Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 18 Nov 2016 16:52:10 +0800
From: "wykcomputer@...il.com" <wykcomputer@...il.com>
To: oss-security <oss-security@...ts.openwall.com>
Subject: [Bug Report] Vulnerability in libbpg

Hello,
    I'm a security researcher. And I find one vulnerability in libbpg, this is a double-free issue, which can lead to remote-code-execution.
    I have reported it to the author of libbpg, but no responding, so I report it to you.
    The PoC file is the attachment.
    
    Run the command ./bpgdec PoC.bpg, we wil get the crash log as follows.    

    Crash Log：
Program received signal SIGSEGV, Segmentation fault.
0x000000000042a158 in av_buffer_unref (buf=0x64bcb0) at libavutil/buffer.c:111
111     b = (*buf)->buffer;
(gdb) bt
#0  0x000000000042a158 in av_buffer_unref (buf=0x64bcb0) at libavutil/buffer.c:111
#1  0x000000000042a8fa in av_frame_unref (frame=0x64bb30) at libavutil/frame.c:101
#2  0x000000000042a8b3 in av_frame_free (frame=0x638020) at libavutil/frame.c:92
#3  0x0000000000406ec7 in bpg_decoder_decode (img=0x638010, buf=0x638250 "BPG\373\026\t\201\026\201\026", buf_len=2412) at libbpg.c:1890


    After reading the libbpg source code, I think it's a double-free issue.
    Double Free:
int bpg_decoder_decode(BPGDecoderContext *img, const uint8_t *buf, int buf_len)
//...
ret = hevc_decode_start(img, buf + idx, buf_len - idx,
width, height, img->format, bit_depth, has_alpha); 
|
|->ret = hevc_decode_frame_internal(s, abuf, cbuf, buf, buf_len, 1);
|
|->ret = hevc_write_frame(s->dec_ctx, s->frame, cbuf->buf, cbuf->len);
|
|->len = avcodec_decode_video2(avctx, frame, &got_frame, &avpkt);
|
|->av_frame_unref(picture); //the first free

av_frame_free(&img->frame); //the second free in int bpg_decoder_decode(BPGDecoderContext *img, const uint8_t *buf, int buf_len)

    Fix:
Avoid double free, choose one of the first and second free. Maybe remove the second one. 



wykcomputer@...il.com

Content of type "text/html" skipped

Download attachment "PoC.bpg" of type "application/octet-stream" (2412 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.