Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <2016111816520848294763@gmail.com>
Date: Fri, 18 Nov 2016 16:52:10 +0800
From: "wykcomputer@...il.com" <wykcomputer@...il.com>
To: oss-security <oss-security@...ts.openwall.com>
Subject: [Bug Report] Vulnerability in libbpg

Hello,
    I'm a security researcher. And I find one vulnerability in libbpg, this is a double-free issue, which can lead to remote-code-execution.
    I have reported it to the author of libbpg, but no responding, so I report it to you.
    The PoC file is the attachment.
    
    Run the command ./bpgdec PoC.bpg, we wil get the crash log as follows.    

    Crash Logļ¼š
Program received signal SIGSEGV, Segmentation fault.
0x000000000042a158 in av_buffer_unref (buf=0x64bcb0) at libavutil/buffer.c:111
111     b = (*buf)->buffer;
(gdb) bt
#0  0x000000000042a158 in av_buffer_unref (buf=0x64bcb0) at libavutil/buffer.c:111
#1  0x000000000042a8fa in av_frame_unref (frame=0x64bb30) at libavutil/frame.c:101
#2  0x000000000042a8b3 in av_frame_free (frame=0x638020) at libavutil/frame.c:92
#3  0x0000000000406ec7 in bpg_decoder_decode (img=0x638010, buf=0x638250 "BPG\373\026\t\201\026\201\026", buf_len=2412) at libbpg.c:1890


    After reading the libbpg source code, I think it's a double-free issue.
    Double Free:
int bpg_decoder_decode(BPGDecoderContext *img, const uint8_t *buf, int buf_len)
//...
ret = hevc_decode_start(img, buf + idx, buf_len - idx,
width, height, img->format, bit_depth, has_alpha); 
|
|->ret = hevc_decode_frame_internal(s, abuf, cbuf, buf, buf_len, 1);
|
|->ret = hevc_write_frame(s->dec_ctx, s->frame, cbuf->buf, cbuf->len);
|
|->len = avcodec_decode_video2(avctx, frame, &got_frame, &avpkt);
|
|->av_frame_unref(picture); //the first free

av_frame_free(&img->frame); //the second free in int bpg_decoder_decode(BPGDecoderContext *img, const uint8_t *buf, int buf_len)

    Fix:
Avoid double free, choose one of the first and second free. Maybe remove the second one. 



wykcomputer@...il.com

Content of type "text/html" skipped

Download attachment "PoC.bpg" of type "application/octet-stream" (2412 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.