Date: Fri, 18 Nov 2016 16:52:10 +0800 From: "wykcomputer@...il.com" <wykcomputer@...il.com> To: oss-security <oss-security@...ts.openwall.com> Subject: [Bug Report] Vulnerability in libbpg Hello, I'm a security researcher. And I find one vulnerability in libbpg, this is a double-free issue, which can lead to remote-code-execution. I have reported it to the author of libbpg, but no responding, so I report it to you. The PoC file is the attachment. Run the command ./bpgdec PoC.bpg, we wil get the crash log as follows. Crash Log： Program received signal SIGSEGV, Segmentation fault. 0x000000000042a158 in av_buffer_unref (buf=0x64bcb0) at libavutil/buffer.c:111 111 b = (*buf)->buffer; (gdb) bt #0 0x000000000042a158 in av_buffer_unref (buf=0x64bcb0) at libavutil/buffer.c:111 #1 0x000000000042a8fa in av_frame_unref (frame=0x64bb30) at libavutil/frame.c:101 #2 0x000000000042a8b3 in av_frame_free (frame=0x638020) at libavutil/frame.c:92 #3 0x0000000000406ec7 in bpg_decoder_decode (img=0x638010, buf=0x638250 "BPG\373\026\t\201\026\201\026", buf_len=2412) at libbpg.c:1890 After reading the libbpg source code, I think it's a double-free issue. Double Free: int bpg_decoder_decode(BPGDecoderContext *img, const uint8_t *buf, int buf_len) //... ret = hevc_decode_start(img, buf + idx, buf_len - idx, width, height, img->format, bit_depth, has_alpha); | |->ret = hevc_decode_frame_internal(s, abuf, cbuf, buf, buf_len, 1); | |->ret = hevc_write_frame(s->dec_ctx, s->frame, cbuf->buf, cbuf->len); | |->len = avcodec_decode_video2(avctx, frame, &got_frame, &avpkt); | |->av_frame_unref(picture); //the first free av_frame_free(&img->frame); //the second free in int bpg_decoder_decode(BPGDecoderContext *img, const uint8_t *buf, int buf_len) Fix: Avoid double free, choose one of the first and second free. Maybe remove the second one. wykcomputer@...il.com Content of type "text/html" skipped Download attachment "PoC.bpg" of type "application/octet-stream" (2412 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.