strukturag/libde265

NULL Pointer Dereference in function ff_hevc_put_hevc_epel_pixels_8_sse at sse-motion.cc:968


Description

NULL Pointer Dereference in function ff_hevc_put_hevc_epel_pixels_8_sse at sse-motion.cc:968

Version

git log
commit 1cf2999583ef8a90e11933ed70908e4e2c2d8872 (HEAD -> master, origin/master, origin/HEAD)

Steps to reproduce

git clone https://github.com/strukturag/libde265.git
cd libde265
./autogen.sh
export CFLAGS="-g -O0 -lpthread -fsanitize=address"
export CXXFLAGS="-g -O0 -lpthread -fsanitize=address"
export LDFLAGS="-fsanitize=address"
./configure --disable-shared
make -j
cd dec265
./dec265 ./poc_segv01.bin
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: coded parameter out of range
AddressSanitizer:DEADLYSIGNAL
=================================================================
==7394==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x561be828c36c bp 0x000000000000 sp 0x7ffe3413f310 T0)
==7394==The signal is caused by a READ memory access.
==7394==Hint: address points to the zero page.
    #0 0x561be828c36b in _mm_loadu_si128(long long __vector(2) const*) /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:703
    #1 0x561be828c36b in ff_hevc_put_hevc_epel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, int, int, short*) /home/fuzz/libde265/libde265/x86/sse-motion.cc:968
    #2 0x561be83306ab in acceleration_functions::put_hevc_epel(short*, long, void const*, long, int, int, int, int, short*, int) const ../libde265/acceleration.h:296
    #3 0x561be83306ab in void mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) /home/fuzz/libde265/libde265/motion.cc:205
    #4 0x561be8327067 in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) /home/fuzz/libde265/libde265/motion.cc:412
    #5 0x561be8327edd in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /home/fuzz/libde265/libde265/motion.cc:2141
    #6 0x561be8213601 in read_coding_unit(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4314
    #7 0x561be821c2e1 in read_coding_quadtree(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4652
    #8 0x561be821bd61 in read_coding_quadtree(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4635
    #9 0x561be821bd61 in read_coding_quadtree(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4635
    #10 0x561be821e3db in decode_substream(thread_context*, bool, bool) /home/fuzz/libde265/libde265/slice.cc:4741
    #11 0x561be82210c2 in read_slice_segment_data(thread_context*) /home/fuzz/libde265/libde265/slice.cc:5054
    #12 0x561be812a487 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /home/fuzz/libde265/libde265/decctx.cc:852
    #13 0x561be812dca0 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /home/fuzz/libde265/libde265/decctx.cc:954
    #14 0x561be812e934 in decoder_context::decode_some(bool*) /home/fuzz/libde265/libde265/decctx.cc:739
    #15 0x561be81321c7 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /home/fuzz/libde265/libde265/decctx.cc:697
    #16 0x561be813362c in decoder_context::decode_NAL(NAL_unit*) /home/fuzz/libde265/libde265/decctx.cc:1239
    #17 0x561be8134df5 in decoder_context::decode(int*) /home/fuzz/libde265/libde265/decctx.cc:1327
    #18 0x561be80f9f9d in main /home/fuzz/libde265/dec265/dec265.cc:764
    #19 0x7f8b26075082 in __libc_start_main ../csu/libc-start.c:308
    #20 0x561be80fe0dd in _start (/home/fuzz/libde265/dec265/dec265+0x240dd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:703 in _mm_loadu_si128(long long __vector(2) const*)
==7394==ABORTING

POC

poc_segv01.bin

GDB

gdb --args ./dec265 ./poc_segv01.bin

─── Output/messages ───
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: coded parameter out of range

Program received signal SIGSEGV, Segmentation fault.
_mm_loadu_si128(long long __vector(2) const*) (__P=<optimized out>) at /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:1006
1006      return (__m128i)__builtin_ia32_punpcklbw128 ((__v16qi)__A, (__v16qi)__B);
─── Assembly ───
 0x0000555555706359  _mm_loadu_si128(long long __vector(2) const*)+79  setle  %r11b
 0x000055555570635d  _mm_loadu_si128(long long __vector(2) const*)+83  test   %dil,%dil
 0x0000555555706360  _mm_loadu_si128(long long __vector(2) const*)+86  setne  %al
 0x0000555555706363  _mm_loadu_si128(long long __vector(2) const*)+89  test   %al,%r11b
 0x0000555555706366  _mm_loadu_si128(long long __vector(2) const*)+92  jne    0x555555706fad <ff_hevc_put_hevc_epel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, int, int, short*)+3613>
 0x000055555570636c  _mm_loadu_si128(long long __vector(2) const*)+98  movdqu (%r9),%xmm10
 0x0000555555706371  _mm_loadu_si128(long long __vector(2) const*)+103 mov    %r10,%rdi
 0x0000555555706374  _mm_loadu_si128(long long __vector(2) const*)+106 shr    $0x3,%rdi
 0x0000555555706378  _mm_loadu_si128(long long __vector(2) const*)+110 movdqa %xmm10,%xmm11
 0x000055555570637d  _mm_loadu_si128(long long __vector(2) const*)+115 cmpw   $0x0,0x7fff8000(%rdi)
─── Registers ───
      rax 0x0000000000000000       rbx 0x0000000000000000       rcx 0xffffffffffffffe0      rdx 0x00005555557f0fc0      rsi 0x0000000000000000         rdi 0x0000000000000000
      rbp 0x0000000000000000       rsp 0x00007ffffffde670        r8 0x0000000000000010       r9 0x0000000000000000      r10 0x00007ffffffe6520         r11 0x0000000000000001
      r12 0x00007ffffffe6520       r13 0x0000000000000000       r14 0x0000000000000010      r15 0x0000000000000000      rip 0x000055555570636c      eflags [ PF ZF IF RF ]
       cs 0x00000033                ss 0x0000002b                ds 0x00000000               es 0x00000000               fs 0x00000000                  gs 0x00000000
─── Source ───
 1001  }
 1002  
 1003  extern __inline __m128i __attribute__((__gnu_inline__, __always_inline__, __artificial__))
 1004  _mm_unpacklo_epi8 (__m128i __A, __m128i __B)
 1005  {
 1006    return (__m128i)__builtin_ia32_punpcklbw128 ((__v16qi)__A, (__v16qi)__B);
 1007  }
 1008  
 1009  extern __inline __m128i __attribute__((__gnu_inline__, __always_inline__, __artificial__))
 1010  _mm_unpacklo_epi16 (__m128i __A, __m128i __B)
─── Stack ───
[0] from 0x000055555570636c in _mm_loadu_si128(long long __vector(2) const*)+98 at /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:1006
[1] from 0x000055555570636c in ff_hevc_put_hevc_epel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, int, int, short*)+476 at sse-motion.cc:968
[2] from 0x00005555557aa6ac in acceleration_functions::put_hevc_epel(short*, long, void const*, long, int, int, int, int, short*, int) const+182 at ../libde265/acceleration.h:296
[3] from 0x00005555557aa6ac in mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int)+7260 at motion.cc:205
[4] from 0x00005555557a1068 in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*)+26328 at ../libde265/image.h:301
[5] from 0x00005555557a1ede in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int)+446 at motion.cc:2141
[6] from 0x000055555568d602 in read_coding_unit(thread_context*, int, int, int, int)+8402 at slice.cc:4314
[7] from 0x00005555556962e2 in read_coding_quadtree(thread_context*, int, int, int, int)+2834 at slice.cc:4652
[8] from 0x0000555555695d62 in read_coding_quadtree(thread_context*, int, int, int, int)+1426 at slice.cc:4635
[9] from 0x0000555555695d62 in read_coding_quadtree(thread_context*, int, int, int, int)+1426 at slice.cc:4635
─── Threads ───
[1] id 7387 name dec265 from 0x000055555570636c in _mm_loadu_si128(long long __vector(2) const*)+98 at /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:1006
─── Variables ───
arg __P = <optimized out>
loc x = <optimized out>, y = 0, x1 = Cannot access memory at address 0x0, x2 = <optimized out>, src = 0x0: Cannot access memory at address 0x0

Impact

A crafted input file drives the decoder into reading from a NULL source pointer (src = 0x0 in the GDB frame above, loaded by the movdqu at sse-motion.cc:968), so the process crashes: a denial of service against any application that decodes untrusted HEVC streams with this library.

Thank you.