Channel: Cisco Talos Blog
TALOS-2016-0037

Matroska libebml Multiple ElementList Double Free Vulnerabilities

January 28, 2016

Description

A use after free/double free vulnerability can occur in libebml while parsing Track elements of the MKV container.

Tested Versions

libebml master branch

Product URLs

http://matroska.org

Details

In a specially crafted file, a Track element is added to the ElementList of both the Tracks element and the Track Entry element, which causes a double free when the Tracks and Track Entry objects are freed.

Technical information below:

Parsing of Track elements creates object dependencies in a following way:

+---------------+
|  Tracks       |
|               |
++---+----------+
 |   |
 |   |        +----------------+
 |   |        |                |
 |   +-------->   Track Entry  |
 |            |                |
 |            +--+-------------+
 |               |
 |               |     +----------------+
 |               |     |                |
 |               +----->   Track Video  |
 +--------------------->                |
                       +----------------+

Later in the code, each element of “Tracks” is freed by calling its respective destructor. The “Track Entry” destructor in turn frees all of its elements, thus freeing the “Track Video” element, which the loop in the “Tracks” element then tries to free again, causing the crash.

The initial freeing is triggered in EbmlMaster::Read:

EbmlElement * ElementLevelA;
// remove all existing elements, including the mandatory ones...
size_t Index;
for (Index=0; Index<ElementList.size(); Index++) {
  if (!(*ElementList[Index]).IsLocked()) {
    delete ElementList[Index];
  }
}
ElementList.clear();

This delete in turn triggers the EbmlMaster destructor:

EbmlMaster::~EbmlMaster()
{
  assert(!IsLocked()); // you're trying to delete a locked element !!!

  size_t Index;

  for (Index = 0; Index < ElementList.size(); Index++) {
    if (!(*ElementList[Index]).IsLocked())  {
      delete ElementList[Index];
    }
  }
}

A similar issue is present when parsing the TagTargets element, which gets added to the subelement lists of both the Tag and Tags elements.

A similar issue is present when parsing the CueTrackPositions element, which gets added to the subelement lists of both the CuePoints and Segment elements.
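The ownership graph from the diagram above, reduced to a small model so the failure mode and one defensive check can be seen in working code. This is an added example, not libebml's code: the Element, Master, PushElement and RunTrackScenario names are hypothetical, and the "single owner" check is one illustration of the invariant that each child pointer may sit in exactly one ElementList. The same invariant covers the TagTargets and CueTrackPositions cases described above.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <vector>

// Counts live element objects so a test can confirm that every element is
// destroyed exactly once (a double free would drive this below zero).
static int g_live_elements = 0;

// Minimal stand-in for an EBML element (hypothetical, not libebml's class).
class Element {
public:
    Element() { ++g_live_elements; }
    virtual ~Element() { --g_live_elements; }
    Element* Parent() const { return parent_; }
    void SetParent(Element* p) { parent_ = p; }
private:
    Element* parent_ = nullptr;  // the single master that owns this element
};

// Master element owning its children through a raw-pointer list, mirroring
// the ElementList / destructor loop quoted from EbmlMaster above.
class Master : public Element {
public:
    ~Master() override {
        for (Element* e : children_) delete e;  // each child freed once by its sole owner
    }

    // Ownership check: refuse to take an element that already belongs to a
    // different master, or that is already in this list. Without this check,
    // two lists hold the same pointer and both destructors delete it.
    bool PushElement(Element* e) {
        if (e->Parent() != nullptr && e->Parent() != this) return false;
        if (std::find(children_.begin(), children_.end(), e) != children_.end()) return false;
        e->SetParent(this);
        children_.push_back(e);
        return true;
    }

    std::size_t Size() const { return children_.size(); }

private:
    std::vector<Element*> children_;
};

struct ScenarioResult {
    bool second_owner_rejected;   // the crafted-file attempt to add Track Video to Tracks
    std::size_t tracks_children;  // Tracks should own only Track Entry
    std::size_t entry_children;   // Track Entry should own only Track Video
    int live_after_free;          // 0 when every element was freed exactly once
};

// Builds Tracks -> Track Entry -> Track Video, then replays the malformed
// input's attempt to register Track Video under Tracks as well, and finally
// tears the tree down the way EbmlMaster's destructor loop does.
ScenarioResult RunTrackScenario() {
    ScenarioResult r{};
    Master* tracks = new Master;
    Master* entry = new Master;
    Element* video = new Element;

    tracks->PushElement(entry);
    entry->PushElement(video);

    // Constructed malformed input: the same Track Video pointer offered to a
    // second master. The check rejects it instead of creating two owners.
    r.second_owner_rejected = !tracks->PushElement(video);
    r.tracks_children = tracks->Size();
    r.entry_children = entry->Size();

    delete tracks;  // frees entry, which frees video; nothing is freed twice
    r.live_after_free = g_live_elements;
    return r;
}

int main() {
    ScenarioResult r = RunTrackScenario();
    std::printf("second owner rejected: %d, live after free: %d\n",
                r.second_owner_rejected ? 1 : 0, r.live_after_free);
    return 0;
}
```

Run as a single translation unit; the live-object counter is the detection signal a harness such as AddressSanitizer would otherwise provide at the second delete.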

Credit

Discovered by Richard Johnson and Aleksandar Nikolic of Cisco Talos.
