[Bug Report] Vulnerability in libbpg

["wykcomputer () gmail com" <wykcomputer () gmail com>]

Hello,
    I'm a security researcher. And I find one vulnerability in libbpg, this is a double-free issue, which can lead to 
remote-code-execution.
    I have reported it to the author of libbpg, but no responding, so I report it to you.
    The PoC file is the attachment.
    
    Run the command ./bpgdec PoC.bpg, we wil get the crash log as follows.    

    Crash Log：
Program received signal SIGSEGV, Segmentation fault.
0x000000000042a158 in av_buffer_unref (buf=0x64bcb0) at libavutil/buffer.c:111
111     b = (*buf)->buffer;
(gdb) bt
#0  0x000000000042a158 in av_buffer_unref (buf=0x64bcb0) at libavutil/buffer.c:111
#1  0x000000000042a8fa in av_frame_unref (frame=0x64bb30) at libavutil/frame.c:101
#2  0x000000000042a8b3 in av_frame_free (frame=0x638020) at libavutil/frame.c:92
#3  0x0000000000406ec7 in bpg_decoder_decode (img=0x638010, buf=0x638250 "BPG\373\026\t\201\026\201\026", buf_len=2412) 
at libbpg.c:1890


    After reading the libbpg source code, I think it's a double-free issue.
    Double Free:
int bpg_decoder_decode(BPGDecoderContext *img, const uint8_t *buf, int buf_len)
//...
ret = hevc_decode_start(img, buf + idx, buf_len - idx,
width, height, img->format, bit_depth, has_alpha); 
|
|->ret = hevc_decode_frame_internal(s, abuf, cbuf, buf, buf_len, 1);
|
|->ret = hevc_write_frame(s->dec_ctx, s->frame, cbuf->buf, cbuf->len);
|
|->len = avcodec_decode_video2(avctx, frame, &got_frame, &avpkt);
|
|->av_frame_unref(picture); //the first free

av_frame_free(&img->frame); //the second free in int bpg_decoder_decode(BPGDecoderContext *img, const uint8_t *buf, int 
buf_len)

    Fix:
Avoid double free, choose one of the first and second free. Maybe remove the second one. 



wykcomputer () gmail com

Attachment: PoC.bpg
Description: