root@ubuntu:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.6 LTS
Release: 16.04
Codename: xenial
root@ubuntu:# uname -a
Linux ubuntu 4.15.0-45-generic #4816.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Test Configure
./configure
configure: ---------------------------------------
configure: Building dec265 example: yes
configure: Building sherlock265 example: no
configure: Building encoder: yes
configure: ---------------------------------------
Test Program
dec265 [infile]
Asan Output
root@ubuntu:~# ./dec265 libde265-put_weighted_bipred_16_fallback-heap_overflow.crash
WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
WARNING: pps header invalid
WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
=================================================================
==97574==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62b00001b510 at pc 0x000000432ac8 bp 0x7ffe6664b0a0 sp 0x7ffe6664b090
WRITE of size 2 at 0x62b00001b510 thread T0
#0 0x432ac7 in put_weighted_bipred_16_fallback(unsigned short*, long, short const*, short const*, long, int, int, int, int, int, int, int, int) /root/src/libde265/libde265/fallback-motion.cc:223
#1 0x52beeb in acceleration_functions::put_weighted_bipred(void*, long, short const*, short const*, long, int, int, int, int, int, int, int, int) const ../libde265/acceleration.h:286
#2 0x52112f in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) /root/src/libde265/libde265/motion.cc:562
#3 0x52b8f9 in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /root/src/libde265/libde265/motion.cc:2107
#4 0x47995d in read_coding_unit(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4310
#5 0x47b6fe in read_coding_quadtree(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4647
#6 0x47338a in read_coding_tree_unit(thread_context*) /root/src/libde265/libde265/slice.cc:2861
#7 0x47beb1 in decode_substream(thread_context*, bool, bool) /root/src/libde265/libde265/slice.cc:4736
#8 0x47db9f in read_slice_segment_data(thread_context*) /root/src/libde265/libde265/slice.cc:5049
#9 0x40bf17 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:843
#10 0x40c6d7 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:945
#11 0x40b589 in decoder_context::decode_some(bool*) /root/src/libde265/libde265/decctx.cc:730
#12 0x40b2f2 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:688
#13 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
#14 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
#15 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
#16 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
#17 0x7f349865a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#18 0x402b28 in _start (/root/dec265+0x402b28)
0x62b00001b510 is located 0 bytes to the right of 25360-byte region [0x62b000015200,0x62b00001b510)
allocated by thread T0 here:
#0 0x7f349955b076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
#1 0x43e00d in ALLOC_ALIGNED /root/src/libde265/libde265/image.cc:54
#2 0x43e725 in de265_image_get_buffer /root/src/libde265/libde265/image.cc:132
#3 0x440639 in de265_image::alloc_image(int, int, de265_chroma, std::shared_ptr<seq_parameter_set const>, bool, decoder_context*, long, void*, bool) /root/src/libde265/libde265/image.cc:384
#4 0x43afa4 in decoded_picture_buffer::new_image(std::shared_ptr<seq_parameter_set const>, decoder_context*, long, void*, bool) /root/src/libde265/libde265/dpb.cc:262
#5 0x414467 in decoder_context::process_slice_segment_header(slice_segment_header*, de265_error*, long, nal_header*, void*) /root/src/libde265/libde265/decctx.cc:2012
#6 0x40acad in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:639
#7 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
#8 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
#9 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
#10 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
#11 0x7f349865a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/src/libde265/libde265/fallback-motion.cc:223 put_weighted_bipred_16_fallback(unsigned short*, long, short const*, short const*, long, int, int, int, int, int, int, int, int)
Shadow bytes around the buggy address:
0x0c567fffb650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c567fffb660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c567fffb670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c567fffb680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c567fffb690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c567fffb6a0: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c567fffb6b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c567fffb6c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c567fffb6d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c567fffb6e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c567fffb6f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==97574==ABORTING
The poc is no longer triggering with the state in the master branch, as of today at
commit c96962c, I was bisecting to find when the poc
started to no longer trigger.
The test were commited on Debian unstable, gcc (Debian 12.2.0-14) 12.2.
Methology:
Starting point for all bisects were commit c43f2f8 (selected, as this is around the time where the CVEs were reported)
commit c43f2f8cd674bc7c78951b279ca0b1f883e1f276 (HEAD)
Author: Dirk Farin <dirk.farin@gmail.com>
Date: Thu Dec 19 11:04:40 2019 +0100
increase version number to v1.0.4
Bisecting is done using, so that git will report the first "good" commit. # git bisect start --term-new=fixed --term-old=unfixed
Bisecting is done using the CMake build system, using # cmake ../libde265 -DCMAKE_CXX_FLAGS="-fsanitize=address" -DCMAKE_BUILD_TYPE=Debug
The pocs -- taken from the upstream issues (renamed for convience, so that the link to the CVE/issue is in the filename)
The test was done with: ./dec265/dec265 -q $POC
heap-buffer-overflow in put_weighted_bipred_16_fallback when decoding file
I found some problems during fuzzing
Test Version
dev version, git clone https://github.com/strukturag/libde265
Test Environment
root@ubuntu:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.6 LTS
Release: 16.04
Codename: xenial
root@ubuntu:
# uname -a16.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86_64 x86_64 x86_64 GNU/LinuxLinux ubuntu 4.15.0-45-generic #48
Test Configure
./configure
configure: ---------------------------------------
configure: Building dec265 example: yes
configure: Building sherlock265 example: no
configure: Building encoder: yes
configure: ---------------------------------------
Test Program
dec265 [infile]Asan Output
POC file
libde265-put_weighted_bipred_16_fallback-heap_overflow.zip
password: leon.zhao.7
CREDIT
Zhao Liang, Huawei Weiran Labs
The text was updated successfully, but these errors were encountered: