libde265 1.0.8, was discovered to contain a heap-buffer-overflow in put_epel_16_fallback (fallback-motion.cc) in strukturag/libde265

Valid

Reported on

Apr 8th 2022

Description

libde265 1.0.8, was discovered to contain a heap-buffer-overflow in put_epel_16_fallback (fallback-motion.cc)

ENV

  • Version : 1.0.8
  • Commit : 45904e5667c5bf59c67fcdc586dfba110832894c
  • OS : Ubuntu 18.04
  • Configure : cmake -DCMAKE_BUILD_TYPE=Debug -DCMAKE_CXX_COMPILER=clang++-10 -DCMAKE_CXX_FLAGS="-fsanitize=address" ../

POC

crash-0b5718988550fc7f644100bfc53004a4

https://github.com/salmonx/poc/raw/main/crash-0b5718988550fc7f644100bfc53004a4

BT

./dec265 crash-0b5718988550fc7f644100bfc53004a4
WARNING: CTB outside of image area (concealing stream error...)
WARNING: non-existing PPS referenced
WARNING: CTB outside of image area (concealing stream error...)
=================================================================
==39848==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e0000009a0 at pc 0x7f49515672a0 bp 0x7ffec35a8430 sp 0x7ffec35a8428
READ of size 2 at 0x60e0000009a0 thread T0
    #0 0x7f495156729f in put_epel_16_fallback(short*, long, unsigned short const*, long, int, int, int, int, short*, int) /work/fuzz/soft/libde265-master/libde265/fallback-motion.cc:289:12
    #1 0x7f49515b5f72 in acceleration_functions::put_hevc_epel(short*, long, void const*, long, int, int, int, int, short*, int) const /work/fuzz/soft/libde265-master/libde265/acceleration.h:298:5
    #2 0x7f49515b3bf4 in void mc_chroma<unsigned short>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned short const*, int, int, int, int) /work/fuzz/soft/libde265-master/libde265/motion.cc:205:25
    #3 0x7f495159e76d in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) /work/fuzz/soft/libde265-master/libde265/motion.cc:380:11
    #4 0x7f49515b13d4 in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /work/fuzz/soft/libde265-master/libde265/motion.cc:2107:3
    #5 0x7f495160711d in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int) /work/fuzz/soft/libde265-master/libde265/slice.cc:4136:3
    #6 0x7f495160902c in read_coding_unit(thread_context*, int, int, int, int) /work/fuzz/soft/libde265-master/libde265/slice.cc:4497:9
    #7 0x7f49515fdd8f in read_coding_quadtree(thread_context*, int, int, int, int) /work/fuzz/soft/libde265-master/libde265/slice.cc:4652:5
    #8 0x7f49515fdaf0 in read_coding_quadtree(thread_context*, int, int, int, int) /work/fuzz/soft/libde265-master/libde265/slice.cc:4635:5
    #9 0x7f49515fdaf0 in read_coding_quadtree(thread_context*, int, int, int, int) /work/fuzz/soft/libde265-master/libde265/slice.cc:4635:5
    #10 0x7f49515fdaf0 in read_coding_quadtree(thread_context*, int, int, int, int) /work/fuzz/soft/libde265-master/libde265/slice.cc:4635:5
    #11 0x7f49515fd504 in read_coding_tree_unit(thread_context*) /work/fuzz/soft/libde265-master/libde265/slice.cc:2861:3
    #12 0x7f495160ba1c in decode_substream(thread_context*, bool, bool) /work/fuzz/soft/libde265-master/libde265/slice.cc:4741:5
    #13 0x7f495160e350 in read_slice_segment_data(thread_context*) /work/fuzz/soft/libde265-master/libde265/slice.cc:5054:14
    #14 0x7f495151d47c in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /work/fuzz/soft/libde265-master/libde265/decctx.cc:852:7
    #15 0x7f495151c12b in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /work/fuzz/soft/libde265-master/libde265/decctx.cc:954:11
    #16 0x7f495151b533 in decoder_context::decode_some(bool*) /work/fuzz/soft/libde265-master/libde265/decctx.cc:739:13
    #17 0x7f4951519866 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /work/fuzz/soft/libde265-master/libde265/decctx.cc:697:9
    #18 0x7f495151f548 in decoder_context::decode_NAL(NAL_unit*) /work/fuzz/soft/libde265-master/libde265/decctx.cc:1239:11
    #19 0x7f495151fe9e in decoder_context::decode(int*) /work/fuzz/soft/libde265-master/libde265/decctx.cc:1327:16
    #20 0x7f49514f4d74 in de265_decode /work/fuzz/soft/libde265-master/libde265/de265.cc:352:15
    #21 0x4c8e84 in main /work/fuzz/soft/libde265-master/dec265/dec265.cc:764:17
    #22 0x7f49500c0c86 in __libc_start_main /build/glibc-uZu3wS/glibc-2.27/csu/../csu/libc-start.c:310
    #23 0x41c4e9 in _start (/work/fuzz/soft/libde265-master/build_debug/dec265/dec265+0x41c4e9)

0x60e0000009a0 is located 16 bytes to the right of 144-byte region [0x60e000000900,0x60e000000990)
allocated by thread T0 here:
    #0 0x4956c7 in posix_memalign (/work/fuzz/soft/libde265-master/build_debug/dec265/dec265+0x4956c7)
    #1 0x7f49515751e7 in ALLOC_ALIGNED(unsigned long, unsigned long) /work/fuzz/soft/libde265-master/libde265/image.cc:55:9
    #2 0x7f4951575fbb in de265_image_get_buffer(void*, de265_image_spec*, de265_image*, void*) /work/fuzz/soft/libde265-master/libde265/image.cc:133:23
    #3 0x7f495157952a in de265_image::alloc_image(int, int, de265_chroma, std::shared_ptr<seq_parameter_set const>, bool, decoder_context*, long, void*, bool) /work/fuzz/soft/libde265-master/libde265/image.cc:385:25
    #4 0x7f495154ebe3 in decoded_picture_buffer::new_image(std::shared_ptr<seq_parameter_set const>, decoder_context*, long, void*, bool) /work/fuzz/soft/libde265-master/libde265/dpb.cc:262:8
    #5 0x7f4951521204 in decoder_context::generate_unavailable_reference_picture(seq_parameter_set const*, int, bool) /work/fuzz/soft/libde265-master/libde265/decctx.cc:1427:17
    #6 0x7f4951524b63 in decoder_context::process_reference_picture_set(slice_segment_header*) /work/fuzz/soft/libde265-master/libde265/decctx.cc:1656:30
    #7 0x7f495151ad25 in decoder_context::process_slice_segment_header(slice_segment_header*, de265_error*, long, nal_header*, void*) /work/fuzz/soft/libde265-master/libde265/decctx.cc:2075:7
    #8 0x7f4951519005 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /work/fuzz/soft/libde265-master/libde265/decctx.cc:648:7
    #9 0x7f495151f548 in decoder_context::decode_NAL(NAL_unit*) /work/fuzz/soft/libde265-master/libde265/decctx.cc:1239:11
    #10 0x7f495151fe9e in decoder_context::decode(int*) /work/fuzz/soft/libde265-master/libde265/decctx.cc:1327:16
    #11 0x7f49514f4d74 in de265_decode /work/fuzz/soft/libde265-master/libde265/de265.cc:352:15
    #12 0x4c8e84 in main /work/fuzz/soft/libde265-master/dec265/dec265.cc:764:17
    #13 0x7f49500c0c86 in __libc_start_main /build/glibc-uZu3wS/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow /work/fuzz/soft/libde265-master/libde265/fallback-motion.cc:289:12 in put_epel_16_fallback(short*, long, unsigned short const*, long, int, int, int, int, short*, int)
Shadow bytes around the buggy address:
  0x0c1c7fff80e0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c1c7fff80f0: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
  0x0c1c7fff8100: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff8110: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa fa
  0x0c1c7fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c1c7fff8130: 00 00 fa fa[fa]fa fa fa fa fa fa fa 00 00 00 00
  0x0c1c7fff8140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
  0x0c1c7fff8150: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c1c7fff8160: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
  0x0c1c7fff8170: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1c7fff8180: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==39848==ABORTING

Impact

crash or potential code execution

We are processing your report and will contact the strukturag/libde265 team within 24 hours. a year ago
salmonstriver modified the report
a year ago
We have contacted a member of the strukturag/libde265 team and are waiting to hear back a year ago
We have sent a follow up to the strukturag/libde265 team. We will try again in 7 days. a year ago
We have sent a second follow up to the strukturag/libde265 team. We will try again in 10 days. a year ago
We have sent a third and final follow up to the strukturag/libde265 team. This report is now considered stale. a year ago
Dirk Farin validated this vulnerability 2 months ago
salmonstriver has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Dirk Farin marked this as fixed in 1.0.10 with commit 9737c3 2 months ago
Dirk Farin has been awarded the fix bounty
This vulnerability will not receive a CVE
Dirk Farin published this vulnerability 2 months ago
to join this conversation