strukturag/libde265

heap-buffer-overflow in function derive_spatial_luma_vector_prediction at motion.cc:1894


Description

heap-buffer-overflow in function derive_spatial_luma_vector_prediction at motion.cc:1894

Version

git log
commit bfb6de155f9fb015d2904cb4ef07809f17995276 (HEAD -> master, origin/master, origin/HEAD)
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Sun Jan 29 12:20:48 2023 +0100

Steps to reproduce

git clone https://github.com/strukturag/libde265.git
cd libde265
./autogen.sh
export CFLAGS="-g -O0 -lpthread -fsanitize=address"
export CXXFLAGS="-g -O0 -lpthread -fsanitize=address"
export LDFLAGS="-fsanitize=address"
./configure --disable-shared
make -j
cd dec265
./dec265 ./poc_hbo01.bin
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: CTB outside of image area (concealing stream error...)
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: CTB outside of image area (concealing stream error...)
WARNING: CTB outside of image area (concealing stream error...)
WARNING: maximum number of reference pictures exceeded
WARNING: CTB outside of image area (concealing stream error...)
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: Too many warnings queued
=================================================================
==3163634==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00000ae1c at pc 0x5555557b561f bp 0x7ffffffee780 sp 0x7ffffffee770
READ of size 1 at 0x61b00000ae1c thread T0
    #0 0x5555557b561e in derive_spatial_luma_vector_prediction(base_context*, de265_image*, slice_segment_header const*, int, int, int, int, int, int, int, int, int, int, unsigned char*, MotionVector*) /home/fuzz/libde265/libde265/motion.cc:1894
    #1 0x5555557b708b in fill_luma_motion_vector_predictors(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, int, int, int, MotionVector*) /home/fuzz/libde265/libde265/motion.cc:1960
    #2 0x5555557b82d3 in luma_motion_vector_prediction(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int, int, int) /home/fuzz/libde265/libde265/motion.cc:2033
    #3 0x5555557b92d3 in motion_vectors_and_ref_indices(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int, PBMotion*) /home/fuzz/libde265/libde265/motion.cc:2119
    #4 0x5555557b982d in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /home/fuzz/libde265/libde265/motion.cc:2157
    #5 0x555555683316 in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4136
    #6 0x5555556878c1 in read_coding_unit(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4497
    #7 0x555555689e17 in read_coding_quadtree(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4652
    #8 0x555555672a97 in read_coding_tree_unit(thread_context*) /home/fuzz/libde265/libde265/slice.cc:2861
    #9 0x55555568af7b in decode_substream(thread_context*, bool, bool) /home/fuzz/libde265/libde265/slice.cc:4741
    #10 0x55555568ea3f in read_slice_segment_data(thread_context*) /home/fuzz/libde265/libde265/slice.cc:5054
    #11 0x55555558c205 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /home/fuzz/libde265/libde265/decctx.cc:852
    #12 0x55555558d6c0 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /home/fuzz/libde265/libde265/decctx.cc:954
    #13 0x55555558a7dc in decoder_context::decode_some(bool*) /home/fuzz/libde265/libde265/decctx.cc:739
    #14 0x555555589efc in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /home/fuzz/libde265/libde265/decctx.cc:697
    #15 0x55555559070e in decoder_context::decode_NAL(NAL_unit*) /home/fuzz/libde265/libde265/decctx.cc:1239
    #16 0x555555592354 in decoder_context::decode(int*) /home/fuzz/libde265/libde265/decctx.cc:1327
    #17 0x55555557cffa in de265_decode /home/fuzz/libde265/libde265/de265.cc:362
    #18 0x555555577b2f in main /home/fuzz/libde265/dec265/dec265.cc:764
    #19 0x7ffff7046082 in __libc_start_main ../csu/libc-start.c:308
    #20 0x5555555712ed in _start (/home/fuzz/libde265/dec265/dec265+0x1d2ed)

0x61b00000ae1c is located 20 bytes to the right of 1416-byte region [0x61b00000a880,0x61b00000ae08)
allocated by thread T0 here:
    #0 0x7ffff7692587 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:104
    #1 0x55555558858e in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /home/fuzz/libde265/libde265/decctx.cc:633
    #2 0x55555559070e in decoder_context::decode_NAL(NAL_unit*) /home/fuzz/libde265/libde265/decctx.cc:1239
    #3 0x555555592354 in decoder_context::decode(int*) /home/fuzz/libde265/libde265/decctx.cc:1327
    #4 0x55555557cffa in de265_decode /home/fuzz/libde265/libde265/de265.cc:362
    #5 0x555555577b2f in main /home/fuzz/libde265/dec265/dec265.cc:764
    #6 0x7ffff7046082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzz/libde265/libde265/motion.cc:1894 in derive_spatial_luma_vector_prediction(base_context*, de265_image*, slice_segment_header const*, int, int, int, int, int, int, int, int, int, int, unsigned char*, MotionVector*)
Shadow bytes around the buggy address:
  0x0c367fff9570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fff9580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fff9590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fff95a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fff95b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c367fff95c0: 00 fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fff95d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fff95e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fff95f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fff9600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fff9610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3163634==ABORTING

POC

poc_hbo01.bin

Impact

This vulnerability is capable of crashing software, bypassing protection mechanisms and modifying memory, and successful exploitation may lead to code execution.

Thank you.
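As an added triage helper, not part of this issue or of libde265, the POSIX shell script below reduces an AddressSanitizer report like the one above to a stable crash signature (bug class, access kind and size, top frame and file:line) so that repeated fuzzer findings of the same bug can be de-duplicated before filing, and cross-checks that the faulting address really is region end plus the reported offset. The embedded report excerpt is constructed from the trace in this issue with argument lists abbreviated; the function names and output format are this script's own.

```shell
#!/bin/sh
# Added triage helper (not libde265 code): turn an ASan report into a crash
# signature and sanity-check the "located N bytes to the right of" arithmetic.

# Constructed excerpt of the report above; argument lists are abbreviated.
asan_sample_report() {
  cat <<'EOF'
==3163634==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00000ae1c at pc 0x5555557b561f bp 0x7ffffffee780 sp 0x7ffffffee770
READ of size 1 at 0x61b00000ae1c thread T0
    #0 0x5555557b561e in derive_spatial_luma_vector_prediction(base_context*, de265_image*, ...) /home/fuzz/libde265/libde265/motion.cc:1894
    #1 0x5555557b708b in fill_luma_motion_vector_predictors(base_context*, ...) /home/fuzz/libde265/libde265/motion.cc:1960

0x61b00000ae1c is located 20 bytes to the right of 1416-byte region [0x61b00000a880,0x61b00000ae08)
allocated by thread T0 here:
    #0 0x7ffff7692587 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:104
    #1 0x55555558858e in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /home/fuzz/libde265/libde265/decctx.cc:633

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzz/libde265/libde265/motion.cc:1894 in derive_spatial_luma_vector_prediction(...)
EOF
}

# asan_signature FILE -> "bugclass|ACCESS size|function|basename:line"
# Only the first READ/WRITE line and the first "#0" frame (the faulting frame,
# not the allocation stack's "#0") contribute to the signature.
asan_signature() {
  awk '
    /^==[0-9]+==ERROR: AddressSanitizer: / { bug = $3 }
    /^(READ|WRITE) of size [0-9]+/ && access == "" { access = $1 " " $4 }
    /^ *#0 / && frame == "" {
      fn = $4; sub(/\(.*/, "", fn)          # drop the C++ parameter list
      loc = $NF; sub(/.*\//, "", loc)       # keep basename:line only
      frame = fn "|" loc
    }
    END { print bug "|" access "|" frame }' "$1"
}

# asan_region_check FILE -> "ok" if the faulting address equals region end +
# offset (right-side overflow) or region start - offset (left side), else
# "mismatch"; "noregion" if the report carries no region line.
asan_region_check() {
  set -- $(awk '/ is located / {
      reg = $12; sub(/^\[/, "", reg); sub(/\)$/, "", reg); split(reg, r, ",")
      print $1, $4, $8, r[1], r[2]; exit }' "$1")
  [ $# -eq 5 ] || { echo "noregion"; return 1; }
  addr=$(( $1 )); off=$2; side=$3; lo=$(( $4 )); hi=$(( $5 ))
  if [ "$side" = right ]; then want=$(( hi + off )); else want=$(( lo - off )); fi
  [ "$addr" -eq "$want" ] && echo ok || echo mismatch
}

# Stand-alone usage: triage a real log given as $1, or the constructed sample.
log=${1:-}
if [ -z "$log" ]; then log=$(mktemp); asan_sample_report > "$log"; fi
echo "signature: $(asan_signature "$log")"
echo "address arithmetic: $(asan_region_check "$log")"
```

Run it against the saved output of `./dec265 ./poc_hbo01.bin 2>&1` to get the signature line; two POC files that yield the same signature are almost certainly the same bug and need only one report.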

According to the Debian security tracker, this is CVE-2023-25221