[libav-bugs] [Bug 1114] New: Libav - avcodec-58.dll - Heap overflow - Motion JPEG Video

bugzilla at libav.org bugzilla at libav.org
Wed Jan 31 01:58:05 CET 2018


            Bug ID: 1114
           Summary: Libav - avcodec-58.dll - Heap overflow - Motion JPEG
           Product: Libav
           Version: git HEAD
          Hardware: X86
                OS: Windows
            Status: NEW
          Severity: normal
          Priority: ---
         Component: libavcodec
          Assignee: bugzilla at libav.org
          Reporter: jplopezy at gmail.com

Created attachment 706
  --> https://bugzilla.libav.org/attachment.cgi?id=706&action=edit
testcases and windbg

I was doing some fuzzing with the latest version of libav (as of today) for Windows
(Windows 10, current as of today) and I found several vulnerabilities.

One of them is this one, using a mov video file with the Motion JPEG Video codec.
At first glance I think it's a heap overflow.

After testing with avplay.exe from the latest libav version with the testcase, this is the result:

 Hash Usage : Stack Trace:
Major+Minor : avcodec_58!av_parser_close+0x1c221
Major+Minor : avcodec_58!av_d3d11va_alloc_context+0xe526
Major+Minor : avcodec_58!avcodec_send_packet+0xe8
Major+Minor : avcodec_58!avcodec_send_packet+0x170
Major+Minor : avplay+0xb030
Minor       : avplay!SDL_Delay+0x2f9
Minor       : avplay!SDL_EventState+0x354
Minor       : avplay!SDL_SetTimer+0x231
Minor       : msvcrt!beginthreadex+0x126
Minor       : msvcrt!endthreadex+0xac
Minor       : KERNEL32!BaseThreadInitThunk+0x14
Minor       : ntdll!RtlUserThreadStart+0x21
Instruction Address: 0x0000000065c14d81
