alt Hacker NewsMaybe I'm missing something but the ffmpeg buffer "exploit" involves passing a custom exploited buffer callback to parse a RASC file that presumably has been crafted to contain a packet that can exploit the custom buffer passed in? I don't see how this would be used in practice in the wild as to achieve the first step (custom buffer invocation) would require you to already have access to the machine to even invoke ffmpeg with it?
Like yes there is a heap OOB issue in an incredibly old file format, but without already having arguably compromised access to a machine, exploiting it for RCE seems impossible?
The custom get_buffer2 path is not something the attacker needs shell access to invoke. It is a normal public libavcodec API used by applications embedding FFmpeg. The attacker’s input is still just the crafted RASC/AVI media. The target application invokes FFmpeg/libavcodec during normal media processing. The PoC uses a custom buffer provider to make the heap layout deterministic and to place a demonstrable callback pointer next to the decoded PAL8 plane. That proves the bug can redirect control flow in a valid libavcodec decode flow. It does not mean the exact same file will pop calc under stock ffmpeg -i everywhere, but definitely not impossible. I popped a few shells today with it on a few websites for testing purposes. Reported it to them all, of course.