Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

heap-buffer-overflow in mc_luma when decoding file #239

Closed
leonzhao7 opened this issue Dec 24, 2019 · 2 comments
Closed

heap-buffer-overflow in mc_luma when decoding file #239

leonzhao7 opened this issue Dec 24, 2019 · 2 comments

Comments

@leonzhao7
Copy link

heap-buffer-overflow in mc_luma when decoding file

I found some problems during fuzzing

Test Version

dev version, git clone https://github.com/strukturag/libde265

Test Environment

root@ubuntu:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.6 LTS
Release: 16.04
Codename: xenial

root@ubuntu:# uname -a
Linux ubuntu 4.15.0-45-generic #4816.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Test Configure

./configure
configure: ---------------------------------------
configure: Building dec265 example: yes
configure: Building sherlock265 example: no
configure: Building encoder: yes
configure: ---------------------------------------

Test Program

dec265 [infile]

Asan Output

root@ubuntu:~# ./dec265 libde265-mc_luma-heap_overflow.crash
WARNING: pps header invalid
=================================================================
==83007==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x626000008d1a at pc 0x00000052cd7b bp 0x7ffefc0bd7e0 sp 0x7ffefc0bd7d0
READ of size 2 at 0x626000008d1a thread T0
    #0 0x52cd7a in void mc_luma<unsigned short>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned short const*, int, int, int, int) /root/src/libde265/libde265/motion.cc:148
    #1 0x51f594 in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) /root/src/libde265/libde265/motion.cc:370
    #2 0x52b8f9 in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /root/src/libde265/libde265/motion.cc:2107
    #3 0x478f4a in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int) /root/src/libde265/libde265/slice.cc:4137
    #4 0x47a704 in read_coding_unit(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4492
    #5 0x47b6fe in read_coding_quadtree(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4647
    #6 0x47b5ac in read_coding_quadtree(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4633
    #7 0x47338a in read_coding_tree_unit(thread_context*) /root/src/libde265/libde265/slice.cc:2861
    #8 0x47beb1 in decode_substream(thread_context*, bool, bool) /root/src/libde265/libde265/slice.cc:4736
    #9 0x47db9f in read_slice_segment_data(thread_context*) /root/src/libde265/libde265/slice.cc:5049
    #10 0x40bf17 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:843
    #11 0x40c6d7 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:945
    #12 0x40b589 in decoder_context::decode_some(bool*) /root/src/libde265/libde265/decctx.cc:730
    #13 0x40b2f2 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:688
    #14 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
    #15 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
    #16 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
    #17 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
    #18 0x7f5ee6c5b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #19 0x402b28 in _start (/root/dec265+0x402b28)

0x626000008d1a is located 10 bytes to the right of 11280-byte region [0x626000006100,0x626000008d10)
allocated by thread T0 here:
    #0 0x7f5ee7b5c076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
    #1 0x43e00d in ALLOC_ALIGNED /root/src/libde265/libde265/image.cc:54
    #2 0x43e6da in de265_image_get_buffer /root/src/libde265/libde265/image.cc:128
    #3 0x440639 in de265_image::alloc_image(int, int, de265_chroma, std::shared_ptr<seq_parameter_set const>, bool, decoder_context*, long, void*, bool) /root/src/libde265/libde265/image.cc:384
    #4 0x43afa4 in decoded_picture_buffer::new_image(std::shared_ptr<seq_parameter_set const>, decoder_context*, long, void*, bool) /root/src/libde265/libde265/dpb.cc:262
    #5 0x40ee8b in decoder_context::generate_unavailable_reference_picture(seq_parameter_set const*, int, bool) /root/src/libde265/libde265/decctx.cc:1418
    #6 0x411722 in decoder_context::process_reference_picture_set(slice_segment_header*) /root/src/libde265/libde265/decctx.cc:1648
    #7 0x414cc9 in decoder_context::process_slice_segment_header(slice_segment_header*, de265_error*, long, nal_header*, void*) /root/src/libde265/libde265/decctx.cc:2066
    #8 0x40acad in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:639
    #9 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
    #10 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
    #11 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
    #12 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
    #13 0x7f5ee6c5b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/src/libde265/libde265/motion.cc:148 void mc_luma<unsigned short>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned short const*, int, int, int, int)
Shadow bytes around the buggy address:
  0x0c4c7fff9150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff9160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff9170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff9180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff9190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4c7fff91a0: 00 00 fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c7fff91b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c7fff91c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c7fff91d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c7fff91e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c7fff91f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==83007==ABORTING

POC file

libde265-mc_luma-heap_overflow.zip
password: leon.zhao.7

CREDIT

Zhao Liang, Huawei Weiran Labs
@coldtobi
Copy link

According to Debian this is CVE-2020-21595

@coldtobi
Copy link

The poc is no longer triggering with the state in the master branch, as of today at
commit c96962c, I was bisecting to find when the poc
started to no longer trigger.

The test were commited on Debian unstable, gcc (Debian 12.2.0-14) 12.2.

Methology:

Starting point for all bisects were commit c43f2f8 (selected, as this is around the time where the CVEs were reported)

commit c43f2f8cd674bc7c78951b279ca0b1f883e1f276 (HEAD)
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Thu Dec 19 11:04:40 2019 +0100

    increase version number to v1.0.4

Bisecting is done using, so that git will report the first "good" commit.
# git bisect start --term-new=fixed --term-old=unfixed

Bisecting is done using the CMake build system, using
# cmake ../libde265 -DCMAKE_CXX_FLAGS="-fsanitize=address" -DCMAKE_BUILD_TYPE=Debug

The pocs -- taken from the upstream issues (renamed for convience, so that the link to the CVE/issue is in the filename)
The test was done with:
./dec265/dec265 -q $POC

CVE-2020-21595-issue239-libde265-mc_luma-heap_overflow.crash

a3f1c6a is the first fixed commit

commit a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Tue Feb 23 15:11:09 2021 +0100

    return error when PCM bits parameter exceeds pixel depth (#225)

 libde265/de265.cc |  2 ++
 libde265/de265.h  |  3 ++-
 libde265/sps.cc   | 10 ++++++++++
 3 files changed, 14 insertions(+), 1 deletion(-)


git describe --contains a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25
v1.0.9~9

@farindk farindk closed this as completed Jan 24, 2023
@armorcodegithubpreprod armorcodegithubpreprod bot mentioned this issue Mar 14, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@farindk @leonzhao7 @coldtobi