pkuvcl / davs2

An open-source decoder of AVS2-P2/IEEE1857.4 video coding standard
GNU General Public License v2.0

Free an invalid address could lead to SEGV in davs2_free davs2/source/common/common.h:1269 #30

Open arayzw opened 2 years ago

arayzw commented 2 years ago

Describe the bug

This bug allows freeing an invalid address, which is dangerous; the pointer to be freed seems corrupted.

=============================================================================================

$ gdb ./davs2
(gdb) b davs2_free
Breakpoint 1 at 0x555555565b23: davs2_free. (9 locations)
(gdb) r -o ./test.yuv -i poc2
Thread 1 "davs2" hit Breakpoint 1, davs2_free (ptr=0x627000000120) at /home/arayz/arayz/work/davs2/source/common/common.h:1269
1269        free(*(((void **)ptr) - 1));
(gdb) x/20xb (((void **)ptr) - 1)
0x627000000100: 0xbe 0xbe 0xbe 0xbe 0xbe 0xbe 0xbe 0xbe
0x627000000108: 0xbe 0xbe 0xbe 0xbe 0xbe 0xbe 0xbe 0xbe
0x627000000110: 0xbe 0xbe 0xbe 0xbe
(gdb) c
Continuing.

Thread 1 "davs2" hit Breakpoint 1, davs2_free (ptr=0x7fffcde91e60) at /home/arayz/arayz/work/davs2/source/common/common.h:1269
1269        free(*(((void **)ptr) - 1));
(gdb) x/20xb (((void **)ptr) - 1)
0xfffffff100000000: Cannot access memory at address 0xfffffff100000000

=============================================================================================

To Reproduce

cd /path/to/davs2/build/linux/
./configure --enable-pic
vim config.mak   (add -fsanitize=address to CFLAGS, and -fsanitize=address -lasan to LDFLAGS)
make
./davs2 -i /path/to/poc2.avs -o test.yuv

ASAN Crash log

=================================================================
==105979==ERROR: AddressSanitizer: SEGV on unknown address 0xfffffff0fffffff0 (pc 0x7f652159ba16 bp 0xfffffff0fffffff0 sp 0x7ffdae8c08e0 T0)
==105979==The signal is caused by a WRITE memory access.

#0 0x7f652159ba15 in bool __sanitizer::atomic_compare_exchange_strong<__sanitizer::atomic_uint8_t>(__sanitizer::atomic_uint8_t volatile*, __sanitizer::atomic_uint8_t::Type*, __sanitizer::atomic_uint8_t::Type, __sanitizer::memory_order) ../../../../src/libsanitizer/sanitizer_common/sanitizer_atomic_clang.h:79
#1 0x7f652159ba15 in __asan::Allocator::AtomicallySetQuarantineFlagIfAllocated(__asan::AsanChunk*, void*, __sanitizer::BufferedStackTrace*) ../../../../src/libsanitizer/asan/asan_allocator.cc:552
#2 0x7f652159ba15 in __asan::Allocator::Deallocate(void*, unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType) ../../../../src/libsanitizer/asan/asan_allocator.cc:629
#3 0x7f652159ba15 in __asan::asan_free(void*, __sanitizer::BufferedStackTrace*, __asan::AllocType) ../../../../src/libsanitizer/asan/asan_allocator.cc:865
#4 0x7f65216803d8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:127
#5 0x5587417e73ff in davs2_free /home/arayz/arayz/work/davs2/source/common/common.h:1269
#6 0x5587417e73ff in davs2_frame_destroy /home/arayz/arayz/work/davs2/source/common/frame.cc:371
#7 0x5587417e2f69 in davs2_decoder_free_extra_buffer /home/arayz/arayz/work/davs2/source/common/decoder.cc:777
#8 0x5587417e6431 in davs2_decoder_decoder_close /home/arayz/arayz/work/davs2/source/common/decoder.cc:1205
#9 0x5587417dd34a in davs2_decoder_close /home/arayz/arayz/work/davs2/source/common/davs2.cc:797
#10 0x5587417da81f in test_decoder /home/arayz/arayz/work/davs2/source/test/test.c:275
#11 0x5587417db7bc in main /home/arayz/arayz/work/davs2/source/test/test.c:329
#12 0x7f6521036082 in __libc_start_main ../csu/libc-start.c:308
#13 0x5587417d652d in _start (/home/arayz/arayz/work/davs2/build/linux/davs2+0xc52d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ../../../../src/libsanitizer/sanitizer_common/sanitizer_atomic_clang.h:79 in bool __sanitizer::atomic_compare_exchange_strong<__sanitizer::atomic_uint8_t>(__sanitizer::atomic_uint8_t volatile*, __sanitizer::atomic_uint8_t::Type*, __sanitizer::atomic_uint8_t::Type, __sanitizer::memory_order)
==105979==ABORTING

This is a security issue.

Additional context

PoC: poc2.zip
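As an added illustration of the mitigation (example code, not davs2's own): the free pattern quoted in the gdb session trusts whatever pointer sits in the slot just below the aligned block, so a slot overwritten with foreign data, such as the 0xbe fill seen above, is handed straight to free(). The hardened variant below tags that slot and range-checks the stored base before freeing; the header layout, the ALIGN_MAGIC tag and the function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Header kept in the slot below the aligned pointer. The report's free only
 * reads a base pointer from that slot; the tag plus a distance check lets a
 * hardened free reject a slot that no longer holds what the allocator wrote.
 * ALIGN_MAGIC and the layout are hypothetical choices for this example. */
#define ALIGN_MAGIC 0x5A11DA7Au
#define ALIGNMENT   32

typedef struct { void *base; uint32_t magic; } align_hdr;

/* Allocate 'size' bytes aligned to ALIGNMENT; the header sits just below. */
void *aligned_malloc_tagged(size_t size)
{
    size_t pad = ALIGNMENT + sizeof(align_hdr);
    unsigned char *base = malloc(size + pad);
    if (base == NULL) return NULL;
    uintptr_t p = ((uintptr_t)base + pad) & ~(uintptr_t)(ALIGNMENT - 1);
    align_hdr *h = (align_hdr *)p - 1;   /* fits: p - base >= sizeof(align_hdr) */
    h->base  = base;
    h->magic = ALIGN_MAGIC;
    return (void *)p;
}

/* Returns 1 if the block was freed, 0 if the header is inconsistent and the
 * block was deliberately leaked instead of passing garbage to free(). */
int aligned_free_checked(void *ptr)
{
    if (ptr == NULL) return 1;
    align_hdr *h = (align_hdr *)ptr - 1;
    uintptr_t base = (uintptr_t)h->base;
    /* base must be at most pad bytes below ptr and never above it */
    if (h->magic != ALIGN_MAGIC || base > (uintptr_t)ptr ||
        (uintptr_t)ptr - base > ALIGNMENT + sizeof(align_hdr))
        return 0;
    free(h->base);
    return 1;
}

/* Constructed reproduction of the report's state: the slot below ptr holds
 * 0xbe fill instead of a header. Returns the result of the checked free. */
int demo_corrupted_header(void)
{
    void *p = aligned_malloc_tagged(64);
    if (p == NULL) return -1;
    void *real_base = ((align_hdr *)p - 1)->base;   /* kept for cleanup only */
    memset((align_hdr *)p - 1, 0xbe, sizeof(align_hdr));
    int r = aligned_free_checked(p);                /* must refuse: tag mismatch */
    free(real_base);
    return r;
}
```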