oss-sec mailing list archives
[Bug Report] Vulnerability in libbpg
From: "wykcomputer () gmail com" <wykcomputer () gmail com>
Date: Fri, 18 Nov 2016 16:52:10 +0800
Hello, I'm a security researcher, and I found one vulnerability in libbpg. This is a double-free issue, which can lead to remote code execution. I have reported it to the author of libbpg, but got no response, so I report it to you.

The PoC file is the attachment. Run the command ./bpgdec PoC.bpg, and we will get the crash log as follows.

Crash Log:

Program received signal SIGSEGV, Segmentation fault.
0x000000000042a158 in av_buffer_unref (buf=0x64bcb0) at libavutil/buffer.c:111
111         b = (*buf)->buffer;
(gdb) bt
#0  0x000000000042a158 in av_buffer_unref (buf=0x64bcb0) at libavutil/buffer.c:111
#1  0x000000000042a8fa in av_frame_unref (frame=0x64bb30) at libavutil/frame.c:101
#2  0x000000000042a8b3 in av_frame_free (frame=0x638020) at libavutil/frame.c:92
#3  0x0000000000406ec7 in bpg_decoder_decode (img=0x638010, buf=0x638250 "BPG\373\026\t\201\026\201\026", buf_len=2412) at libbpg.c:1890

After reading the libbpg source code, I think it's a double-free issue.

Double Free:

int bpg_decoder_decode(BPGDecoderContext *img, const uint8_t *buf, int buf_len)
    //...
    ret = hevc_decode_start(img, buf + idx, buf_len - idx, width, height, img->format, bit_depth, has_alpha);
    |
    |->ret = hevc_decode_frame_internal(s, abuf, cbuf, buf, buf_len, 1);
        |
        |->ret = hevc_write_frame(s->dec_ctx, s->frame, cbuf->buf, cbuf->len);
            |
            |->len = avcodec_decode_video2(avctx, frame, &got_frame, &avpkt);
                |
                |->av_frame_unref(picture); //the first free
    av_frame_free(&img->frame); //the second free in int bpg_decoder_decode(BPGDecoderContext *img, const uint8_t *buf, int buf_len)

Fix:

Avoid double free, choose one of the first and second free. Maybe remove the second one.

wykcomputer () gmail com
Attachment:
PoC.bpg
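The sequence the report describes (an inner decode routine dropping a frame's buffer reference, then the outer caller freeing the same frame) is a classic ownership bug in reference-counted C code. The following model is an added example, not code from the report or from libbpg/FFmpeg: the Buffer and Frame types, the quarantine and the counters are hypothetical simplifications built only to show why a release routine must clear the owning slot (as av_buffer_unref does by taking a pointer-to-pointer), and how a debug allocator can count a second release of a dead buffer instead of crashing.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy model of a reference-counted pixel buffer and the frame that owns it.
 * The roles mirror AVBufferRef/AVFrame from the report, but these types are
 * hypothetical and far simpler than FFmpeg's. */
typedef struct Buffer {
    int refcount;   /* live references */
    int dead;       /* set once the payload has been released */
    uint8_t *data;
} Buffer;

typedef struct Frame {
    Buffer *buffer; /* NULL when the frame carries no data */
} Frame;

/* Released headers are quarantined instead of freed so that a stale pointer
 * is detected and counted rather than dereferencing freed memory. */
#define QUARANTINE_MAX 16
static Buffer *quarantine[QUARANTINE_MAX];
static int quarantined;

static int payload_frees;     /* times the pixel payload was really freed */
static int double_releases;   /* releases that hit an already-dead buffer */

static Buffer *buffer_alloc(size_t size) {
    Buffer *b = calloc(1, sizeof *b);
    if (!b) abort();
    b->data = calloc(1, size);
    b->refcount = 1;
    return b;
}

static void buffer_release(Buffer *b) {
    if (b->dead) {              /* the second release the report describes */
        double_releases++;
        return;
    }
    if (--b->refcount == 0) {
        free(b->data);
        b->data = NULL;
        b->dead = 1;
        payload_frees++;
        if (quarantined < QUARANTINE_MAX) quarantine[quarantined++] = b;
    }
}

/* Correct unref: the owning slot is cleared, like av_buffer_unref does,
 * so a later unref through the same Frame finds nothing to release. */
static void buffer_unref(Buffer **bp) {
    Buffer *b = *bp;
    if (!b) return;
    *bp = NULL;
    buffer_release(b);
}

/* Buggy unref: releases through a copy of the pointer and leaves the slot
 * dangling, so the Frame still points at a dead buffer. */
static void buffer_unref_stale(Buffer **bp) {
    if (*bp) buffer_release(*bp);
}

static void frame_unref(Frame *f, int clear_slot) {
    if (clear_slot) buffer_unref(&f->buffer);
    else            buffer_unref_stale(&f->buffer);
}

/* Frees the Frame and whatever it still references, like av_frame_free. */
static void frame_free(Frame **fp, int clear_slot) {
    if (!*fp) return;
    frame_unref(*fp, clear_slot);
    free(*fp);
    *fp = NULL;
}

/* Stand-in for the inner decode path that unrefs the frame it was handed
 * (the "first free" in the report). */
static void decode_internal(Frame *picture, int clear_slot) {
    frame_unref(picture, clear_slot);
}

/* Drives the two-release sequence from the report: the inner decoder unrefs
 * the frame, then the outer caller frees it. Returns how many releases hit
 * a dead buffer; 0 means every reference was dropped exactly once. */
int simulate_decode(int clear_slot) {
    payload_frees = double_releases = 0;
    Frame *img_frame = calloc(1, sizeof *img_frame);
    if (!img_frame) abort();
    img_frame->buffer = buffer_alloc(64);

    decode_internal(img_frame, clear_slot);   /* first release */
    frame_free(&img_frame, clear_slot);       /* second release */

    while (quarantined > 0) free(quarantine[--quarantined]);
    return double_releases;
}

int payload_free_count(void) { return payload_frees; }

int main(void) {
    printf("slot cleared on unref: double releases = %d\n", simulate_decode(1));
    printf("slot left dangling:    double releases = %d\n", simulate_decode(0));
    return 0;
}
```

With the slot cleared on unref, the outer free is a harmless no-op and the payload is released exactly once; with the slot left dangling, the same call sequence releases a dead buffer, which in real code is the double free behind the SIGSEGV in av_buffer_unref above. In production builds the same class of defect is caught by compiling the decoder with AddressSanitizer, which reports a double-free with both free sites' stacks rather than a crash.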