Bug ID 1022920
Summary VUL-0: ffmpeg: remote exploitation results in code execution [ 1 - libavformat/http.c ]
Classification openSUSE
Product openSUSE Distribution
Version Leap 42.2
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter mikhail.kasimov@gmail.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

Ref: http://seclists.org/oss-sec/2017/q1/245
===================================================
This letter is the result of research by Emil Lerner <neex.emil () gmail com> and
Pavel Cheremushkin <paulcher () seclab cs msu su>, and it is supposed to disclose
multiple issues we managed to find and exploit in the FFmpeg software. Although
all vulnerabilities have been successfully patched by the FFmpeg developers, this
letter is supposed to clarify all these issues and show that they are exploitable.

--[ 1 - libavformat/http.c  ]

After executing http_read_stream we read each HTTP header, where we pass a
"Transfer-Encoding: chunked" header, and we come into the http_buf_read
function [1]. Due to incorrect use of the strtoll function and integer sizes
(chunk_size is an int64_t) [2], it was possible to pass a negative chunk_size in
the chunk encoding, so after computing the final size using the FFMIN function
it would later be passed as the argument to the avio_read function. This results
in a heap overflow which we found to be exploitable, because the overflowed
buffer is allocated right next to the AVIOContext structure [3]. Overflowing the
function pointer in this structure immediately results in RIP control and then
code execution.

* [1] - https://github.com/FFmpeg/FFmpeg/blob/51020adcecf4004c1586a708d96acc6cbddd050a/libavformat/http.c#L1166

* [2] - https://github.com/FFmpeg/FFmpeg/blob/51020adcecf4004c1586a708d96acc6cbddd050a/libavformat/http.c#L1259

* [3] - https://github.com/FFmpeg/FFmpeg/blob/51020adcecf4004c1586a708d96acc6cbddd050a/libavformat/aviobuf.c#L899

This issue was fixed in https://github.com/FFmpeg/FFmpeg/commit/2a05c8f813de6f2278827734bf8102291e7484aa
===================================================
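The following is an added example, not code from FFmpeg or from the letter's authors, that models in C the chunk-size handling the letter describes: chunk_read_len_vulnerable follows the pre-fix shape (the strtoll result goes straight into FFMIN with no sign check, so a chunk-size line of "-8" yields a negative read length), chunk_read_len_hardened rejects negative, overflowed, empty and non-hex sizes before they can reach a read, copy_len_as_seen_by_memcpy shows what that negative length becomes once it is narrowed to an int and then widened to a size_t, and decode_chunked runs the hardened check over a constructed chunked body. All function names and the sample bodies are hypothetical; the example stops at the length computation and does not reproduce the overwrite of the adjacent AVIOContext.

```c
/*
 * Added example (not FFmpeg code): a model of the chunk-size handling
 * described in the letter. Function names are hypothetical.
 */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FFMIN(a, b) ((a) > (b) ? (b) : (a))

/* Pre-fix shape: the hex chunk-size line goes through strtoll and FFMIN with
 * no sign check, so a server sending "-8" produces a negative read length. */
int64_t chunk_read_len_vulnerable(const char *line, int bufsize)
{
    int64_t chunksize = strtoll(line, NULL, 16);   /* "-8" parses to -8 */
    if (chunksize == 0)
        return 0;                                  /* last-chunk marker */
    return FFMIN((int64_t)bufsize, chunksize);     /* -8 < bufsize, so -8 wins */
}

/* Hardened shape: reject negative, overflowed, empty or non-hex sizes before
 * they can reach the read. Returns -1 for a malformed line. */
int64_t chunk_read_len_hardened(const char *line, int bufsize)
{
    char *end;
    errno = 0;
    long long v = strtoll(line, &end, 16);
    if (end == line || errno == ERANGE || v < 0)
        return -1;
    /* RFC 7230 permits ";ext" after chunk-size, then CRLF; anything else is junk */
    if (*end != '\0' && *end != ';' && *end != '\r' && *end != '\n')
        return -1;
    return FFMIN((int64_t)bufsize, (int64_t)v);
}

/* What the read side sees: the read takes an int length and the copy takes
 * a size_t, so a negative length turns into an enormous one. */
size_t copy_len_as_seen_by_memcpy(int64_t read_len)
{
    int size = (int)read_len;
    return (size_t)size;                           /* (size_t)-8 == SIZE_MAX - 7 */
}

/* Decode a whole chunked body with the hardened parser. Returns the number of
 * bytes written to out, or -1 on a malformed size line, a truncated body, or
 * a chunk that does not fit in out. */
int64_t decode_chunked(const char *body, size_t bodylen, char *out, size_t outcap)
{
    size_t pos = 0, written = 0;
    for (;;) {
        char line[32];
        size_t n = 0;
        while (pos < bodylen && body[pos] != '\n') {
            if (n == sizeof line - 1)
                return -1;                         /* size line too long */
            line[n++] = body[pos++];
        }
        if (pos >= bodylen)
            return -1;                             /* no terminating CRLF */
        pos++;                                     /* skip '\n' */
        line[n] = '\0';
        int64_t len = chunk_read_len_hardened(line, INT_MAX);
        if (len < 0)
            return -1;                             /* e.g. "-8" is rejected here */
        if (len == 0)
            return (int64_t)written;               /* "0" chunk ends the body */
        if ((size_t)len > outcap - written || pos + (size_t)len + 2 > bodylen)
            return -1;
        memcpy(out + written, body + pos, (size_t)len);
        written += (size_t)len;
        pos += (size_t)len + 2;                    /* data + CRLF */
    }
}

/* Decode body and compare with expected: 1 match, 0 mismatch, -1 rejected. */
int decode_and_compare(const char *body, const char *expected)
{
    char out[64];
    int64_t n = decode_chunked(body, strlen(body), out, sizeof out);
    if (n < 0)
        return -1;
    return (size_t)n == strlen(expected) && memcmp(out, expected, (size_t)n) == 0;
}

int main(void)
{
    /* constructed sample bodies, not captured traffic */
    const char *ok  = "3\r\nabc\r\n4\r\ndefg\r\n0\r\n\r\n";
    const char *bad = "3\r\nabc\r\n-8\r\nxxxxxxxx\r\n0\r\n\r\n";
    printf("vulnerable(\"-8\") -> %lld\n", (long long)chunk_read_len_vulnerable("-8", 4096));
    printf("memcpy would copy %zu bytes\n", copy_len_as_seen_by_memcpy(-8));
    printf("hardened(\"-8\")   -> %lld\n", (long long)chunk_read_len_hardened("-8", 4096));
    printf("decode ok  -> %d\n", decode_and_compare(ok, "abcdefg"));
    printf("decode bad -> %d\n", decode_and_compare(bad, ""));
    return 0;
}
```

The hardened parser deliberately checks errno for ERANGE as well as the sign: strtoll saturates an oversized hex string to LLONG_MAX instead of failing, so a sign check alone would still let a 2^63-sized chunk through to the caller's clamping logic.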

Comment on Ref: http://seclists.org/oss-sec/2017/q1/251
===================================================
In case anyone else is curious, here are the corresponding commits
reachable from the n3.2.2 release tag:

https://github.com/FFmpeg/FFmpeg/commit/0e0a413725e0221e1a9d0b7595e22bf57e23a09c
===================================================

(open-)SUSE: https://software.opensuse.org/package/ffmpeg

TW: 3.2.22
42.2: 3.2
42.1: 2.8.8

