CVE-2022-38861: #2407 (A heap memory corruption occurred in function free_mp_image() of libmpcodecs/mp_image.c) – MPlayer
The MPlayer Project mplayer SVN-r38374-13.0.1 is vulnerable to memory corruption via function free_mp_image() of libmpcodecs/mp_image.c.
#2407 closed defect (fixed)
Reported by:
Owned by: beastd
Priority: normal
Component: undetermined
Version: HEAD
Severity: major
Keywords:
Cc:
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no
Version: SVN-r38374-13.0.1
Build command: …/configure --disable-ffmpeg_a && make (compiling with asan)
Summary of the bug: I found a heap memory corruption crash when I tried to fuzz mencoder.
[ … ] 1 duplicate frame(s)!
Pos:   0.0s      3f (100%)  0.00fps Trem:   0min   0mb  A-V:0.000 [0:0]
Movie-Aspect is undefined - no prescaling applied.
Writing header…
ODML: Aspect information not (yet?) available or unspecified, not writing vprp header.
Writing header…
ODML: Aspect information not (yet?) available or unspecified, not writing vprp header.
Writing header…
ODML: Aspect information not (yet?) available or unspecified, not writing vprp header.
Writing header…
ODML: Aspect information not (yet?) available or unspecified, not writing vprp header.
Pos:   0.0s      4f (100%)  0.00fps Trem:   0min   0mb  A-V:0.000 [0:0]
Skipping frame!
Pos:   0.0s      5f (100%)  0.00fps Trem:   0min   0mb  A-V:0.000 [0:0]
Flushing video frames.
Writing index…
Writing header…
ODML: Aspect information not (yet?) available or unspecified, not writing vprp header.
Video stream: 743743.500 kbit/s (92967937 B/s) size: 16892 bytes 0.000 secs 5 frames
double free or corruption (out)
Aborted
But when I tried to debug this crash to figure out the reason, I found that the free function's argument is not a heap address. The pointer points to a block of memory that is full of 0x80.
Breakpoint 1, free_mp_image (mpi=0x60e000000120) at libmpcodecs/mp_image.c:271
271         av_free(mpi->planes[0]);
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
[ REGISTERS ]
 RAX  0x2b00
 RBX  0xc1c00000024 ◂— 0x0
 RCX  0x7fffed1ff800 ◂— 0xbfbebfbebebebebe
 RDX  0x1
 RDI  0x60e000000120 —▸ 0x40000c30f ◂— 0x0
 RSI  0x7fffee7f90e0 ◂— 0x0
 R8   0xd8
 R9   0x7fffee489708 —▸ 0x555555857598 (uninit_video+216) ◂— mov qword ptr [rip + 0xf57d5d], 0
 R10  0x7fffffffcd20 —▸ 0x555555857598 (uninit_video+216) ◂— mov qword ptr [rip + 0xf57d5d], 0
 R11  0x20
 R12  0x0
 R13  0xffffffffad5 ◂— 0x0
 R14  0x555555ec7fa0 (__afl_area_ptr) —▸ 0x7fffed1ff800 ◂— 0xbfbebfbebebebebe
 R15  0x60e000000120 —▸ 0x40000c30f ◂— 0x0
 RBP  0x7fffffffdda0 ◂— 0x0
 RSP  0x7fffffffd5e0 —▸ 0x616000000380 —▸ 0x555555e1c380 (vf_info_expand) —▸ 0x555555d82360 (str) ◂— 'expanding & osd'
 RIP  0x55555585ec3b (free_mp_image+107) ◂— lea rdi, [r15 + 0x30]
[ DISASM ]
 ► 0x55555585ec3b <free_mp_image+107>    lea    rdi, [r15 + 0x30]
   0x55555585ec3f <free_mp_image+111>    mov    rax, rdi
   0x55555585ec42 <free_mp_image+114>    shr    rax, 3
   0x55555585ec46 <free_mp_image+118>    cmp    byte ptr [rax + 0x7fff8000], 0
   0x55555585ec4d <free_mp_image+125>    jne    free_mp_image+294 <free_mp_image+294>
   0x55555585ec53 <free_mp_image+131>    mov    rdi, qword ptr [r15 + 0x30]
   0x55555585ec57 <free_mp_image+135>    call   av_free@plt <av_free@plt>
   0x55555585ec5c <free_mp_image+140>    mov    al, byte ptr [rbx + 0x7fff8000]
   0x55555585ec62 <free_mp_image+146>    test   al, al
   0x55555585ec64 <free_mp_image+148>    jne    free_mp_image+269 <free_mp_image+269>
   0x55555585ec66 <free_mp_image+150>    test   byte ptr [r15 + 1], 8
[ SOURCE (CODE) ]
In file: /home/jlx/good_mplayer/asan_mplayer/libmpcodecs/mp_image.c
   266
   267 void free_mp_image(mp_image_t* mpi){
   268     if(!mpi) return;
   269     if(mpi->flags&MP_IMGFLAG_ALLOCATED){
   270         /* because we allocate the whole image at once */
 ► 271         av_free(mpi->planes[0]);
   272         if (mpi->flags & MP_IMGFLAG_RGB_PALETTE)
   273             av_free(mpi->planes[1]);
   274     }
   275     free(mpi);
   276 }
[ STACK ]
00:0000│ rsp 0x7fffffffd5e0 —▸ 0x616000000380 —▸ 0x555555e1c380 (vf_info_expand) —▸ 0x555555d82360 (str) ◂— 'expanding & osd'
01:0008│     0x7fffffffd5e8 —▸ 0x555555ec7fa0 (__afl_area_ptr) —▸ 0x7fffed1ff800 ◂— 0xbfbebfbebebebebe
02:0010│     0x7fffffffd5f0 —▸ 0x616000000080 —▸ 0x555555e0b5c0 (ve_info_lavc) —▸ 0x555555c7b640 (str) ◂— 'libavcodec encoder'
03:0018│     0x7fffffffd5f8 —▸ 0x55555587b998 (vf_uninit_filter_chain+200) ◂— lea rdi, [rbx + 0x68]
04:0020│     0x7fffffffd600 —▸ 0x61a000001130 —▸ 0x616000000380 —▸ 0x555555e1c380 (vf_info_expand) —▸ 0x555555d82360 (str) ◂— …
05:0028│     0x7fffffffd608 —▸ 0x61a000000c94 ◂— 0x1
06:0030│     0x7fffffffd610 —▸ 0xc3400000192 ◂— 0x0
07:0038│     0x7fffffffd618 —▸ 0x5555558575c6 (uninit_video+262) ◂— call 0x555555af5820
[ BACKTRACE ]
 ► f 0     55555585ec3b free_mp_image+107
   f 1     55555587b998 vf_uninit_filter_chain+200
   f 2     55555587b998 vf_uninit_filter_chain+200
   f 3     5555558575c6 uninit_video+262
   f 4     555555737d1b main+47819
   f 5     7ffff55070b3 __libc_start_main+243
pwndbg> p mpi->planes[0]
$4 = (unsigned char *) 0x7fffeb6cb040 '\200' <repeats 200 times>…
pwndbg> vmmap 0x7fffeb6cb040
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
0x7fffeb490000 0x7fffebf19000 rw-p   a89000 0      +0x23b040
How to reproduce:
1. Command: ./mencoder -ovc lavc -oac lavc -o /dev/null ./testcase
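As an added illustration (not MPlayer's code), here is a hardened variant of the ownership logic in free_mp_image() shown in the debugger listing above: the release routine clears the ALLOCATED flag and the plane pointers and nulls the caller's handle, so a repeated release of the same image is a no-op instead of a double free. The struct layout and flag values are constructed stand-ins for mp_image_t, MP_IMGFLAG_ALLOCATED and MP_IMGFLAG_RGB_PALETTE.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed, minimal model of MPlayer's mp_image_t (not the project's type). */
#define MP_IMGFLAG_ALLOCATED   0x1u
#define MP_IMGFLAG_RGB_PALETTE 0x2u

typedef struct {
    unsigned int flags;
    unsigned char *planes[3];
} mp_image_t;

/* Allocate an image whose pixel buffer (planes[0]) is owned by the image,
 * mirroring the "allocate the whole image at once" comment in mp_image.c. */
mp_image_t *alloc_mp_image(size_t bytes, int with_palette) {
    mp_image_t *mpi = calloc(1, sizeof *mpi);
    if (!mpi) return NULL;
    mpi->planes[0] = malloc(bytes);
    if (!mpi->planes[0]) { free(mpi); return NULL; }
    mpi->flags |= MP_IMGFLAG_ALLOCATED;
    if (with_palette) {
        mpi->planes[1] = calloc(256, 4);   /* 256-entry RGBA palette */
        mpi->flags |= MP_IMGFLAG_RGB_PALETTE;
    }
    return mpi;
}

/* Hardened release: takes the owner's pointer-to-pointer so the caller's
 * handle is NULL afterwards, and drops the ownership flags and plane
 * pointers before the struct itself is freed. Calling it twice on the same
 * handle releases nothing the second time. Returns the number of buffers freed. */
int release_mp_image(mp_image_t **slot) {
    int released = 0;
    mp_image_t *mpi = slot ? *slot : NULL;
    if (!mpi) return 0;
    if (mpi->flags & MP_IMGFLAG_ALLOCATED) {
        free(mpi->planes[0]);
        released++;
        if (mpi->flags & MP_IMGFLAG_RGB_PALETTE) {
            free(mpi->planes[1]);
            released++;
        }
        mpi->flags &= ~(MP_IMGFLAG_ALLOCATED | MP_IMGFLAG_RGB_PALETTE);
        memset(mpi->planes, 0, sizeof mpi->planes);
    }
    free(mpi);
    released++;
    *slot = NULL;   /* owner's handle no longer dangles */
    return released;
}
```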