You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
after adding a negative number the src will be somewhere before the mmaped area, therefore we can write anything before the mmaped area, there are libc before it, so if we can designed the added value, we can gain a code execution.
summary:
interger overflow at the function restore_tqb_pixels of hevc_filter.c
an heapoverflow bug which could lead to execute code in libbpg
interger overflow at hevc_filter.c:225
uint8_t *src = src1 + (((y - y0) << s->sps->log2_min_pu_size) >> vshift) * stride_src + ((((x - x0) << s->sps->log2_min_pu_size) >> hshift) << s->sps->pixel_shift);after adding a negative number the src will be somewhere before the mmaped area, therefore we can write anything before the mmaped area, there are libc before it, so if we can designed the added value, we can gain a code execution.
summary:
interger overflow at the function restore_tqb_pixels of hevc_filter.c
execute method:
./bpgdec poc -o /dev/null
asan
https://drive.google.com/open?id=1J3hTt8XHz7u7QDSNYxEuwFZTO6Baggl0
poc
https://drive.google.com/open?id=1bBD0fwywFycp3BbvA0XjcKw4P5pjdd23
The text was updated successfully, but these errors were encountered: