oss-sec mailing list archives

[CVE-2017-15186]: ffmpeg: Double free when ffmpeg parses a crafted AVI file to an MKV file using the ffvhuff decoder


From: 连一汉 <lianyihan () 360 cn>
Date: Fri, 20 Oct 2017 09:10:45 +0000


Affected package: ffmpeg
Affected versions: <= 3.3.4

FFmpeg triggers a double free when parsing a crafted AVI file to an MKV file using the ffvhuff decoder.

From the backtrace, we can see that ffmpeg first frees a filter array:

#0  av_free (ptr=0x32bb920) at libavutil/mem.c:209
#1  0x000000000162a759 in initFilter (outFilter=0x32ae7f8, filterPos=0x32ae818, outFilterSize=0x32ae82c, xInc=65536, srcW=45, dstW=45, filterAlign=1, one=4096, flags=8196, cpu_flags=1037275, srcFilter=0x0, dstFilter=0x0, param=0x32adef0, srcPos=128, dstPos=128) at libswscale/utils.c:713
#2  0x00000000016263bd in sws_init_context (c=0x32ade80, srcFilter=0x7fffffffcf50, dstFilter=0x7fffffffcf50) at libswscale/utils.c:1681
#3  0x0000000000629c5b in config_props (outlink=0x32adce0) at libavfilter/vf_scale.c:333
#4  0x00000000004675c8 in avfilter_config_links (filter=0x32ac5c0) at libavfilter/avfilter.c:316
#5  0x000000000046754b in avfilter_config_links (filter=0x32acae0) at libavfilter/avfilter.c:305
#6  0x000000000046bc62 in graph_config_links (graph=0x32989e0, log_ctx=0x0) at libavfilter/avfiltergraph.c:275
#7  0x000000000046b712 in avfilter_graph_config (graphctx=0x32989e0, log_ctx=0x0) at libavfilter/avfiltergraph.c:1274

But because of an error-handling issue, this filter will be freed again when the program exits:

#0  av_free (ptr=0x32bb920) at libavutil/mem.c:209
#1  0x00000000017d59b3 in av_freep (arg=0x7fffffffe2b8) at libavutil/mem.c:219
#2  0x00000000017baeba in buffer_pool_free (pool=0x0) at libavutil/buffer.c:272
#3  0x00000000017bae19 in av_buffer_pool_uninit (ppool=0x32bb670) at libavutil/buffer.c:285
#4  0x0000000000481a79 in ff_frame_pool_uninit (pool=0x32ad140) at libavfilter/framepool.c:292
#5  0x0000000000466e2e in avfilter_link_free (link=0x7fffffffe358) at libavfilter/avfilter.c:181
#6  0x0000000000468a46 in free_link (link=0x32ad060) at libavfilter/avfilter.c:786
#7  0x00000000004687f7 in avfilter_free (filter=0x32ac5c0) at libavfilter/avfilter.c:806
#8  0x000000000046b1b8 in avfilter_graph_free (graph=0x3299c50) at libavfilter/avfiltergraph.c:123
#9  0x000000000042b22c in ffmpeg_cleanup (ret=0) at ffmpeg.c:477
#10 0x000000000040eff7 in exit_program (ret=0) at cmdutils.c:138

This was fixed with the following commit:
https://www.ffmpeg.org/download.html#releases

Regards

Reported by Zhibin Hu and Yihan Lian from Qihoo 360 GearTeam
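As an added illustration, constructed for this note and not FFmpeg's code, here is a minimal C model of the pattern the two traces show, written the safe way: the init routine clears the owner's pointer when it frees on its error path, so the exit-time cleanup's second release becomes a no-op instead of a double free. All names (scale_ctx, freep, init_filter, scale_ctx_free, fail_after_alloc) are assumptions of this model.

```c
#include <stdlib.h>

/* Constructed model (not FFmpeg's code) of the ownership bug in the traces:
 * an init routine frees a buffer on its error path, then the owner's
 * exit-time cleanup frees the same pointer again. */
struct scale_ctx {
    int *filter;  /* owned by the context; released in scale_ctx_free() */
};

/* av_freep-style helper: free the block AND clear the caller's pointer, so a
 * later cleanup sees NULL and free(NULL) is a harmless no-op. */
static void freep(void *arg)
{
    void **p = arg;
    free(*p);
    *p = NULL;
}

/* Safe pattern: every error path releases the allocation through freep(), so
 * the context never keeps a dangling pointer. Returns 0 on success, -1 on
 * error; fail_after_alloc is a constructed knob simulating a later failure. */
static int init_filter(struct scale_ctx *c, int size, int fail_after_alloc)
{
    c->filter = calloc((size_t)size, sizeof(*c->filter));
    if (!c->filter)
        return -1;
    if (fail_after_alloc) {
        /* A plain free(c->filter) here, leaving the field set, is the
         * shape of bug that makes the owner's cleanup free it a second time. */
        freep(&c->filter);
        return -1;
    }
    return 0;
}

/* Owner's cleanup, as run from the exit path: safe after a failed init and
 * safe to call more than once. */
static void scale_ctx_free(struct scale_ctx *c)
{
    freep(&c->filter);
}

/* Returns 1 when a failed init leaves the context safe for repeated cleanup. */
static int error_path_is_safe(void)
{
    struct scale_ctx c = {0};
    if (init_filter(&c, 45, 1) != -1 || c.filter != NULL)
        return 0;
    scale_ctx_free(&c);
    scale_ctx_free(&c);  /* with a stale pointer this would be the double free */
    return c.filter == NULL;
}
```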
