Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 20 Oct 2017 09:10:45 +0000
From: 连一汉 <lianyihan@....cn>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: [CVE-2017-15186]: ffmpeg: Double free when ffmpeg parsing an craft
 AVI file to MKV file using ffvhuff decoder


Affected package: ffmpeg
Affected versions: <= 3.3.4

FFmpeg trigger double-free when it parsing an craft AVI file to MKV file using ffvhuff decoder.

From the back trace, we can see that ffmpeg frees a filter array firstly:

#0  av_free (ptr=0x32bb920) at libavutil/mem.c:209
#1  0x000000000162a759 in initFilter (outFilter=0x32ae7f8, filterPos=0x32ae818, outFilterSize=0x32ae82c, xInc=65536, srcW=45, dstW=45, filterAlign=1,
    one=4096, flags=8196, cpu_flags=1037275, srcFilter=0x0, dstFilter=0x0, param=0x32adef0, srcPos=128, dstPos=128) at libswscale/utils.c:713
#2  0x00000000016263bd in sws_init_context (c=0x32ade80, srcFilter=0x7fffffffcf50, dstFilter=0x7fffffffcf50) at libswscale/utils.c:1681
#3  0x0000000000629c5b in config_props (outlink=0x32adce0) at libavfilter/vf_scale.c:333
#4  0x00000000004675c8 in avfilter_config_links (filter=0x32ac5c0) at libavfilter/avfilter.c:316
#5  0x000000000046754b in avfilter_config_links (filter=0x32acae0) at libavfilter/avfilter.c:305
#6  0x000000000046bc62 in graph_config_links (graph=0x32989e0, log_ctx=0x0) at libavfilter/avfiltergraph.c:275
#7  0x000000000046b712 in avfilter_graph_config (graphctx=0x32989e0, log_ctx=0x0) at libavfilter/avfiltergraph.c:1274

But because of an error handing, this filter will be freed again when exit program:

#0  av_free (ptr=0x32bb920) at libavutil/mem.c:209
#1  0x00000000017d59b3 in av_freep (arg=0x7fffffffe2b8) at libavutil/mem.c:219
#2  0x00000000017baeba in buffer_pool_free (pool=0x0) at libavutil/buffer.c:272
#3  0x00000000017bae19 in av_buffer_pool_uninit (ppool=0x32bb670) at libavutil/buffer.c:285
#4  0x0000000000481a79 in ff_frame_pool_uninit (pool=0x32ad140) at libavfilter/framepool.c:292
#5  0x0000000000466e2e in avfilter_link_free (link=0x7fffffffe358) at libavfilter/avfilter.c:181
#6  0x0000000000468a46 in free_link (link=0x32ad060) at libavfilter/avfilter.c:786
#7  0x00000000004687f7 in avfilter_free (filter=0x32ac5c0) at libavfilter/avfilter.c:806
#8  0x000000000046b1b8 in avfilter_graph_free (graph=0x3299c50) at libavfilter/avfiltergraph.c:123
#9  0x000000000042b22c in ffmpeg_cleanup (ret=0) at ffmpeg.c:477
#10 0x000000000040eff7 in exit_program (ret=0) at cmdutils.c:138

This was fixed with the following commit:
https://www.ffmpeg.org/download.html#releases

Regards

Reported by Zhibin Hu and Yihan Lian from Qihoo 360 GearTeam

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.