Opened 3 years ago

Closed 3 years ago

Last modified 2 years ago

#7860 closed defect (fixed)

VLC media player 2.0.4 suffers from buffer overflow

Reported by: coolkaveh Owned by: jb
Priority: high Milestone: 2.0.5
Component: Build system: Contribs Version: master git
Severity: blocker Keywords:
Cc: cehoyos Difficulty: unknown
Platform(s): all Work status: Not started

Description (last modified by jb)

Buffer overflow when handling a malicious swf file

------------------------------------------------------------------------
(7b4.a14): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=75737574 ebx=00e44c20 ecx=7ffd5000 edx=00e44e84 esi=038488c8 edi=000007c0
eip=75737574 esp=0196fb5c ebp=00000002 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210206
Missing image name, possible paged-out or corrupt data.
75737574 ??              ???
0:009>!exploitable -v
eax=75737574 ebx=00e44c20 ecx=7ffd5000 edx=00e44e84 esi=038488c8 edi=000007c0
eip=75737574 esp=0196fb5c ebp=00000002 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210206
75737574 ??              ???
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\VideoLAN\VLC\libvlccore.dll - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\VideoLAN\VLC\plugins\codec\libavcodec_plugin.dll - 
Exception Faulting Address: 0x75737574
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Data Execution Protection (DEP) Violation
 
Exception Hash (Major/Minor): 0x307d391a.0x6f0f1537
 
Stack Trace:
Unknown
libvlccore!vout_ReleasePicture+0x32
libavcodec_plugin!vlc_entry_license__1_2_0l+0xe09
libavcodec_plugin!vlc_entry_license__1_2_0l+0xdf26b
libavcodec_plugin!vlc_entry_license__1_2_0l+0xdee0e
libavcodec_plugin!vlc_entry_license__1_2_0l+0xdf37b
ntdll!RtlFreeHeap+0x18b
Instruction Address: 0x0000000075737574
 
Description: Data Execution Prevention Violation
Short Description: DEPViolation
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Data Execution Prevention Violation starting at Unknown Symbol @ 0x0000000075737574 called from libvlccore!vout_ReleasePicture+0x0000000000000032 (Hash=0x307d391a.0x6f0f1537)

User mode DEP access violations are exploitable.

Proof of concept included. http://www39.zippyshare.com/v/91522221/file.html

Attachments (3)

poc (2).rar (77.6 KB) - added by coolkaveh 3 years ago.
New optimized crash


Change History (16)

comment:1 Changed 3 years ago by jb

  • Component changed from Video: X11 to Demuxers
  • Description modified (diff)
  • Owner changed from courmisch to fenrir

comment:2 Changed 3 years ago by jb

  • Description modified (diff)

comment:3 Changed 3 years ago by jb

  • Milestone changed from Bugs paradize to 2.0.5
  • Severity changed from critical to blocker

comment:4 Changed 3 years ago by courmisch

  • Component changed from Demuxers to Decoders

comment:5 Changed 3 years ago by courmisch

This is a bug in the lavc H.263 decoder. Oddly, VLC displays a much less corrupted picture than avplay, while avplay does not exhibit any uninitialized memory usage:

==13903== Thread 6:
==13903== Conditional jump or move depends on uninitialised value(s)
==13903==    at 0x5EE9E66: ff_er_frame_end (in /usr/lib/i386-linux-gnu/i686/cmov/libavcodec.so.53.35.0)
==13903==    by 0x5F177B3: ff_h263_decode_frame (in /usr/lib/i386-linux-gnu/i686/cmov/libavcodec.so.53.35.0)
==13903==    by 0x61C74DD: avcodec_decode_video2 (in /usr/lib/i386-linux-gnu/i686/cmov/libavcodec.so.53.35.0)
==13903==    by 0x9F56685: DecodeVideo (video.c:590)
==13903==    by 0x4221E28: DecoderDecodeVideo (decoder.c:1483)
==13903==    by 0x4222FEA: DecoderProcess (decoder.c:1845)
==13903==    by 0x42230F1: DecoderThread (decoder.c:939)
==13903==    by 0x406AC38: start_thread (pthread_create.c:304)
==13903==    by 0x415778D: clone (clone.S:130)
==13903== 

==13903== Conditional jump or move depends on uninitialised value(s)
==13903==    at 0x5D4D3FF: h_block_filter (in /usr/lib/i386-linux-gnu/i686/cmov/libavcodec.so.53.35.0)
==13903==    by 0x5EE8AFF: ff_er_frame_end (in /usr/lib/i386-linux-gnu/i686/cmov/libavcodec.so.53.35.0)
==13903==    by 0x5F177B3: ff_h263_decode_frame (in /usr/lib/i386-linux-gnu/i686/cmov/libavcodec.so.53.35.0)
==13903==    by 0x61C74DD: avcodec_decode_video2 (in /usr/lib/i386-linux-gnu/i686/cmov/libavcodec.so.53.35.0)
==13903==    by 0x9F56685: DecodeVideo (video.c:590)
==13903==    by 0x4221E28: DecoderDecodeVideo (decoder.c:1483)
==13903==    by 0x4222FEA: DecoderProcess (decoder.c:1845)
==13903==    by 0x42230F1: DecoderThread (decoder.c:939)
==13903==    by 0x406AC38: start_thread (pthread_create.c:304)
==13903==    by 0x415778D: clone (clone.S:130)
==13903== 
==13903== Use of uninitialised value of size 4
==13903==    at 0x5D4D428: h_block_filter (in /usr/lib/i386-linux-gnu/i686/cmov/libavcodec.so.53.35.0)
==13903==    by 0x5EE8AFF: ff_er_frame_end (in /usr/lib/i386-linux-gnu/i686/cmov/libavcodec.so.53.35.0)
==13903==    by 0x5F177B3: ff_h263_decode_frame (in /usr/lib/i386-linux-gnu/i686/cmov/libavcodec.so.53.35.0)
==13903==    by 0x61C74DD: avcodec_decode_video2 (in /usr/lib/i386-linux-gnu/i686/cmov/libavcodec.so.53.35.0)
==13903==    by 0x9F56685: DecodeVideo (video.c:590)
==13903==    by 0x4221E28: DecoderDecodeVideo (decoder.c:1483)
==13903==    by 0x4222FEA: DecoderProcess (decoder.c:1845)
==13903==    by 0x42230F1: DecoderThread (decoder.c:939)
==13903==    by 0x406AC38: start_thread (pthread_create.c:304)
==13903==    by 0x415778D: clone (clone.S:130)
==13903== 
==13903== Use of uninitialised value of size 4
==13903==    at 0x5D4D438: h_block_filter (in /usr/lib/i386-linux-gnu/i686/cmov/libavcodec.so.53.35.0)
==13903==    by 0x5EE8AFF: ff_er_frame_end (in /usr/lib/i386-linux-gnu/i686/cmov/libavcodec.so.53.35.0)
==13903==    by 0x5F177B3: ff_h263_decode_frame (in /usr/lib/i386-linux-gnu/i686/cmov/libavcodec.so.53.35.0)
==13903==    by 0x61C74DD: avcodec_decode_video2 (in /usr/lib/i386-linux-gnu/i686/cmov/libavcodec.so.53.35.0)
==13903==    by 0x9F56685: DecodeVideo (video.c:590)
==13903==    by 0x4221E28: DecoderDecodeVideo (decoder.c:1483)
==13903==    by 0x4222FEA: DecoderProcess (decoder.c:1845)
==13903==    by 0x42230F1: DecoderThread (decoder.c:939)
==13903==    by 0x406AC38: start_thread (pthread_create.c:304)
==13903==    by 0x415778D: clone (clone.S:130)
==13903== 

(does not cause any buffer overflow here)

Changed 3 years ago by coolkaveh

New optimized crash

comment:6 Changed 3 years ago by coolkaveh

I have optimized the crashes. As far as it shows, EIP is overwritten. Please review it in a Windows environment. Malformed file attached.

(900.f58): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=94869281 ebx=00e45068 ecx=7ffd5000 edx=00e452cc esi=071e9960 edi=000007c0
eip=94869281 esp=01b1fb5c ebp=00000002 iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210286
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
94869281 ??              ???
0:009> r;!exploitable -v;q
eax=94869281 ebx=00e45068 ecx=7ffd5000 edx=00e452cc esi=071e9960 edi=000007c0
eip=94869281 esp=01b1fb5c ebp=00000002 iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210286
94869281 ??              ???
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\VideoLAN\VLC\libvlccore.dll - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\VideoLAN\VLC\plugins\codec\libavcodec_plugin.dll - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\msvcrt.dll - 
Exception Faulting Address: 0xffffffff94869281
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Data Execution Protection (DEP) Violation

Exception Hash (Major/Minor): 0x307d391a.0x56296345

Stack Trace:
Unknown
libvlccore!vout_ReleasePicture+0x32
libavcodec_plugin!vlc_entry_license__1_2_0l+0xe09
libavcodec_plugin!vlc_entry_license__1_2_0l+0xdf26b
libavcodec_plugin!vlc_entry_license__1_2_0l+0xdee0e
libavcodec_plugin!vlc_entry_license__1_2_0l+0xdf37b
ntdll!RtlInitializeCriticalSection+0x348
libavcodec_plugin!vlc_entry_license__1_2_0l+0x226557
kernel32!CreateFileMappingA+0x86
kernel32!CreateFileMappingA+0xc8
msvcrt!free+0xc8
ntdll!NtReleaseSemaphore+0xc
kernel32!ReleaseSemaphore+0x14
libvlccore!vlc_sem_post+0x20
libavcodec_plugin!vlc_entry_license__1_2_0l+0x1fa2
ntdll!ZwClearEvent+0xc
Instruction Address: 0xffffffff94869281

Description: Data Execution Prevention Violation
Short Description: DEPViolation
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Data Execution Prevention Violation starting at Unknown Symbol @ 0xffffffff94869281 called from libvlccore!vout_ReleasePicture+0x0000000000000032 (Hash=0x307d391a.0x56296345)

User mode DEP access violations are exploitable.

Last edited 3 years ago by jb (previous) (diff)
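As an added triage example (not from the ticket or from VLC itself), the following Python parses the two !exploitable reports quoted above, checks that they share a Major hash and the same first symbolised frame (vout_ReleasePicture+0x32), and flags the first report's EIP 0x75737574 as four printable ASCII bytes; the embedded report texts are trimmed copies of the ticket's own output.

```python
import re
from collections import defaultdict
# Two !exploitable -v reports, constructed by trimming the ones quoted in the
# ticket (description and comment:6) down to the fields the parser needs.
REPORTS = [
"""Exception Faulting Address: 0x75737574
Exception Hash (Major/Minor): 0x307d391a.0x6f0f1537
Stack Trace:
Unknown
libvlccore!vout_ReleasePicture+0x32
libavcodec_plugin!vlc_entry_license__1_2_0l+0xe09
Instruction Address: 0x0000000075737574
Exploitability Classification: EXPLOITABLE
""",
"""Exception Faulting Address: 0xffffffff94869281
Exception Hash (Major/Minor): 0x307d391a.0x56296345
Stack Trace:
Unknown
libvlccore!vout_ReleasePicture+0x32
libavcodec_plugin!vlc_entry_license__1_2_0l+0xe09
Instruction Address: 0xffffffff94869281
Exploitability Classification: EXPLOITABLE
""",
]

def parse_report(text):
    """Pull the triage-relevant fields out of one !exploitable -v report."""
    major, minor = re.search(r"Hash \(Major/Minor\): (0x[0-9a-f]+)\.(0x[0-9a-f]+)", text).groups()
    classification = re.search(r"Exploitability Classification: (\w+)", text).group(1)
    address = int(re.search(r"Exception Faulting Address: (0x[0-9a-f]+)", text).group(1), 16)
    # Stack frames are the lines between "Stack Trace:" and "Instruction Address:".
    stack = text.split("Stack Trace:\n", 1)[1].split("Instruction Address:", 1)[0]
    frames = [f for f in stack.splitlines() if f]
    return {"major": major, "minor": minor, "classification": classification,
            "address": address, "frames": frames}

def first_known_frame(frames):
    """First symbolised frame, skipping 'Unknown' (the corrupt EIP itself)."""
    return next((f for f in frames if f != "Unknown"), None)

def eip_is_printable_ascii(addr):
    """All four bytes printable ASCII hints EIP was copied straight from file data."""
    return all(0x20 <= b < 0x7f for b in (addr & 0xffffffff).to_bytes(4, "little"))

def group_by_major(reports):
    """Bucket crashes sharing a Major hash: !exploitable's 'same bug' key."""
    buckets = defaultdict(list)
    for r in map(parse_report, reports):
        buckets[r["major"]].append(r)
    return dict(buckets)
```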

comment:8 Changed 3 years ago by jb

  • Component changed from Decoders to Build system: Contribs
  • Owner changed from fenrir to jb
  • Platform(s) changed from Windows to all
  • Status changed from new to assigned

comment:9 Changed 3 years ago by jb

  • Resolution set to fixed
  • Status changed from assigned to closed

comment:10 Changed 3 years ago by евгений щербина

I'm not sure if it is connected, but I've encountered the same Access violation a few times with: libqt4_plugin!vlc_entry_license1_2_0 and libmkv_plugin!vlc_entry_license2_1_0

Since vlc_entry_license is shown in all cases, I think it is somehow connected. I've tested it with VLC 2.05 as well as with the latest vlc-2.1.0-git-20130103-0404 from http://nightlies.videolan.org/build/win64/vlc-2.1.0-20130103-0404/

comment:11 Changed 3 years ago by евгений щербина

  • Resolution fixed deleted
  • Status changed from closed to reopened

comment:12 Changed 3 years ago by jb

  • Resolution set to fixed
  • Status changed from reopened to closed

Nightly builds don't have the latest codecs.

comment:13 Changed 2 years ago by cehoyos

  • Cc cehoyos added
