strukturag/libde265

NULL Pointer Dereference in function put_unweighted_pred_16_fallback at fallback-motion.cc:179

Closed this issue · 2 comments

Description

NULL Pointer Dereference in function put_unweighted_pred_16_fallback at fallback-motion.cc:179

Version

git log
commit 7ea8e3cbb010bc02fa38419e87ed2281d7933850 (HEAD -> master, origin/master, origin/HEAD)
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Sat Jan 28 15:03:34 2023 +0100

Steps to reproduce

git clone https://github.com/strukturag/libde265.git
cd libde265
./autogen.sh
export CFLAGS="-g -O0 -lpthread -fsanitize=address"
export CXXFLAGS="-g -O0 -lpthread -fsanitize=address"
export LDFLAGS="-fsanitize=address"
./configure --disable-shared
make -j
cd dec265
./dec265 ./poc_segv09.bin
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: slice header invalid
WARNING: CTB outside of image area (concealing stream error...)
WARNING: slice header invalid
WARNING: slice header invalid
WARNING: faulty reference picture list
WARNING: maximum number of reference pictures exceeded
WARNING: faulty reference picture list
WARNING: maximum number of reference pictures exceeded
WARNING: faulty reference picture list
WARNING: slice header invalid
WARNING: non-existing PPS referenced
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3774965==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5555555e7237 bp 0x7ffffffe28d0 sp 0x7ffffffe2880 T0)
==3774965==The signal is caused by a WRITE memory access.
==3774965==Hint: address points to the zero page.
    #0 0x5555555e7236 in put_unweighted_pred_16_fallback(unsigned short*, long, short const*, long, int, int, int) /home/fuzz/libde265/libde265/fallback-motion.cc:179
    #1 0x5555557b9ed3 in acceleration_functions::put_unweighted_pred(void*, long, short const*, long, int, int, int) const ../libde265/acceleration.h:262
    #2 0x5555557a2a90 in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) /home/fuzz/libde265/libde265/motion.cc:611
    #3 0x5555557b973e in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /home/fuzz/libde265/libde265/motion.cc:2155
    #4 0x555555683316 in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4136
    #5 0x5555556878c1 in read_coding_unit(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4497
    #6 0x555555689e17 in read_coding_quadtree(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4652
    #7 0x555555672a97 in read_coding_tree_unit(thread_context*) /home/fuzz/libde265/libde265/slice.cc:2861
    #8 0x55555568af7b in decode_substream(thread_context*, bool, bool) /home/fuzz/libde265/libde265/slice.cc:4741
    #9 0x55555568ea3f in read_slice_segment_data(thread_context*) /home/fuzz/libde265/libde265/slice.cc:5054
    #10 0x55555558c205 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /home/fuzz/libde265/libde265/decctx.cc:852
    #11 0x55555558d6c0 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /home/fuzz/libde265/libde265/decctx.cc:954
    #12 0x55555558a7dc in decoder_context::decode_some(bool*) /home/fuzz/libde265/libde265/decctx.cc:739
    #13 0x555555589efc in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /home/fuzz/libde265/libde265/decctx.cc:697
    #14 0x55555559070e in decoder_context::decode_NAL(NAL_unit*) /home/fuzz/libde265/libde265/decctx.cc:1239
    #15 0x555555592354 in decoder_context::decode(int*) /home/fuzz/libde265/libde265/decctx.cc:1327
    #16 0x55555557cffa in de265_decode /home/fuzz/libde265/libde265/de265.cc:362
    #17 0x555555577b2f in main /home/fuzz/libde265/dec265/dec265.cc:764
    #18 0x7ffff7046082 in __libc_start_main ../csu/libc-start.c:308
    #19 0x5555555712ed in _start (/home/fuzz/libde265/dec265/dec265+0x1d2ed)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/fuzz/libde265/libde265/fallback-motion.cc:179 in put_unweighted_pred_16_fallback(unsigned short*, long, short const*, long, int, int, int)
==3774965==ABORTING

POC

poc_segv09.bin

GDB

gdb --args ./dec265 ./poc_segv09.bin

─── Output/messages ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: slice header invalid
WARNING: CTB outside of image area (concealing stream error...)
WARNING: slice header invalid
WARNING: slice header invalid
WARNING: faulty reference picture list
WARNING: maximum number of reference pictures exceeded
WARNING: faulty reference picture list
WARNING: maximum number of reference pictures exceeded
WARNING: faulty reference picture list
WARNING: slice header invalid
WARNING: non-existing PPS referenced

Program received signal SIGSEGV, Segmentation fault.
0x00005555555e7237 in put_unweighted_pred_16_fallback (dst=0x0, dststride=0, src=0x7ffffffe6c00, srcstride=8, width=8, height=8, bit_depth=10) at fallback-motion.cc:179
179           out[0] = Clip_BitDepth((in[0] + offset1)>>shift1, bit_depth);
─── Assembly ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 0x00005555555e7226  put_unweighted_pred_16_fallback(unsigned short*, long, short const*, long, int, int, int)+1689 test   %sil,%sil
 0x00005555555e7229  put_unweighted_pred_16_fallback(unsigned short*, long, short const*, long, int, int, int)+1692 je     0x5555555e7233 <put_unweighted_pred_16_fallback(unsigned short*, long, short const*, long, int, int, int)+1702>
 0x00005555555e722b  put_unweighted_pred_16_fallback(unsigned short*, long, short const*, long, int, int, int)+1694 mov    %rdx,%rdi
 0x00005555555e722e  put_unweighted_pred_16_fallback(unsigned short*, long, short const*, long, int, int, int)+1697 callq  0x555555570ef0 <__asan_report_store2@plt>
 0x00005555555e7233  put_unweighted_pred_16_fallback(unsigned short*, long, short const*, long, int, int, int)+1702 mov    -0x8(%rbp),%rdx
 0x00005555555e7237  put_unweighted_pred_16_fallback(unsigned short*, long, short const*, long, int, int, int)+1706 mov    %cx,(%rdx)
 0x00005555555e723a  put_unweighted_pred_16_fallback(unsigned short*, long, short const*, long, int, int, int)+1709 mov    -0x10(%rbp),%rdx
 0x00005555555e723e  put_unweighted_pred_16_fallback(unsigned short*, long, short const*, long, int, int, int)+1713 lea    0x2(%rdx),%rsi
 0x00005555555e7242  put_unweighted_pred_16_fallback(unsigned short*, long, short const*, long, int, int, int)+1717 mov    %rsi,%rdx
 0x00005555555e7245  put_unweighted_pred_16_fallback(unsigned short*, long, short const*, long, int, int, int)+1720 mov    %rdx,%rcx
─── Registers ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     rax 0x000055555581d520        rbx 0x00007ffffffeed20     rcx 0x0000000000000000     rdx 0x0000000000000000     rsi 0x0000000000000000     rdi 0x0000000000000000     rbp 0x00007ffffffe2880     rsp 0x00007ffffffe2830
      r8 0x0000000000000001         r9 0x0000000000000008     r10 0x00005555555e6b8d     r11 0x0000000000000020     r12 0x000055555581d520     r13 0x0000000000000010     r14 0x00000fffffffc54c     r15 0x00007ffffffe2a60
     rip 0x00005555555e7237     eflags [ PF ZF IF RF ]         cs 0x00000033              ss 0x0000002b              ds 0x00000000              es 0x00000000              fs 0x00000000              gs 0x00000000        
─── Source ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 174    for (int y=0;y<height;y++) {
 175      const int16_t* in  = &src[y*srcstride];
 176      uint16_t* out = &dst[y*dststride];
 177  
 178      for (int x=0;x<width;x+=2) {
 179        out[0] = Clip_BitDepth((in[0] + offset1)>>shift1, bit_depth);
 180        out[1] = Clip_BitDepth((in[1] + offset1)>>shift1, bit_depth);
 181        out+=2; in+=2;
 182      }
 183    }
─── Stack ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[0] from 0x00005555555e7237 in put_unweighted_pred_16_fallback(unsigned short*, long, short const*, long, int, int, int)+1706 at fallback-motion.cc:179
[1] from 0x00005555557b9ed4 in acceleration_functions::put_unweighted_pred(void*, long, short const*, long, int, int, int) const+484 at ../libde265/acceleration.h:262
[2] from 0x00005555557a2a91 in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*)+22773 at motion.cc:611
[3] from 0x00005555557b973f in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int)+496 at motion.cc:2155
[4] from 0x0000555555683317 in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int)+2790 at slice.cc:4136
[5] from 0x00005555556878c2 in read_coding_unit(thread_context*, int, int, int, int)+14437 at slice.cc:4497
[6] from 0x0000555555689e18 in read_coding_quadtree(thread_context*, int, int, int, int)+3873 at slice.cc:4652
[7] from 0x0000555555672a98 in read_coding_tree_unit(thread_context*)+1351 at slice.cc:2861
[8] from 0x000055555568af7c in decode_substream(thread_context*, bool, bool)+4333 at slice.cc:4741
[9] from 0x000055555568ea40 in read_slice_segment_data(thread_context*)+1762 at slice.cc:5054
[+]
─── Threads ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[1] id 3779666 name dec265 from 0x00005555555e7237 in put_unweighted_pred_16_fallback(unsigned short*, long, short const*, long, int, int, int)+1706 at fallback-motion.cc:179
─── Variables ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
arg dst = 0x0: Cannot access memory at address 0x0, dststride = 0, src = 0x7ffffffe6c00: 0, srcstride = 8, width = 8, height = 8, bit_depth = 10
loc x = 0, in = 0x7ffffffe6c00: 0, out = 0x0: Cannot access memory at address 0x0, y = 0, shift1 = 4, offset1 = 8, __PRETTY_FUNCTION__ = "void put_unweighted_pred_16_fallback(uint16_t*, ptrdiff_t, const int16_t*, ptrdiff_t, int, int, int…
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
>>> 

Impact

This vulnerability is capable of crashing software, causing a denial of service via a crafted input file.
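As an added illustration, not code from libde265 or from the reporter: the unchecked kernel shown in the Source panel above, placed beside a guarded entry point that rejects the dst=0x0, dststride=0 arguments seen in the GDB frame instead of writing to the zero page. The guard function, its return codes and demo_sample are assumptions for this example and are not the upstream fix in 48eb7da; shift1 and offset1 are derived from bit_depth and match the Variables panel (4 and 8 for 10-bit).

```c
#include <stddef.h>
#include <stdint.h>

// Clip to the sample range of the given bit depth (0 .. 2^bit_depth - 1).
static inline uint16_t clip_bitdepth(int v, int bit_depth) {
  const int maxval = (1 << bit_depth) - 1;
  return (uint16_t)(v < 0 ? 0 : (v > maxval ? maxval : v));
}

// The unchecked kernel, mirroring fallback-motion.cc:174-183. With dst == NULL
// and dststride == 0 (the GDB frame above) the first store hits the zero page.
static void put_unweighted_pred_16(uint16_t *dst, ptrdiff_t dststride,
                                   const int16_t *src, ptrdiff_t srcstride,
                                   int width, int height, int bit_depth) {
  const int shift1  = 14 - bit_depth;                      // 4 for 10-bit
  const int offset1 = shift1 > 0 ? 1 << (shift1 - 1) : 0;  // 8 for 10-bit
  for (int y = 0; y < height; y++) {
    const int16_t *in = &src[y * srcstride];
    uint16_t *out = &dst[y * dststride];
    for (int x = 0; x < width; x += 2) {
      out[0] = clip_bitdepth((in[0] + offset1) >> shift1, bit_depth);
      out[1] = clip_bitdepth((in[1] + offset1) >> shift1, bit_depth);
      out += 2; in += 2;
    }
  }
}

// Guarded entry point (an assumed design, not the upstream fix): reject the
// call when the destination plane is missing or its stride cannot hold a row.
// Returns 0 on success, -1 when rejected, so the caller can conceal the error.
int put_unweighted_pred_16_checked(uint16_t *dst, ptrdiff_t dststride,
                                   const int16_t *src, ptrdiff_t srcstride,
                                   int width, int height, int bit_depth) {
  if (dst == NULL || src == NULL) return -1;
  if (width <= 0 || height <= 0 || (width & 1)) return -1;
  if (dststride < width || srcstride < width) return -1;
  if (bit_depth < 8 || bit_depth > 14) return -1;
  put_unweighted_pred_16(dst, dststride, src, srcstride, width, height, bit_depth);
  return 0;
}

// Runs the guarded kernel on a constructed 8x8 block of 10-bit intermediates
// and returns the output sample at (x, y); -1 if the call was rejected.
int demo_sample(int16_t fill, int x, int y) {
  int16_t src[8 * 8];
  uint16_t dst[8 * 8];
  for (int i = 0; i < 64; i++) src[i] = fill;
  if (put_unweighted_pred_16_checked(dst, 8, src, 8, 8, 8, 10) != 0) return -1;
  return dst[y * 8 + x];
}
```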

Fixed in 48eb7da.

Thank you for the current batch :-)

According to the Debian security tracker, this is CVE-2023-24757