Date: Fri, 20 Oct 2017 09:10:45 +0000
From: 连一汉 <lianyihan@....cn>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: [CVE-2017-15186]: ffmpeg: Double free when ffmpeg parses a crafted AVI file to an MKV file using the ffvhuff decoder


Affected package: ffmpeg
Affected versions: <= 3.3.4

FFmpeg triggers a double free when parsing a crafted AVI file to an MKV file using the ffvhuff decoder.

From the backtrace, we can see that ffmpeg first frees a filter array:

#0  av_free (ptr=0x32bb920) at libavutil/mem.c:209
#1  0x000000000162a759 in initFilter (outFilter=0x32ae7f8, filterPos=0x32ae818, outFilterSize=0x32ae82c, xInc=65536, srcW=45, dstW=45, filterAlign=1,
    one=4096, flags=8196, cpu_flags=1037275, srcFilter=0x0, dstFilter=0x0, param=0x32adef0, srcPos=128, dstPos=128) at libswscale/utils.c:713
#2  0x00000000016263bd in sws_init_context (c=0x32ade80, srcFilter=0x7fffffffcf50, dstFilter=0x7fffffffcf50) at libswscale/utils.c:1681
#3  0x0000000000629c5b in config_props (outlink=0x32adce0) at libavfilter/vf_scale.c:333
#4  0x00000000004675c8 in avfilter_config_links (filter=0x32ac5c0) at libavfilter/avfilter.c:316
#5  0x000000000046754b in avfilter_config_links (filter=0x32acae0) at libavfilter/avfilter.c:305
#6  0x000000000046bc62 in graph_config_links (graph=0x32989e0, log_ctx=0x0) at libavfilter/avfiltergraph.c:275
#7  0x000000000046b712 in avfilter_graph_config (graphctx=0x32989e0, log_ctx=0x0) at libavfilter/avfiltergraph.c:1274

But because of an error-handling issue, this filter will be freed again when the program exits:

#0  av_free (ptr=0x32bb920) at libavutil/mem.c:209
#1  0x00000000017d59b3 in av_freep (arg=0x7fffffffe2b8) at libavutil/mem.c:219
#2  0x00000000017baeba in buffer_pool_free (pool=0x0) at libavutil/buffer.c:272
#3  0x00000000017bae19 in av_buffer_pool_uninit (ppool=0x32bb670) at libavutil/buffer.c:285
#4  0x0000000000481a79 in ff_frame_pool_uninit (pool=0x32ad140) at libavfilter/framepool.c:292
#5  0x0000000000466e2e in avfilter_link_free (link=0x7fffffffe358) at libavfilter/avfilter.c:181
#6  0x0000000000468a46 in free_link (link=0x32ad060) at libavfilter/avfilter.c:786
#7  0x00000000004687f7 in avfilter_free (filter=0x32ac5c0) at libavfilter/avfilter.c:806
#8  0x000000000046b1b8 in avfilter_graph_free (graph=0x3299c50) at libavfilter/avfiltergraph.c:123
#9  0x000000000042b22c in ffmpeg_cleanup (ret=0) at ffmpeg.c:477
#10 0x000000000040eff7 in exit_program (ret=0) at cmdutils.c:138

This was fixed with the following commit:
https://www.ffmpeg.org/download.html#releases

Regards

Reported by Zhibin Hu and Yihan Lian from Qihoo 360 GearTeam
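The two backtraces above show the general shape of the bug: an init routine releases a buffer on its error path, the owning context keeps pointing at it, and the unconditional cleanup at exit releases it a second time. The following C program is an added illustration of that pattern and is not FFmpeg's code or the actual fix; the `scaler` struct, `init_filter` and `scaler_release` names are hypothetical, and the release helper counts requests so the double free is observable in a test rather than being undefined behaviour.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical owner struct standing in for the swscale context. */
struct scaler {
    int16_t *filter;     /* produced by init_filter(), released in scaler_uninit() */
    void    *freed_once; /* address already released, to spot a second free */
    int      free_requests;
};

/* Counting release helper: records every request and calls free() only the
 * first time, so a second request (the double free) is observable. */
static void scaler_release(struct scaler *s, void *p)
{
    if (!p) return;
    s->free_requests++;
    if (s->freed_once == p) return;     /* this would be the double free */
    s->freed_once = p;
    free(p);
}

/* Error path releases the buffer. With clear_on_error == 0 it behaves like
 * av_free() and leaves *out dangling (the bug); with 1 it behaves like
 * av_freep() and also clears the caller's pointer (the hardened form). */
static int init_filter(struct scaler *s, int16_t **out, int fail, int clear_on_error)
{
    *out = calloc(64, sizeof(int16_t));
    if (!*out) return -1;
    if (fail) {
        scaler_release(s, *out);
        if (clear_on_error) *out = NULL;
        return -1;
    }
    return 0;
}

/* Owner cleanup, run unconditionally at exit (cf. ffmpeg_cleanup above). */
static void scaler_uninit(struct scaler *s)
{
    scaler_release(s, s->filter);
    s->filter = NULL;
}

/* Drives one scenario and returns how many releases the filter buffer saw. */
int run_scenario(int fail, int clear_on_error)
{
    struct scaler s = {0};
    init_filter(&s, &s.filter, fail, clear_on_error);
    scaler_uninit(&s);
    return s.free_requests;   /* 2 means the buffer was freed twice */
}
```

Running the failing init without clearing the owner's pointer yields two releases of the same buffer; clearing it on the error path brings that back to one.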
