heap-buffer-overflow in put_qpel_0_0_fallback_16 when decoding file

[leonzhao7]

heap-buffer-overflow in put_qpel_0_0_fallback_16 when decoding file

I found some problems during fuzzing

Test Version

dev version, git clone https://github.com/strukturag/libde265

Test Environment

root@ubuntu:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.6 LTS
Release: 16.04
Codename: xenial

root@ubuntu:# uname -a
Linux ubuntu 4.15.0-45-generic #4816.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Test Configure

./configure
configure: ---------------------------------------
configure: Building dec265 example: yes
configure: Building sherlock265 example: no
configure: Building encoder: yes
configure: ---------------------------------------

Test Program

dec265 [infile]

Asan Output

root@ubuntu:~# ./dec265 libde265-put_qpel_0_0_fallback_16-heap_overflow.crash
WARNING: non-existing PPS referenced
WARNING: pps header invalid
WARNING: non-existing PPS referenced
WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
WARNING: slice header invalid
WARNING: faulty reference picture list
WARNING: faulty reference picture list
WARNING: slice header invalid
WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
WARNING: slice header invalid
WARNING: slice header invalid
WARNING: faulty reference picture list
WARNING: coded parameter out of range
WARNING: CTB outside of image area (concealing stream error...)
=================================================================
==87307==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x633000131410 at pc 0x0000004334a0 bp 0x7ffc47b87000 sp 0x7ffc47b86ff0
READ of size 2 at 0x633000131410 thread T0
    #0 0x43349f in put_qpel_0_0_fallback_16(short*, long, unsigned short const*, long, int, int, short*, int) /root/src/libde265/libde265/fallback-motion.cc:471
    #1 0x52c405 in acceleration_functions::put_hevc_qpel(short*, long, void const*, long, int, int, short*, int, int, int) const ../libde265/acceleration.h:338
    #2 0x52d20c in void mc_luma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) /root/src/libde265/libde265/motion.cc:78
    #3 0x51f6f2 in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) /root/src/libde265/libde265/motion.cc:376
    #4 0x52b8f9 in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /root/src/libde265/libde265/motion.cc:2107
    #5 0x478f4a in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int) /root/src/libde265/libde265/slice.cc:4137
    #6 0x47a704 in read_coding_unit(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4492
    #7 0x47b6fe in read_coding_quadtree(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4647
    #8 0x47338a in read_coding_tree_unit(thread_context*) /root/src/libde265/libde265/slice.cc:2861
    #9 0x47beb1 in decode_substream(thread_context*, bool, bool) /root/src/libde265/libde265/slice.cc:4736
    #10 0x47db9f in read_slice_segment_data(thread_context*) /root/src/libde265/libde265/slice.cc:5049
    #11 0x40bf17 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:843
    #12 0x40c6d7 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:945
    #13 0x40b589 in decoder_context::decode_some(bool*) /root/src/libde265/libde265/decctx.cc:730
    #14 0x40b2f2 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:688
    #15 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
    #16 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
    #17 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
    #18 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
    #19 0x7f3dfef4982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #20 0x402b28 in _start (/root/dec265+0x402b28)

0x633000131410 is located 0 bytes to the right of 101392-byte region [0x633000118800,0x633000131410)
allocated by thread T0 here:
    #0 0x7f3dffe4a076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
    #1 0x43e00d in ALLOC_ALIGNED /root/src/libde265/libde265/image.cc:54
    #2 0x43e6da in de265_image_get_buffer /root/src/libde265/libde265/image.cc:128
    #3 0x440639 in de265_image::alloc_image(int, int, de265_chroma, std::shared_ptr<seq_parameter_set const>, bool, decoder_context*, long, void*, bool) /root/src/libde265/libde265/image.cc:384
    #4 0x43afa4 in decoded_picture_buffer::new_image(std::shared_ptr<seq_parameter_set const>, decoder_context*, long, void*, bool) /root/src/libde265/libde265/dpb.cc:262
    #5 0x40ee8b in decoder_context::generate_unavailable_reference_picture(seq_parameter_set const*, int, bool) /root/src/libde265/libde265/decctx.cc:1418
    #6 0x411722 in decoder_context::process_reference_picture_set(slice_segment_header*) /root/src/libde265/libde265/decctx.cc:1648
    #7 0x414cc9 in decoder_context::process_slice_segment_header(slice_segment_header*, de265_error*, long, nal_header*, void*) /root/src/libde265/libde265/decctx.cc:2066
    #8 0x40acad in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:639
    #9 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
    #10 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
    #11 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
    #12 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
    #13 0x7f3dfef4982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/src/libde265/libde265/fallback-motion.cc:471 put_qpel_0_0_fallback_16(short*, long, unsigned short const*, long, int, int, short*, int)
Shadow bytes around the buggy address:
  0x0c668001e230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c668001e240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c668001e250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c668001e260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c668001e270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c668001e280: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c668001e290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c668001e2a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c668001e2b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c668001e2c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c668001e2d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==87307==ABORTING

POC file

libde265-put_qpel_0_0_fallback_16-heap_overflow.zip
password: leon.zhao.7

CREDIT

Zhao Liang, Huawei Weiran Labs

[coldtobi]

According to Debian this is CVE-2020-21603

[coldtobi]

The poc is no longer triggering with the state in the master branch, as of today at
commit c96962c, I was bisecting to find when the poc
started to no longer trigger.

The test were commited on Debian unstable, gcc (Debian 12.2.0-14) 12.2.

Methology:

Starting point for all bisects were commit c43f2f8 (selected, as this is around the time where the CVEs were reported)

commit c43f2f8cd674bc7c78951b279ca0b1f883e1f276 (HEAD)
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Thu Dec 19 11:04:40 2019 +0100

    increase version number to v1.0.4

Bisecting is done using, so that git will report the first "good" commit.
# git bisect start --term-new=fixed --term-old=unfixed

Bisecting is done using the CMake build system, using
# cmake ../libde265 -DCMAKE_CXX_FLAGS="-fsanitize=address" -DCMAKE_BUILD_TYPE=Debug

The pocs -- taken from the upstream issues (renamed for convience, so that the link to the CVE/issue is in the filename)
The test was done with:
./dec265/dec265 -q $POC

CVE-2020-21603-put_qpel_0_0_fallback_16-heap_overflow.crash

a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25 is the first fixed commit
commit a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Tue Feb 23 15:11:09 2021 +0100

    return error when PCM bits parameter exceeds pixel depth (#225)

 libde265/de265.cc |  2 ++
 libde265/de265.h  |  3 ++-
 libde265/sps.cc   | 10 ++++++++++
 3 files changed, 14 insertions(+), 1 deletion(-)

git describe --contains a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25
v1.0.9~9

[farindk]

Thanks @leonzhao7 and @coldtobi