Memory corruption in wmv parsing
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| ffmpeg (Ubuntu) | Fix Released | Undecided | Unassigned | |
| vlc (Ubuntu) | Invalid | Undecided | Unassigned | |
Bug Description
Binary package hint: vlc
I've attached a fuzzed Windows Media file that crashes VLC due to an out-of-bounds write. Based on my testing, the offset at which this write is performed is controllable by manipulating the contents of the file, suggesting that this is an exploitable memory corruption vulnerability.
The crash occurs in ffmpeg-

```c
for(i=0; i<s->mb_num; i++){
    const int mb_xy= s->mb_index2xy[ i ];
    int f=0;
    int error= s->error_
    fixed[mb_xy]= f;
}
```
I wasn't sure if it would be more appropriate to file a bug here or with ffmpeg, since it's unclear as to whether the issue is due to a bug in ffmpeg or improper invocation of ffmpeg library functions. I've confirmed this issue on Lucid (VLC 1.0.6) as well as VLC upstream (1.1.5).
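The loop quoted in the description stores into `fixed[mb_xy]` with `mb_xy` read from the `mb_index2xy` table, so the destination of each write is only as trustworthy as that table. The C program below is an added illustration of that pattern, not code from ffmpeg, VLC or the reporter, and it makes no claim about the actual root cause or the fix that shipped for CVE-2010-3908. It assumes a constructed decoder context (`struct ctx`, `MB_NUM`, `TABLE_LEN`, `error_status`) and shows a bounds-checked version of the same loop that validates every index against the destination table before anything is written, beside a constructed corrupted table of the kind a fuzzer produces.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MB_NUM    16             /* constructed: macroblocks in one frame */
#define TABLE_LEN (MB_NUM + 2)   /* constructed: per-macroblock tables carry a small margin */

/* Constructed stand-in for the decoder context fields the snippet touches. */
struct ctx {
    int     mb_num;                    /* loop bound, from the stream headers */
    int     mb_index2xy[MB_NUM];       /* index table; in a real decoder derived from the file */
    uint8_t error_status[TABLE_LEN];   /* nonzero marks a damaged macroblock */
};

/* Returns 0 if the loop can run safely: mb_num fits the index table and every
 * mb_index2xy[i] it will read is a valid slot in a table of table_len entries.
 * Otherwise returns -1 and, if bad_i is non-NULL, the first offending i. */
static int validate_index_table(const struct ctx *s, size_t table_len, int *bad_i)
{
    if (s->mb_num < 0 || s->mb_num > MB_NUM)
        return -1;
    for (int i = 0; i < s->mb_num; i++) {
        const int mb_xy = s->mb_index2xy[i];
        if (mb_xy < 0 || (size_t)mb_xy >= table_len) {
            if (bad_i) *bad_i = i;
            return -1;
        }
    }
    return 0;
}

/* Bounds-checked version of the loop from the report. Nothing is written
 * unless the whole table validates, so a malformed file cannot pick a write
 * offset outside fixed[]. Returns 0 on success, -1 if the table was rejected. */
static int fill_fixed_checked(const struct ctx *s, uint8_t *fixed, size_t fixed_len)
{
    /* both fixed[] and error_status[] are indexed by mb_xy, so check against the smaller */
    size_t limit = fixed_len < sizeof s->error_status ? fixed_len : sizeof s->error_status;
    if (validate_index_table(s, limit, NULL) != 0)
        return -1;
    for (int i = 0; i < s->mb_num; i++) {
        const int mb_xy = s->mb_index2xy[i];
        uint8_t f = (s->error_status[mb_xy] == 0) ? 1 : 0;   /* 1 = undamaged macroblock */
        fixed[mb_xy] = f;
    }
    return 0;
}

/* Constructed sample context: an identity index table, optionally with one
 * entry overwritten, which is the shape of corruption a fuzzer tends to produce. */
static struct ctx make_ctx(int corrupt_entry, int corrupt_value)
{
    struct ctx s;
    memset(&s, 0, sizeof s);
    s.mb_num = MB_NUM;
    for (int i = 0; i < MB_NUM; i++)
        s.mb_index2xy[i] = i;
    s.error_status[3] = 1;   /* constructed: macroblock 3 is damaged */
    if (corrupt_entry >= 0 && corrupt_entry < MB_NUM)
        s.mb_index2xy[corrupt_entry] = corrupt_value;
    return s;
}

/* Well-formed table: the loop runs and fixed[] mirrors error_status[]. Returns 1 on the expected result. */
int demo_well_formed(void)
{
    struct ctx s = make_ctx(-1, 0);
    uint8_t fixed[TABLE_LEN] = {0};
    return fill_fixed_checked(&s, fixed, TABLE_LEN) == 0 && fixed[3] == 0 && fixed[4] == 1;
}

/* Corrupted table: one entry points far outside fixed[]; the checked loop refuses and writes nothing. */
int demo_corrupted(void)
{
    struct ctx s = make_ctx(5, 100000);
    uint8_t fixed[TABLE_LEN];
    memset(fixed, 0xAA, sizeof fixed);
    int rc = fill_fixed_checked(&s, fixed, TABLE_LEN);
    int untouched = 1;
    for (size_t k = 0; k < sizeof fixed; k++)
        if (fixed[k] != 0xAA) untouched = 0;
    return rc == -1 && untouched;
}

int main(void)
{
    printf("well-formed table accepted: %s\n", demo_well_formed() ? "yes" : "no");
    printf("corrupted table rejected:   %s\n", demo_corrupted() ? "yes" : "no");
    return 0;
}
```

The design point is that the validation runs over the whole table before the first store, rather than checking each index inside the loop: a partially written output table is itself a source of later inconsistencies, and rejecting the frame outright is the behaviour a decoder wants when its index table has been tampered with.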
Changed in vlc (Ubuntu): status: Confirmed → Invalid
Please use CVE-2010-3908 for this issue.
Note that using ffmpeg directly, current version errors out, but ffmpeg 0.5.1 hits 100% CPU.
Note that this does not crash on maverick and later, so that would point more to an issue in ffmpeg triggering the vlc crash.