heap-buffer-overflow (libde265/build/libde265/libde265.so+0x2b6bbb) in ff_hevc_put_hevc_qpel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, short*)
Closed this issue · 7 comments
Description
heap-buffer-overflow (libde265/build/libde265/libde265.so+0x2b6bbb) in ff_hevc_put_hevc_qpel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, short*)
Version info
dec265 v1.0.9
--------------
usage: dec265 [options] videofile.bin
The video file must be a raw bitstream, or a stream with NAL units (option -n).
options:
-q, --quiet do not show decoded image
-t, --threads N set number of worker threads (0 - no threading)
-c, --check-hash perform hash check
-n, --nal input is a stream with 4-byte length prefixed NAL units
-f, --frames N set number of frames to process
-o, --output write YUV reconstruction
-d, --dump dump headers
-0, --noaccel do not use any accelerated code (SSE)
-v, --verbose increase verbosity level (up to 3 times)
-L, --no-logging disable logging
-B, --write-bytestream FILENAME write raw bytestream (from NAL input)
-m, --measure YUV compute PSNRs relative to reference YUV
-T, --highest-TID select highest temporal sublayer to decode
--disable-deblocking disable deblocking filter
--disable-sao disable sample-adaptive offset filter
-h, --help show help
Reproduce
git clone https://github.com/strukturag/libde265.git
cd libde265
mkdir build
cd build
cmake ../ -DCMAKE_CXX_FLAGS="-fsanitize=address"
make -j$(nproc)
./dec265/dec265 653.bin
ASAN
WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
WARNING: non-existing PPS referenced
WARNING: maximum number of reference pictures exceeded
WARNING: faulty reference picture list
WARNING: maximum number of reference pictures exceeded
WARNING: faulty reference picture list
WARNING: maximum number of reference pictures exceeded
WARNING: faulty reference picture list
WARNING: maximum number of reference pictures exceeded
WARNING: faulty reference picture list
WARNING: CTB outside of image area (concealing stream error...)
WARNING: maximum number of reference pictures exceeded
WARNING: faulty reference picture list
WARNING: non-existing PPS referenced
WARNING: CTB outside of image area (concealing stream error...)
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: CTB outside of image area (concealing stream error...)
WARNING: maximum number of reference pictures exceeded
=================================================================
==733371==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00000d190 at pc 0x7f929c8bfbbc bp 0x7ffcdcf97080 sp 0x7ffcdcf97070
READ of size 16 at 0x61b00000d190 thread T0
#0 0x7f929c8bfbbb in ff_hevc_put_hevc_qpel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, short*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x2b6bbb)
#1 0x7f929c7b249f in acceleration_functions::put_hevc_qpel(short*, long, void const*, long, int, int, short*, int, int, int) const (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1a949f)
#2 0x7f929c7b35a7 in void mc_luma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1aa5a7)
#3 0x7f929c7a4a8b in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x19ba8b)
#4 0x7f929c7b1a2e in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1a8a2e)
#5 0x7f929c7ef80b in read_coding_unit(thread_context*, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e680b)
#6 0x7f929c7f1762 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e8762)
#7 0x7f929c7f1675 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e8675)
#8 0x7f929c7f1610 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e8610)
#9 0x7f929c7f15a3 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e85a3)
#10 0x7f929c7e8d49 in read_coding_tree_unit(thread_context*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1dfd49)
#11 0x7f929c7f1f06 in decode_substream(thread_context*, bool, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e8f06)
#12 0x7f929c7f3c3f in read_slice_segment_data(thread_context*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1eac3f)
#13 0x7f929c746e6f in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13de6f)
#14 0x7f929c747673 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13e673)
#15 0x7f929c746311 in decoder_context::decode_some(bool*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13d311)
#16 0x7f929c74605b in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13d05b)
#17 0x7f929c748be6 in decoder_context::decode_NAL(NAL_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13fbe6)
#18 0x7f929c74924c in decoder_context::decode(int*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x14024c)
#19 0x7f929c72f3f2 in de265_decode (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1263f2)
#20 0x5613fc1319a5 in main (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x79a5)
#21 0x7f929c0d7d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#22 0x7f929c0d7e3f in __libc_start_main_impl ../csu/libc-start.c:392
#23 0x5613fc12f7c4 in _start (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x57c4)
0x61b00000d190 is located 0 bytes to the right of 1552-byte region [0x61b00000cb80,0x61b00000d190)
allocated by thread T0 here:
#0 0x7f929ca5755c in __interceptor_posix_memalign ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:226
#1 0x7f929c78aa61 in ALLOC_ALIGNED(unsigned long, unsigned long) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x181a61)
#2 0x7f929c78b202 in de265_image_get_buffer(void*, de265_image_spec*, de265_image*, void*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x182202)
#3 0x7f929c78d66b in de265_image::alloc_image(int, int, de265_chroma, std::shared_ptr<seq_parameter_set const>, bool, decoder_context*, long, void*, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x18466b)
#4 0x7f929c7709fa in decoded_picture_buffer::new_image(std::shared_ptr<seq_parameter_set const>, decoder_context*, long, void*, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1679fa)
#5 0x7f929c749fd4 in decoder_context::generate_unavailable_reference_picture(seq_parameter_set const*, int, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x140fd4)
#6 0x7f929c74cee1 in decoder_context::process_reference_picture_set(slice_segment_header*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x143ee1)
#7 0x7f929c75046a in decoder_context::process_slice_segment_header(slice_segment_header*, de265_error*, long, nal_header*, void*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x14746a)
#8 0x7f929c745970 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13c970)
#9 0x7f929c748be6 in decoder_context::decode_NAL(NAL_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13fbe6)
#10 0x7f929c74924c in decoder_context::decode(int*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x14024c)
#11 0x7f929c72f3f2 in de265_decode (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1263f2)
#12 0x5613fc1319a5 in main (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x79a5)
#13 0x7f929c0d7d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x2b6bbb) in ff_hevc_put_hevc_qpel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, short*)
Shadow bytes around the buggy address:
0x0c367fff99e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fff99f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fff9a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fff9a10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fff9a20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c367fff9a30: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fff9a40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fff9a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fff9a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fff9a70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fff9a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==733371==ABORTING
POC
Impact
Potentially causing DoS and RCE
Credit
Xdchase
Not yet
Does not segfault anymore with the recent fixes (current: 9737c3e).
Now stops with an assertion:
dec265: libde265/image.h:121: const DataUnit& MetaDataArray<DataUnit>::get(int, int) const [with DataUnit = CB_ref_info]: Assertion `unitX >= 0 && unitX < width_in_units' failed.
Aborted (core dumped)
Assertions will not be available in release builds, so this will still trigger the overflow. Even if it would assert, you could cause a service to core dump by uploading such a file, leading to a denial of service.
IMHO would be better to handle this more gracefully.
The assertion disappeared with 5583f98. Apparently, it was triggered by my debug output only...
The Debian security tracker thinks this is: CVE-2022-47664