VLC Picture Use-After-Free
VLC media player is vulnerable to a heap use-after-free when playing a specially crafted QuickTime movie. I verified this vulnerability affects the most recent nightly build, vlc-2.2.0-20141111-0302. I've attached the crashing video. The following is the AddressSanitizer output from a build of the official 2.1.4 source release:
=================================================================
==5667== ERROR: AddressSanitizer: heap-use-after-free on address 0x602a0005ea48 at pc 0x7f008f7971f7 bp 0x7f0077e74280 sp 0x7f0077e74278
WRITE of size 8 at 0x602a0005ea48 thread T36
    #0 0x7f008f7971f6 in vlc_atomic_sub /home/chris/projects/vlc-2.1.4/src/../include/vlc_atomic.h:340
    #1 0x7f008f7618cc in vout_ReleasePicture /home/chris/projects/vlc-2.1.4/src/video_output/video_output.c:436
    #2 0x7f008f6fc75d in vout_unlink_picture /home/chris/projects/vlc-2.1.4/src/input/decoder.c:2435
    #3 0x7f008f704c97 in decoder_UnlinkPicture /home/chris/projects/vlc-2.1.4/src/input/decoder.c:206
    #4 0x7f006e156a22 in ffmpeg_ReleaseFrameBuf /home/chris/projects/vlc-2.1.4/modules/codec/avcodec/video.c:1081
    #5 0x7f006d56a433 in compat_free_buffer /home/chris/projects/libav/libavcodec/utils.c:563
    #6 0x7f006ce52d6e in av_buffer_unref /home/chris/projects/libav/libavutil/buffer.c:115
    #7 0x7f006d56a465 in compat_release_buffer /home/chris/projects/libav/libavcodec/utils.c:570
    #8 0x7f006ce52d6e in av_buffer_unref /home/chris/projects/libav/libavutil/buffer.c:115
    #9 0x7f006ce58a82 in av_frame_unref /home/chris/projects/libav/libavutil/frame.c:285 (discriminator 2)
    #10 0x7f006d56c948 in unrefcount_frame /home/chris/projects/libav/libavcodec/utils.c:1414
    #11 0x7f006d56cd0e in avcodec_decode_video2 /home/chris/projects/libav/libavcodec/utils.c:1496
    #12 0x7f006e15b336 in DecodeVideo /home/chris/projects/vlc-2.1.4/modules/codec/avcodec/video.c:610
    #13 0x7f008f6ff280 in DecoderDecodeVideo /home/chris/projects/vlc-2.1.4/src/input/decoder.c:1479 (discriminator 1)
    #14 0x7f008f700820 in DecoderProcessVideo /home/chris/projects/vlc-2.1.4/src/input/decoder.c:1841
    #15 0x7f008fcf5bc7 in ?? ??:0
    #16 0x3c54a07c52 in ?? ??:0
    #17 0x3c546f5dbc in ?? ??:0
0x602a0005ea48 is located 296 bytes inside of 328-byte region [0x602a0005e920,0x602a0005ea68)
freed by thread T38 here:
    #0 0x7f008fcf236a in ?? ??:0
    #1 0x7f008f795f03 in PictureDestroy /home/chris/projects/vlc-2.1.4/src/misc/picture.c:95
    #2 0x7f008f797235 in picture_Release /home/chris/projects/vlc-2.1.4/src/misc/picture.c:271
    #3 0x7f008f7992b4 in picture_pool_Delete /home/chris/projects/vlc-2.1.4/src/misc/picture_pool.c:203
    #4 0x7f008f772b00 in vout_EndWrapper /home/chris/projects/vlc-2.1.4/src/video_output/vout_wrapper.c:181
    #5 0x7f008f7596b3 in ThreadStop /home/chris/projects/vlc-2.1.4/src/video_output/video_output.c:1382
    #6 0x7f008f75ec2a in ThreadReinit /home/chris/projects/vlc-2.1.4/src/video_output/video_output.c:1441
    #7 0x7f008fcf5bc7 in ?? ??:0
previously allocated by thread T38 here:
    #0 0x7f008fcf2515 in ?? ??:0
    #1 0x7f008f796956 in picture_NewFromResource /home/chris/projects/vlc-2.1.4/src/misc/picture.c:201
    #2 0x7f008f7970a5 in picture_NewFromFormat /home/chris/projects/vlc-2.1.4/src/misc/picture.c:244
    #3 0x7f008f798f1b in picture_pool_NewFromFormat /home/chris/projects/vlc-2.1.4/src/misc/picture_pool.c:139
    #4 0x7f008f772739 in vout_InitWrapper /home/chris/projects/vlc-2.1.4/src/video_output/vout_wrapper.c:150
    #5 0x7f008f75ab9b in ThreadStart /home/chris/projects/vlc-2.1.4/src/video_output/video_output.c:1352
    #6 0x7f008f75ea33 in Thread /home/chris/projects/vlc-2.1.4/src/video_output/video_output.c:1487
    #7 0x7f008fcf5bc7 in ?? ??:0
Thread T36 created by T34 here:
    #0 0x7f008fce7b8b in ?? ??:0
    #1 0x7f008f7c8463 in vlc_clone_attr /home/chris/projects/vlc-2.1.4/src/posix/thread.c:708
    #2 0x7f008f7c8c37 in vlc_clone /home/chris/projects/vlc-2.1.4/src/posix/thread.c:733
    #3 0x7f008f7041f3 in decoder_New /home/chris/projects/vlc-2.1.4/src/input/decoder.c:299
    #4 0x7f008f704e65 in input_DecoderNew /home/chris/projects/vlc-2.1.4/src/input/decoder.c:322
    #5 0x7f008f70b460 in EsCreateDecoder /home/chris/projects/vlc-2.1.4/src/input/es_out.c:1557
    #6 0x7f008f70dfc5 in EsSelect /home/chris/projects/vlc-2.1.4/src/input/es_out.c:1642
    #7 0x7f008f70ed87 in EsOutSelect /home/chris/projects/vlc-2.1.4/src/input/es_out.c:1861
    #8 0x7f008f714007 in EsOutControlLocked /home/chris/projects/vlc-2.1.4/src/input/es_out.c:2180
    #9 0x7f008f71b9a5 in es_out_vaControl /home/chris/projects/vlc-2.1.4/src/../include/vlc_es_out.h:126
    #10 0x7f008f71baae in CmdExecuteControl /home/chris/projects/vlc-2.1.4/src/input/es_out_timeshift.c:1458
    #11 0x7f008f71efe0 in ControlLocked /home/chris/projects/vlc-2.1.4/src/input/es_out_timeshift.c:620
    #12 0x7f008f722eac in es_out_vaControl /home/chris/projects/vlc-2.1.4/src/../include/vlc_es_out.h:126
    #13 0x7f008f72e33d in es_out_SetMode /home/chris/projects/vlc-2.1.4/src/input/es_out.h:89
    #14 0x7f008f733481 in Run /home/chris/projects/vlc-2.1.4/src/input/input.c:521
    #15 0x7f008fcf5bc7 in ?? ??:0
Thread T34 created by T1 here:
    #0 0x7f008fce7b8b in ?? ??:0
    #1 0x7f008f7c8463 in vlc_clone_attr /home/chris/projects/vlc-2.1.4/src/posix/thread.c:708
    #2 0x7f008f7c8c37 in vlc_clone /home/chris/projects/vlc-2.1.4/src/posix/thread.c:733
    #3 0x7f008f726bd7 in input_Start /home/chris/projects/vlc-2.1.4/src/input/input.c:218
    #4 0x7f008f6dbcd4 in PlayItem /home/chris/projects/vlc-2.1.4/src/playlist/thread.c:220
    #5 0x7f008fcf5bc7 in ?? ??:0
Thread T1 created by T0 here:
    #0 0x7f008fce7b8b in ?? ??:0
    #1 0x7f008f7c8463 in vlc_clone_attr /home/chris/projects/vlc-2.1.4/src/posix/thread.c:708
    #2 0x7f008f7c8c37 in vlc_clone /home/chris/projects/vlc-2.1.4/src/posix/thread.c:733
    #3 0x7f008f6d9bbe in playlist_Activate /home/chris/projects/vlc-2.1.4/src/playlist/thread.c:55
    #4 0x7f008f6df027 in playlist_Create /home/chris/projects/vlc-2.1.4/src/playlist/engine.c:310
    #5 0x7f008fab36ef in libvlc_add_intf /home/chris/projects/vlc-2.1.4/lib/playlist.c:56
    #6 0x401a06 in main /home/chris/projects/vlc-2.1.4/bin/vlc.c:237
    #7 0x3c54621b44 in ?? ??:0
Thread T38 created by T36 here:
    #0 0x7f008fce7b8b in ?? ??:0
    #1 0x7f008f7c8463 in vlc_clone_attr /home/chris/projects/vlc-2.1.4/src/posix/thread.c:708
    #2 0x7f008f7c8c37 in vlc_clone /home/chris/projects/vlc-2.1.4/src/posix/thread.c:733
    #3 0x7f008f760bbb in VoutCreate /home/chris/projects/vlc-2.1.4/src/video_output/video_output.c:171
    #4 0x7f008f737b3d in RequestVout /home/chris/projects/vlc-2.1.4/src/input/resource.c:238
    #5 0x7f008f702734 in vout_new_buffer /home/chris/projects/vlc-2.1.4/src/input/decoder.c:2375
    #6 0x7f008f704bdf in decoder_NewPicture /home/chris/projects/vlc-2.1.4/src/input/decoder.c:191
    #7 0x7f006e157e11 in ffmpeg_NewPictBuf /home/chris/projects/vlc-2.1.4/modules/codec/avcodec/video.c:177
    #8 0x7f006d56a78c in ff_get_buffer /home/chris/projects/libav/libavcodec/utils.c:646
    #9 0x7f006d4028b3 in ff_mjpeg_decode_sof /home/chris/projects/libav/libavcodec/mjpegdec.c:377
    #10 0x7f006d4075dc in ff_mjpeg_decode_frame /home/chris/projects/libav/libavcodec/mjpegdec.c:1536
    #11 0x7f006d56cc70 in avcodec_decode_video2 /home/chris/projects/libav/libavcodec/utils.c:1480
    #12 0x7f006e15b336 in DecodeVideo /home/chris/projects/vlc-2.1.4/modules/codec/avcodec/video.c:610
    #13 0x7f008f6ff280 in DecoderDecodeVideo /home/chris/projects/vlc-2.1.4/src/input/decoder.c:1479 (discriminator 1)
    #14 0x7f008f700820 in DecoderProcessVideo /home/chris/projects/vlc-2.1.4/src/input/decoder.c:1841
    #15 0x7f008fcf5bc7 in ?? ??:0
Shadow bytes around the buggy address:
0x0c05c0003cf0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c05c0003d00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c05c0003d10: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
0x0c05c0003d20: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c05c0003d30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c05c0003d40: fd fd fd fd fd fd fd fd fd[fd]fd fd fd fa fa fa
0x0c05c0003d50: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c05c0003d60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c05c0003d70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c05c0003d80: fd fa fa fa fa fa fa fa fa fa fa fa fd fd fd fd
0x0c05c0003d90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==5667== ABORTING
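Reading the report: the faulting access is an 8-byte write in vlc_atomic_sub, reached from vout_ReleasePicture when the decoder thread (T36) unlinks a picture because libav is releasing a frame buffer (ffmpeg_ReleaseFrameBuf via av_frame_unref). The picture it writes to was allocated by the video output thread (T38) in picture_pool_NewFromFormat during ThreadStart, and was already freed by that same thread in picture_pool_Delete during ThreadReinit. In other words, the video output tore down its picture pool while the decoder still held a reference to one of the pool's pictures, and the decoder's later reference drop hit freed memory. The C program below is an added example, not VLC's code: it models that ownership pattern with a toy reference-counted picture pool (picture_t, picture_pool_t, pool_delete_unsafe, pool_delete_safe and replay_reinit_race are names invented for the illustration) and replays the same link / pool-delete / unlink interleaving on one thread, first with a teardown that destroys every picture outright and then with one that drops only the pool's own reference. The buffer sizes are constructed.

```c
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy model of the ownership visible in the report (illustration, not VLC code): a pool
 * creates pictures, a decoder links and unlinks them, the video output tears the pool
 * down on reinit. Every holder owns exactly one reference. */
typedef struct picture {
    atomic_int refs;        /* pool + every linker; the picture is freed at zero */
    unsigned char *plane;   /* pixel storage owned by the picture */
} picture_t;

typedef struct { picture_t **pics; size_t count; } picture_pool_t;

static int g_live_pictures;  /* lets the replay check what is still allocated */

static void picture_destroy(picture_t *p) {
    free(p->plane);
    free(p);
    g_live_pictures--;
}

static picture_t *picture_new(size_t size) {
    picture_t *p = calloc(1, sizeof *p);
    if (p == NULL) return NULL;
    p->plane = calloc(1, size);
    if (p->plane == NULL) { free(p); return NULL; }
    atomic_init(&p->refs, 1);  /* the creating pool holds the first reference */
    g_live_pictures++;
    return p;
}

static void picture_hold(picture_t *p) { atomic_fetch_add(&p->refs, 1); }

/* Drops one reference; frees the picture on the last one. Returns 1 if it freed. */
static int picture_release(picture_t *p) {
    if (atomic_fetch_sub(&p->refs, 1) == 1) { picture_destroy(p); return 1; }
    return 0;
}

static picture_pool_t *pool_new(size_t count, size_t size) {
    picture_pool_t *pool = calloc(1, sizeof *pool);
    if (pool == NULL) return NULL;
    pool->pics = calloc(count, sizeof *pool->pics);
    if (pool->pics == NULL) { free(pool); return NULL; }
    for (size_t i = 0; i < count; i++) {
        pool->pics[i] = picture_new(size);
        if (pool->pics[i] == NULL) {           /* unwind what was already created */
            while (i > 0) picture_release(pool->pics[--i]);
            free(pool->pics); free(pool);
            return NULL;
        }
    }
    pool->count = count;
    return pool;
}

/* Teardown that treats the pool as sole owner and destroys every picture outright. A picture
 * the decoder still links dangles; its later unlink is the 8-byte WRITE in frame #0 above. */
static void pool_delete_unsafe(picture_pool_t *pool) {
    for (size_t i = 0; i < pool->count; i++) picture_destroy(pool->pics[i]);
    free(pool->pics); free(pool);
}

/* Teardown that drops only the pool's own reference. A linked picture survives until its
 * last holder releases it, so the decoder's unlink touches live memory. */
static void pool_delete_safe(picture_pool_t *pool) {
    for (size_t i = 0; i < pool->count; i++) picture_release(pool->pics[i]);
    free(pool->pics); free(pool);
}

/* Replays the interleaving in the report on one thread: decoder links a picture, vout reinit
 * deletes the pool, decoder unlinks. Returns 1 when the picture was still alive at the unlink
 * and nothing is left allocated afterwards, 0 when the teardown left the decoder holding
 * freed memory, -1 on allocation failure. */
static int replay_reinit_race(int use_safe_teardown) {
    g_live_pictures = 0;
    picture_pool_t *pool = pool_new(3, 320 * 240 * 3);  /* constructed sizes */
    if (pool == NULL) return -1;

    picture_t *linked = pool->pics[1];
    picture_hold(linked);                        /* decoder link: refs 1 -> 2 */
    int refs_before = atomic_load(&linked->refs);

    if (use_safe_teardown) {
        pool_delete_safe(pool);                  /* refs 2 -> 1; the two unlinked pictures die */
        int alive = g_live_pictures == 1 && atomic_load(&linked->refs) == 1;
        picture_release(linked);                 /* decoder unlink frees the last picture */
        return alive && g_live_pictures == 0;
    }
    pool_delete_unsafe(pool);                    /* frees 'linked' despite its second reference */
    /* picture_release(linked) here would be the use-after-free; it is deliberately not
     * executed and the dangling state is reported instead. */
    return (refs_before > 1 && g_live_pictures == 0) ? 0 : 1;
}

int main(void) {
    printf("sole-owner teardown leaves the decoder a freed picture: %s\n", replay_reinit_race(0) == 0 ? "yes" : "no");
    printf("reference-dropping teardown: %s\n", replay_reinit_race(1) == 1 ? "ok" : "FAILED");
    return 0;
}
```

The model runs single-threaded on purpose: the report's interleaving (link on T36, pool delete on T38, unlink on T36) is what matters, and replaying it deterministically shows the two teardown policies diverging without depending on the scheduler. It does not claim to reproduce VLC's exact accounting error; it shows the invariant the trace says was violated, that a pool may only release the references it owns, and that the object must outlive every other holder. Running the real target under AddressSanitizer, as the report does, remains the way to confirm a fix, since a refcount decrement on freed memory is silent without it.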