oss-sec mailing list archives
【Vulnerability Report 】 - from QIHU 360 China
From: 罗大龙 <luodalongde () gmail com>
Date: Sun, 4 Jan 2015 10:56:32 +0800
Hi there, greetings! This is Qinghao Tang from the QIHU 360 company, China. I am a security researcher there. I'm writing to apply for a CVE ID for a 0-day vulnerability in ffmpeg. Please refer to the report below.

[requester info]
name: Qinghao Tang
company: QIHU 360 company, China
email: luodalongde () gmail com

[vendor info]
name: ffmpeg
email: ffmpeg-security () ffmpeg org
website: http://www.ffmpeg.org/

[vulnerable ffmpeg version]
2.1.x

[vulnerability description]
The seg_write_packet() function in ffmpeg-2.1.4/libavformat/segment.c contains a UAF (use after free) vulnerability, which allows remote attackers to cause a denial of service (invalid memory handler) or possibly execute arbitrary code by using a crafted video file.

[vulnerability reason]

    static int seg_write_packet(AVFormatContext *s, AVPacket *pkt)
    {
        SegmentContext *seg = s->priv_data;
        AVFormatContext *oc = seg->avf;
        ....
        // segment_start() -> segment_mux_init(): s->priv_data->avf = avformat_alloc_context()
        // i.e. resets s->priv_data->avf
        if ((ret = segment_start(s, seg->individual_header_trailer)) < 0)
            goto fail;
        ....
    fail:
        if (pkt->stream_index == seg->reference_stream_index)
            seg->frame_count++;
        if (ret < 0) {
            if (seg->list)
                avio_close(seg->list_pb);
            // oc has been freed before.
            avformat_free_context(oc);
        }
        return ret;
    }

[crash info from /var/log/messages]

    Dec 24 15:41:26 w-r351 kernel: ffmpeg[8927]: segfault at 7fffffff0 ip 000000000057599e sp 00007fff0beacfc0 error 4 in ffmpeg[400000+a7b000]
    Dec 23 02:45:58 localhost kernel: ffmpeg[11883]: segfault at 8000 ip 0000000000ba45c2 sp 00007fff740292d0 error 4 in ffmpeg[400000+a7b000]
    Dec 17 01:18:31 w-r359 kernel: ffmpeg[17119]: segfault at 100000028 ip 00000000005758de sp 00007fff4b1847a0 error 4 in ffmpeg[400000+a7b000]
    Dec 17 09:13:59 w-r351 kernel: ffmpeg[4451]: segfault at 1c8 ip 0000000000575949 sp 00007fff23065010 error 4 in ffmpeg[400000+a7b000]

[patch]
ffmpeg-2.1.6/libavformat/segment.c

--- segment.c 2014-11-29 03:34:20.000000000 +0800
+++ segment.c.new 2014-12-25 10:21:24.257001354 +0800
@@ -713,7 +713,7 @@
     if (ret < 0) {
         if (seg->list)
             avio_close(seg->list_pb);
-        avformat_free_context(oc);
+        avformat_free_context(seg->avf);
     }
     return ret;

[vulnerability sample]
The sample is a porn video.
Download url: http://www.datafilehost.com/d/b384ec71

Thanks, Merry Christmas and a happy new year!
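Review bot: after `avformat_free_context(seg->avf);` the field still holds the freed pointer, so any later cleanup that reaches seg->avf (a trailer or close path, for instance) would operate on freed memory; add `seg->avf = NULL;` right after the call. The replacement itself is the right fix for the path shown in the report: `oc` was captured at function entry, segment_start() replaced seg->avf before failing, so freeing seg->avf here releases the live context instead of the one that was already released.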
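The stale-pointer pattern the report describes, as an added example that is not part of the original post and not FFmpeg's code: a minimal C model in which a context pointer is copied into a local at function entry, a callee replaces the allocation, and the failure path frees through the stale local. The struct names (Ctx, SegCtx), the instrumented ctx_alloc/ctx_free allocator, the segment_start/segment_mux_init/write_frame stand-ins and the fail_start knob are all assumptions of this model; the two write_packet variants only reproduce the shape of the buggy and patched failure paths.

```c
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for AVFormatContext (hypothetical struct, not FFmpeg's). */
typedef struct Ctx { int id; } Ctx;

/* Stand-in for SegmentContext, reduced to the field the bug concerns plus a test knob. */
typedef struct SegCtx {
    Ctx *avf;        /* current output context; replaced by segment_mux_init() */
    int  fail_start; /* assumption: make segment_start() fail after the context was replaced */
} SegCtx;

/* Instrumented allocator: tracks the single live context so that freeing a
 * pointer that is not the live one (use after free / double free) is counted
 * instead of corrupting the heap. */
static Ctx *live_ctx = NULL;
static int  stale_free_count = 0;

static Ctx *ctx_alloc(void)
{
    Ctx *c = calloc(1, sizeof *c);
    if (!c)
        abort();
    live_ctx = c;
    return c;
}

static void ctx_free(Ctx *c)
{
    if (!c)
        return;
    if (c != live_ctx) {     /* not the live allocation: this is the UAF the report describes */
        stale_free_count++;
        return;              /* never touch freed memory in this model */
    }
    live_ctx = NULL;
    free(c);
}

/* Mirrors the report's description of segment_mux_init(): the old context is
 * released and seg->avf now points at a freshly allocated one. */
static int segment_mux_init(SegCtx *seg)
{
    ctx_free(seg->avf);
    seg->avf = ctx_alloc();
    return 0;
}

/* Stand-in for segment_start(): re-initialises the muxer, then possibly fails
 * (as opening or writing the header of the new segment could). */
static int segment_start(SegCtx *seg)
{
    int ret = segment_mux_init(seg);
    if (ret < 0)
        return ret;
    return seg->fail_start ? -1 : 0;
}

/* Stand-in for writing a frame: succeeds only on the live context. */
static int write_frame(Ctx *oc)
{
    return oc == live_ctx ? 0 : -1;
}

/* Vulnerable shape: 'oc' is read once at entry; the failure path reuses it
 * although segment_mux_init() has already released that context. */
static int write_packet_vulnerable(SegCtx *seg)
{
    Ctx *oc = seg->avf;
    int ret;

    if ((ret = segment_start(seg)) < 0)
        goto fail;
    oc  = seg->avf;          /* success path picks up the new context (this model's choice) */
    ret = write_frame(oc);
fail:
    if (ret < 0)
        ctx_free(oc);        /* stale pointer on the goto path */
    return ret;
}

/* Patched shape, as in the posted diff: free whatever seg->avf points at now.
 * Clearing the field afterwards is an addition beyond the posted patch. */
static int write_packet_fixed(SegCtx *seg)
{
    Ctx *oc = seg->avf;
    int ret;

    if ((ret = segment_start(seg)) < 0)
        goto fail;
    oc  = seg->avf;
    ret = write_frame(oc);
fail:
    if (ret < 0) {
        ctx_free(seg->avf);
        seg->avf = NULL;
    }
    return ret;
}

/* Runs one variant on a fresh context and returns how many stale frees the
 * instrumented allocator counted; the trailing ctx_free plays the role of a
 * later trailer/close path releasing whatever survived. */
static int run_write(int (*write_packet)(SegCtx *), int fail_start)
{
    SegCtx seg = {0};

    stale_free_count = 0;
    seg.avf        = ctx_alloc();
    seg.fail_start = fail_start;
    write_packet(&seg);
    ctx_free(seg.avf);
    return stale_free_count;
}

int main(void)
{
    printf("vulnerable, segment_start fails: %d stale free(s)\n", run_write(write_packet_vulnerable, 1));
    printf("fixed,      segment_start fails: %d stale free(s)\n", run_write(write_packet_fixed, 1));
    return 0;
}
```

The model only counts a stale free instead of performing it; under a real allocator the same sequence is what produces the segfaults quoted in the report, since the freed block may already have been reused by the time avformat_free_context() walks it.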