Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 18 Nov 2016 16:52:10 +0800
From: "wykcomputer@...il.com" <wykcomputer@...il.com>
To: oss-security <oss-security@...ts.openwall.com>
Subject: [Bug Report] Vulnerability in libbpg

Hello,
    I'm a security researcher. And I find one vulnerability in libbpg, this is a double-free issue, which can lead to remote-code-execution.
    I have reported it to the author of libbpg, but no responding, so I report it to you.
    The PoC file is the attachment.
    
    Run the command ./bpgdec PoC.bpg, we wil get the crash log as follows.    

    Crash Log£º
Program received signal SIGSEGV, Segmentation fault.
0x000000000042a158 in av_buffer_unref (buf=0x64bcb0) at libavutil/buffer.c:111
111     b = (*buf)->buffer;
(gdb) bt
#0  0x000000000042a158 in av_buffer_unref (buf=0x64bcb0) at libavutil/buffer.c:111
#1  0x000000000042a8fa in av_frame_unref (frame=0x64bb30) at libavutil/frame.c:101
#2  0x000000000042a8b3 in av_frame_free (frame=0x638020) at libavutil/frame.c:92
#3  0x0000000000406ec7 in bpg_decoder_decode (img=0x638010, buf=0x638250 "BPG\373\026\t\201\026\201\026", buf_len=2412) at libbpg.c:1890


    After reading the libbpg source code, I think it's a double-free issue.
    Double Free:
int bpg_decoder_decode(BPGDecoderContext *img, const uint8_t *buf, int buf_len)
//...
ret = hevc_decode_start(img, buf + idx, buf_len - idx,
width, height, img->format, bit_depth, has_alpha); 
|
|->ret = hevc_decode_frame_internal(s, abuf, cbuf, buf, buf_len, 1);
|
|->ret = hevc_write_frame(s->dec_ctx, s->frame, cbuf->buf, cbuf->len);
|
|->len = avcodec_decode_video2(avctx, frame, &got_frame, &avpkt);
|
|->av_frame_unref(picture); //the first free

av_frame_free(&img->frame); //the second free in int bpg_decoder_decode(BPGDecoderContext *img, const uint8_t *buf, int buf_len)

    Fix:
Avoid double free, choose one of the first and second free. Maybe remove the second one. 



wykcomputer@...il.com

[ CONTENT OF TYPE text/html SKIPPED ]

[ CONTENT OF TYPE application/octet-stream SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ