F177: put_pixels16_c (dsputil.c:1175)
==24941==    by 0x82878C8: mpeg_motion_internal (mpegvideo_common.h:354)
==24941==    by 0x82879EC: mpeg_motion (mpegvideo_common.h:377)
==24941==    by 0x828A926: MPV_motion_internal (mpegvideo_common.h:825)
==24941==    by 0x828ACD9: MPV_motion (mpegvideo_common.h:894)
==24941==    by 0x8292250: MPV_decode_mb_internal (mpegvideo.c:1950)
==24941==    by 0x8292F95: MPV_decode_mb (mpegvideo.c:2084)
==24941==    by 0x825D834: mpeg_decode_slice (mpeg12.c:1795)
==24941==    by 0x825F5FF: decode_chunks (mpeg12.c:2470)
==24941==    by 0x825ED0A: mpeg_decode_frame (mpeg12.c:2272)
==24941==    by 0x8330BBD: avcodec_decode_video2 (utils.c:626)
==24941==  If you believe this happened as a result of a stack
==24941==  overflow in your program's main thread (unlikely but
==24941==  possible), you can try to increase the size of the
==24941==  main thread stack using the --main-stacksize= flag.
==24941==  The main thread stack size used in this run was 8388608.
==24941==
==24941== HEAP SUMMARY:
==24941==     in use at exit: 1,028,749 bytes in 41 blocks
==24941==   total heap usage: 76 allocs, 35 frees, 1,167,109 bytes allocated
==24941==
==24941== LEAK SUMMARY:
==24941==    definitely lost: 0 bytes in 0 blocks
==24941==    indirectly lost: 0 bytes in 0 blocks
==24941==      possibly lost: 0 bytes in 0 blocks
==24941==    still reachable: 1,028,749 bytes in 41 blocks
==24941==         suppressed: 0 bytes in 0 blocks
==24941== Rerun with --leak-check=full to see details of leaked memory
==24941==
==24941== For counts of detected and suppressed errors, rerun with: -v
==24941== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 3 from 3)
Segmentation fault

(gdb) r -i exploit.bin                        
Starting program: ffmpeg_g -i exploit.bin
FFmpeg version SVN-r26041, Copyright (c) 2000-2010 the FFmpeg developers
  built on Dec 17 2010 10:59:06 with gcc 4.4.5
  configuration: --cc='/usr/local/gcc-4.4.5/bin/gcc -m32' --disable-asm --disable-optimizations
  libavutil     50.34. 0 / 50.34. 0
  libavcore      0.16. 0 /  0.16. 0
  libavcodec    52.99. 1 / 52.99. 1
  libavformat   52.88. 0 / 52.88. 0
  libavdevice   52. 2. 2 / 52. 2. 2
  libavfilter    1.69. 0 /  1.69. 0
  libswscale     0.12. 0 /  0.12. 0

Program received signal SIGSEGV, Segmentation fault.
0x0815e06c in put_pixels8_c (                       
    block=0xf7c9c220
"\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200\200"...,
pixels=0x2f0 <Address 0x2f0 out of bounds>, line_size=1504, h=16) at
libavcodec/dsputil.c:1175
1175    PIXOP2(put, op_put)
(gdb) bt
#0  0x0815e06c in put_pixels8_c (
    block=0xf7c9c220 "\200\200"..., pixels=0x2f0 <Address 0x2f0 out of bounds>,
line_size=1504, h=16) at libavcodec/dsputil.c:1175
#1  0x0815f178 in put_pixels16_c (
    block=0xf7c9c220 "\200\200"..., pixels=0x2f0 <Address 0x2f0 out of bounds>,
line_size=1504, h=16) at libavcodec/dsputil.c:1175
#2  0x082878c9 in mpeg_motion_internal (s=0x8ac4b00,
    dest_y=0xf7c9c220 "\200\200"...,
    dest_cb=0x8b0c7b0 "\200\200"...,
    dest_cr=0x8b28670 "\200\200"..., field_based=0, bottom_field=0,
field_select=1, ref_picture=0x8ac4c14, pix_op=0x8ac5804, motion_x=0, motion_y=0,
h=16,
    is_mpeg12=1, mb_y=0) at libavcodec/mpegvideo_common.h:354
#3  0x082879ed in mpeg_motion (s=0x8ac4b00,
    dest_y=0xf7c9c220 "\200\200"...,
    dest_cb=0x8b0c7b0 "\200\200"...,
    dest_cr=0x8b28670 "\200\200"..., field_based=0, bottom_field=0,
field_select=1, ref_picture=0x8ac4c14, pix_op=0x8ac5804, motion_x=0, motion_y=0,
h=16,  
    mb_y=0) at libavcodec/mpegvideo_common.h:377
#4  0x0828a927 in MPV_motion_internal (s=0x8ac4b00,
    dest_y=0xf7c9c220 "\200\200"...,
    dest_cb=0x8b0c7b0 "\200\200"...,
    dest_cr=0x8b28670 "\200\200"..., dir=0, ref_picture=0x8ac4c14,
pix_op=0x8ac5804, qpix_op=0x0, is_mpeg12=1) at libavcodec/mpegvideo_common.h:825
#5  0x0828acda in MPV_motion (s=0x8ac4b00,
    dest_y=0xf7c9c220 "\200\200"...,
    dest_cb=0x8b0c7b0 "\200\200"...,
    dest_cr=0x8b28670 "\200\200"..., dir=0, ref_picture=0x8ac4c14,
pix_op=0x8ac5804, qpix_op=0x0) at libavcodec/mpegvideo_common.h:894
#6  0x08292251 in MPV_decode_mb_internal (s=0x8ac4b00, block=0x8b0a5d0,
lowres_flag=0, is_mpeg12=1) at libavcodec/mpegvideo.c:1950
#7  0x08292f96 in MPV_decode_mb (s=0x8ac4b00, block=0x8b0a5d0) at
libavcodec/mpegvideo.c:2084
#8  0x0825d835 in mpeg_decode_slice (s1=0x8ac4b00, mb_y=1, buf=0xffffc9e0,
buf_size=501) at libavcodec/mpeg12.c:1795
#9  0x0825f600 in decode_chunks (avctx=0x8ac4580, picture=0xffffcac0,
data_size=0xffffcb90, buf=0x8ad2d60 "", buf_size=11505) at 
libavcodec/mpeg12.c:2470
#10 0x0825ed0b in mpeg_decode_frame (avctx=0x8ac4580, data=0xffffcac0,
data_size=0xffffcb90, avpkt=0x8aca760) at libavcodec/mpeg12.c:2272
#11 0x08330bbe in avcodec_decode_video2 (avctx=0x8ac4580, picture=0xffffcac0,
got_picture_ptr=0xffffcb90, avpkt=0x8aca760) at libavcodec/utils.c:626
#12 0x08110113 in try_decode_frame (st=0x8ac2cd0, avpkt=0x8aca760) at
libavformat/utils.c:2079
#13 0x08110fc0 in av_find_stream_info (ic=0x8ac1cc0) at libavformat/utils.c:2360
#14 0x0805552a in opt_input_file (filename=0xffffd26c
"/home/cehoyos/issues/issue2367/exploit.bin") at ffmpeg.c:3219
#15 0x08058aef in parse_options (argc=3, argv=0xffffd004, options=0x8444d60,
parse_arg_function=0x8056ce9 <opt_output_file>) at cmdutils.c:204
#16 0x0805823b in main (argc=3, argv=0xffffd004) at ffmpeg.c:4338
(gdb) disass $pc-32 $pc+32
Dump of assembler code from 0x815e04c to 0x815e08c:
0x0815e04c <put_pixels4_c+40>:  add    %ecx,0x453bfc45(%ebx)
0x0815e052 <put_pixels4_c+46>:  adc    $0x7c,%al
0x0815e054 <put_pixels4_c+48>:  fmulp  %st,%st(1)
0x0815e056 <put_pixels4_c+50>:  ret
0x0815e057 <put_pixels8_c+0>:   push   %ebp
0x0815e058 <put_pixels8_c+1>:   mov    %esp,%ebp
0x0815e05a <put_pixels8_c+3>:   sub    $0x10,%esp
0x0815e05d <put_pixels8_c+6>:   movl   $0x0,-0x4(%ebp)
0x0815e064 <put_pixels8_c+13>:  jmp    0x815e090 <put_pixels8_c+57>
0x0815e066 <put_pixels8_c+15>:  mov    0x8(%ebp),%eax
0x0815e069 <put_pixels8_c+18>:  mov    0xc(%ebp),%edx
0x0815e06c <put_pixels8_c+21>:  mov    (%edx),%edx
0x0815e06e <put_pixels8_c+23>:  mov    %edx,(%eax)
0x0815e070 <put_pixels8_c+25>:  mov    0x8(%ebp),%eax
0x0815e073 <put_pixels8_c+28>:  lea    0x4(%eax),%edx
0x0815e076 <put_pixels8_c+31>:  mov    0xc(%ebp),%eax
0x0815e079 <put_pixels8_c+34>:  add    $0x4,%eax
0x0815e07c <put_pixels8_c+37>:  mov    (%eax),%eax
0x0815e07e <put_pixels8_c+39>:  mov    %eax,(%edx)
0x0815e080 <put_pixels8_c+41>:  mov    0x10(%ebp),%eax
0x0815e083 <put_pixels8_c+44>:  add    %eax,0xc(%ebp)
0x0815e086 <put_pixels8_c+47>:  mov    0x10(%ebp),%eax
0x0815e089 <put_pixels8_c+50>:  add    %eax,0x8(%ebp)
End of assembler dump.
(gdb) info registers
eax            0xf7c9c220       -137772512
ecx            0x0      0
edx            0x2f0    752
ebx            0x2f0    752
esp            0xffffc540       0xffffc540
ebp            0xffffc550       0xffffc550
esi            0x37e    894
edi            0x0      0
eip            0x815e06c        0x815e06c <put_pixels8_c+21>
eflags         0x10287  [ CF PF SF IF RF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99

Reading the frames together: frame #0 has pixels=0x2f0 with line_size=1504 (and ref_picture itself is a valid heap address, 0x8ac4c14, in frame #2), and the faulting instruction at 0x815e06c is `mov (%edx),%edx` with edx=0x2f0 — a 4-byte load from the source pointer, not a store. So what crashes is a read through a pointer that is a small constant offset from NULL, i.e. the reference picture's plane base looks like it was never allocated before motion compensation ran (note field_select=1 with motion_x=motion_y=0 and mb_y=0; 0x2f0 = 752 is exactly line_size/2, which suggests the offset is a line/field term added to a NULL base — worth confirming in mpeg_motion_internal). Impact as demonstrated is a crash (denial of service): the trigger is reached from av_find_stream_info while merely probing the input (frames #12–#14), so any consumer that opens the file is affected, but there is no evidence here of a write to an attacker-controlled address.

________________________________________________
FFmpeg issue tracker <[email protected]>
<https://roundup.ffmpeg.org/issue2367>
________________________________________________
