
Issue 23189 link

Issue metadata

Status: Fixed
Owner: ----
Closed: Oct 2009
Cc:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 0
Type: Bug-Security


avcodec-52.dll is not marked NX, SafeSEH or DBCompat

Project Member Reported by cpu@chromium.org, Sep 27 2009

Issue description

avcodec-52.dll is compiled with settings that make it trivial to exploit in case of a buffer overflow or other bugs.

1-Not NX compatible: The no-execute flag is not set for heap or stack, so malicious code can execute from the regular stack.

2-Not using SafeSEH: malicious code can inject a fake exception frame and cause an exception to happen, thereby gaining control of execution despite stack canaries (/GS) being present.

3-Not Dynamic Base compatible: In Vista and Win7 the DLL will not participate in address space randomization, making 'predictable addresses' attacks feasible.

 

Comment 1 by cpu@chromium.org, Sep 27 2009

Same goes for avformat-52.dll and avutil-50.dll, so I am not going to make 3 bugs.


Note: when testing the fix, make sure the Windows machine has NX enabled system-wide. I believe Vista has it, but for XP you have to change a setting.

Sounds like something Andrew could take care of without too much trouble? :)
Labels: Video HTML5
This is because we build with gcc. I don't think this can be fixed without rewriting most of FFmpeg to compile under MSVC...
Do these MSVC flags involve fundamental compilation differences? For at least the NX case, surely it's just a marker bit or tag in the DLL? Perhaps there exists a command-line tool to manipulate built DLLs to twiddle the bits?
cpu@ would know more than me here...

Comment 5 by mar...@chromium.org, Sep 28 2009

Status: Available
Both #1 and #3 are simple editbin commands.
editbin /NXCOMPAT /DYNAMICBASE foo.dll

With #1 and #3 fixed, #2 is less a problem.
Way back when I did my investigation on SEH, I found nasm could add SEH by twiddling some bits:
http://www.nasm.us/doc/nasmdoc7.html#section-7.5.2

I can add editbin to our compiling process and check in updated binaries ASAP
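The three properties listed in the description and the editbin fix in this comment are all just bits in the PE optional header (plus, for SafeSEH, a handler table referenced from the load config directory). The script below is an added example, not part of this bug or of the Chromium/FFmpeg code: it reads those fields straight from the image bytes and reports whether NX compatibility, dynamic base and SafeSEH are present, so a fixed binary can be verified independently of the Windows machine's own DEP setting. Offsets and flag values come from the PE/COFF specification; `build_sample_dll` is a hypothetical helper that constructs a tiny x86 PE32 image with the chosen flags for testing and does not produce a loadable DLL.

```python
"""Report NXCOMPAT / DYNAMICBASE / SafeSEH status of a PE image (added example)."""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DYNAMIC_BASE = 0x0040   # set by editbin /DYNAMICBASE, lets the loader relocate the image
NX_COMPAT = 0x0100      # set by editbin /NXCOMPAT, image is DEP/NX compatible
NO_SEH = 0x0400         # image registers no SEH handlers at all (also counts as SafeSEH)
IMAGE_FILE_MACHINE_I386 = 0x14C
LOAD_CONFIG_INDEX = 10  # IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset using the section table."""
    for va, vsize, rawsize, rawptr in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError("RVA 0x%x is not inside any section" % rva)


def check_pe(data: bytes) -> dict:
    """Return {'nxcompat': bool, 'dynamicbase': bool, 'safeseh': bool|None}.
    'safeseh' is None for non-x86 images, where SafeSEH does not apply."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                           # optional header
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]   # DllCharacteristics
    ndirs_off = opt + (108 if pe32plus else 92)             # NumberOfRvaAndSizes
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    dirs_off = ndirs_off + 4                                # first data directory

    sections = []
    sec = opt + opt_size
    for i in range(nsec):                                   # 40-byte section headers
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, sec + 40 * i + 8)
        sections.append((va, vsize, rawsize, rawptr))

    result = {
        "nxcompat": bool(dllchar & NX_COMPAT),
        "dynamicbase": bool(dllchar & DYNAMIC_BASE),
        "safeseh": None,
    }
    if machine == IMAGE_FILE_MACHINE_I386:
        safeseh = bool(dllchar & NO_SEH)
        if not safeseh and ndirs > LOAD_CONFIG_INDEX:
            lc_rva, _ = struct.unpack_from("<II", data, dirs_off + 8 * LOAD_CONFIG_INDEX)
            if lc_rva:
                lc = _rva_to_offset(lc_rva, sections)
                size = struct.unpack_from("<I", data, lc)[0]   # load config struct Size
                if size >= 72:                                  # SEHandlerTable lives at +64
                    table, _count = struct.unpack_from("<II", data, lc + 64)
                    safeseh = table != 0
        result["safeseh"] = safeseh
    return result


def build_sample_dll(dll_characteristics: int, safeseh: bool) -> bytes:
    """Constructed minimal x86 PE32 image (hypothetical, not loadable) with one
    .rdata section at RVA 0x1000 / file offset 0x200 holding a load config struct."""
    img = bytearray(0x400)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                 # e_lfanew
    pe = 0x40
    img[pe:pe + 4] = b"PE\0\0"
    # COFF header: i386, 1 section, 224-byte PE32 optional header, DLL characteristics
    struct.pack_into("<HHIIIHH", img, pe + 4, IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 224, 0x2102)
    opt = pe + 24
    struct.pack_into("<H", img, opt, 0x10B)                 # PE32 magic
    struct.pack_into("<III", img, opt + 28, 0x10000000, 0x1000, 0x200)  # ImageBase, alignments
    struct.pack_into("<H", img, opt + 70, dll_characteristics)
    struct.pack_into("<I", img, opt + 92, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8 * LOAD_CONFIG_INDEX, 0x1000, 72)
    sec = opt + 224
    img[sec:sec + 8] = b".rdata\0\0"
    struct.pack_into("<IIII", img, sec + 8, 0x200, 0x1000, 0x200, 0x200)
    lc = 0x200
    struct.pack_into("<I", img, lc, 72)                     # load config Size
    if safeseh:
        # SEHandlerTable (a VA) points at a one-entry table just past the struct.
        struct.pack_into("<II", img, lc + 64, 0x10000000 + 0x1000 + 72, 1)
        struct.pack_into("<I", img, lc + 72, 0x1234)        # constructed handler RVA
    return bytes(img)


def describe(label: str, data: bytes) -> str:
    r = check_pe(data)
    fmt = lambda v: "n/a" if v is None else ("yes" if v else "MISSING")
    return "%s nxcompat=%s dynamicbase=%s safeseh=%s" % (
        label, fmt(r["nxcompat"]), fmt(r["dynamicbase"]), fmt(r["safeseh"]))


if __name__ == "__main__":
    print(describe("gcc build as filed:", build_sample_dll(0, False)))
    print(describe("after editbin /NXCOMPAT /DYNAMICBASE:", build_sample_dll(NX_COMPAT | DYNAMIC_BASE, False)))
    print(describe("MSVC /SAFESEH plus both flags:", build_sample_dll(NX_COMPAT | DYNAMIC_BASE, True)))
    # For a real file: print(describe("avcodec-52.dll:", open("avcodec-52.dll", "rb").read()))
```

The second sample reflects exactly what the editbin step in this comment achieves: the two DllCharacteristics bits flip to set, while SafeSEH stays missing because editbin cannot create a handler table for a gcc-built image; only the NO_SEH bit or an MSVC /SAFESEH link satisfies that check.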


Comment 7 by cpu@chromium.org, Sep 28 2009

I am surprised that GCC does not have even the NX flag.

It might be that the crt is not compatible with this option?

Status: Assigned
Looking into this ASAP and will get binaries ready for all channels by EOD
Status: Started
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=27809 

------------------------------------------------------------------------
r27809 | scherkus@chromium.org | 2009-10-01 17:31:03 -0700 (Thu, 01 Oct 2009) | 7 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/DEPS?r1=27809&r2=27808

Rolling DEPS to include latest FFmpeg binaries for Windows.

TBR=cpu
BUG= 23189 

Review URL: http://codereview.chromium.org/251063

------------------------------------------------------------------------

All DEPS have been rolled except for 195, which has the CL prepared but we're waiting until Monday's push to get it checked in.
Status: Fixed
Committed for 195 -- will be included in the next stable push.
Labels: -Restrict-View-SecurityTeam
Labels: SecSeverity-Low
Labels: Type-Security
Labels: SecImpacts-Stable
Batch update: fuzzily determined that this security bug affected a stable release.

Comment 17 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
Owner: ----
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.

Comment 18 by bugdroid1@chromium.org, Mar 10 2013

Labels: -SecSeverity-Low -Type-Security -SecImpacts-Stable Security-Severity-Low Security-Impact-Stable Type-Bug-Security

Comment 19 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-Low Security_Severity-Low

Comment 20 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable
Labels: allpublic