Security: chrome_child!mov_read_keys - Heap corruption as a result of an off-by-1 zero allocation
Reported by
p...@paulmehta.com,
Sep 3 2016
Issue description

VULNERABILITY DETAILS
FFMPEG MP4 decoder contains an Off-by-1 validation that results in an allocation of size 0, followed by corrupting an arbitrary number of pointers out of bounds on the heap, where each is pointing to controllable or uninitialized data.

Additional details in attached file: mov_read_keys-heap_corruption-pmehta.readme.txt

https://cs.chromium.org/chromium/src/third_party/ffmpeg/libavformat/mov.c?rcl=0&l=3145

static int mov_read_keys(MOVContext *c, AVIOContext *pb, MOVAtom atom)
{
    uint32_t count;
    uint32_t i;

    if (atom.size < 8)
        return 0;

    avio_skip(pb, 4);
    count = avio_rb32(pb); // count = 0x3FFFFFFF
    if (count > UINT_MAX / sizeof(*c->meta_keys)) { // <--- This check should be if(count >= UINT_MAX ...
        av_log(c->fc, AV_LOG_ERROR, "The 'keys' atom with the invalid key count: %d\n", count);
        return AVERROR_INVALIDDATA;
    }

    c->meta_keys_count = count + 1; // 0x3FFFFFFF + 1 = 0x40000000
    c->meta_keys = av_mallocz(c->meta_keys_count * sizeof(*c->meta_keys)); // results in an allocation of size 0, followed by corrupting an arbitrary number of pointers out of bounds on the heap

.text:1159A4DE push edi ; s
.text:1159A4DF call _avio_rb32 <--------- read arbitrary DWORD
.text:1159A4E4 mov esi, eax
.text:1159A4E6 add esp, 10h
.text:1159A4E9 mov [ebp+var_4], esi
.text:1159A4EC cmp esi, 3FFFFFFFh <--------- Size check
.text:1159A4F2 jbe short loc_1159A511 <---------- JBE, should be JB
.text:1159A4F4 mov eax, [ebp+c]
.text:1159A4F7 push esi
.text:1159A4F8 push offset aTheKeysAtomWit ; "The 'keys' atom with the invalid key co"...
.text:1159A4FD push 10h ; level
.text:1159A4FF push dword ptr [eax+4] ; avcl
.text:1159A502 call _av_log
.text:1159A507 add esp, 10h
.text:1159A50A mov eax, 0BEBBB1B7h
.text:1159A50F jmp short loc_1159A590
.text:1159A511 ; ---------------------------------------------------------------------------
.text:1159A511
.text:1159A511 loc_1159A511: ; CODE XREF: mov_read_keys+3Cj
.text:1159A511 push ebx
.text:1159A512 mov ebx, [ebp+c]
.text:1159A515 lea eax, [esi+1]
.text:1159A518 mov [ebx+2Ch], eax
.text:1159A51B shl eax, 2 <-------------- Int wrap, allocate zero
.text:1159A51E push eax ; size
.text:1159A51F call _av_mallocz
.text:1159A524 mov [ebx+28h], eax

VERSION
Chrome Version: Version 53.0.2785.89 m stable (32-bit only)
Operating System: All, testing done on Windows

REPRODUCTION CASE
see attached file, mov_read_keys-heap_corruption-pmehta.mp4

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: tab
Crash State: Varies depending on exploitation techniques.
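The arithmetic behind the off-by-one, worked through as an added example (this is not code from the report or from ffmpeg): the check as reported, the check with the reporter's suggested `>=`, the wrapped allocation size computed in 32-bit unsigned arithmetic, and an explicit checked-size routine that validates the value actually multiplied. `KEY_ELEM_SIZE` is an assumed stand-in for `sizeof(*c->meta_keys)` in the 32-bit build (a 4-byte pointer, consistent with `shl eax, 2` in the disassembly); all function names are constructed for the example.

```c
#include <inttypes.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed element size: sizeof(*c->meta_keys) in the reported 32-bit build,
 * where each element is a 4-byte pointer (matches "shl eax, 2").
 * Constructed for this example. */
#define KEY_ELEM_SIZE 4u

/* Check as written in the reported code: rejects count only when
 * count > UINT_MAX / elem. Returns 1 if count passes the check. */
static int reported_count_ok(uint32_t count)
{
    return !(count > UINT_MAX / KEY_ELEM_SIZE);
}

/* Check with the reporter's suggested fix (>= instead of >): the largest
 * accepted count is UINT_MAX / elem - 1, so (count + 1) * elem still fits. */
static int fixed_count_ok(uint32_t count)
{
    return !(count >= UINT_MAX / KEY_ELEM_SIZE);
}

/* Allocation size computed the way the reported code computes it, in
 * 32-bit unsigned arithmetic (size_t is 32 bits in the affected build):
 * (count + 1) * elem, wrapping modulo 2^32. */
static uint32_t reported_alloc_size(uint32_t count)
{
    uint32_t n = count + 1;       /* c->meta_keys_count */
    return n * KEY_ELEM_SIZE;     /* 0x40000000 * 4 wraps to 0 */
}

/* Explicit form of the fix: validate the value that is actually multiplied
 * and spell out both overflow points (the increment and the multiply).
 * Returns 1 and stores the byte size on success, 0 if either step wraps. */
static int checked_keys_alloc_size(uint32_t count, uint32_t *out)
{
    if (count == UINT32_MAX)                 /* count + 1 would wrap to 0 */
        return 0;
    uint32_t n = count + 1;
    if (n > UINT32_MAX / KEY_ELEM_SIZE)      /* n * elem would wrap */
        return 0;
    *out = n * KEY_ELEM_SIZE;
    return 1;
}

int main(void)
{
    /* Constructed sample counts, including the reported value 0x3FFFFFFF. */
    const uint32_t samples[] = { 0x10u, 0x3FFFFFFEu, 0x3FFFFFFFu, 0x40000000u, UINT32_MAX };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t count = samples[i], size = 0;
        int ok = checked_keys_alloc_size(count, &size);
        printf("count=0x%08" PRIX32 " reported=%s alloc=0x%08" PRIX32
               " | fixed=%s checked=%s\n",
               count,
               reported_count_ok(count) ? "pass" : "reject",
               reported_count_ok(count) ? reported_alloc_size(count) : 0u,
               fixed_count_ok(count) ? "pass" : "reject",
               ok ? "ok" : "overflow");
    }
    return 0;
}
```

Running it shows count 0x3FFFFFFF passing the reported check and producing an allocation size of 0, while both the `>=` variant and the explicit routine reject it. This also matches the report's "(32-bit only)" note: in a 64-bit build `sizeof` is a 64-bit `size_t`, so the multiply is done in 64 bits and does not wrap.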
Jan 24 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by p...@paulmehta.com, Sep 3 2016