-
-
Notifications
You must be signed in to change notification settings - Fork 455
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Heap-buffer-overflow in sse-motion.cc: ff_hevc_put_hevc_epel_pixels_8_sse #337
Comments
See strukturag#345 for my analysis and details… (This PR is just for discussion.) (The CVE references are obtained from the Debian security tracker, which links the issues.) This makes the following POCs stop failing: - poc3 (strukturag#337) - poc7-1 (strukturag#341) CVE-2022-43239 (note: does NOT fix poc7-2) - poc8-2, poc8-3, poc8-4 (strukturag#342) CVE-2022-43244 (note: does NOT fix poc8-1) - poc11-1, poc11-2 (strukturag#345) CVE-2022-43249 - poc12 (strukturag#346) - poc13 (strukturag#347) CVE-2022-43252 - poc16 (strukturag#350)
According to Debian this is CVE-2022-43235 |
(as e.g mc_chroma is using the sps to determine picture properties, like pic_width_in_luma_samples and pic_height_in_luma_samples, I *think* this is more correct. This PR is for discussion. (See strukturag#345.) It makes the failures go away, but that does not mean it's correct :) The following poc will be stop failing if (only) this patch is applied: - poc2 strukturag#336 - CVE-2022-43238 - poc4 strukturag#338 - CVE-2022-43241 - poc6-1, poc6-2 strukturag#340 - CVE-2022-43242 - poc7-1, poc7-2 strukturag#341 - CVE-2022-43239 - poc8-1 strukturag#342 - CVE-2022-43244 - poc9-3 strukturag#343 - CVE-2022-43236 - poc10-2, poc10-3 strukturag#344 - CVE-2022-43237 - poc16 strukturag#350 - poc19 strukturag#353 The following are still failing if only this patch is applied, but they stop failing if strukturag#365 is applied as well, but will still fail with ONLY strukturag#365 applied (IOW, both are needed) - poc1 strukturag#335 - CVE-2022-43240 - poc3 strukturag#337 - CVE-2022-43235 - poc5 strukturag#339 - CVE-2022-43423 - poc9-1,poc9-2, poc9-4 strukturag#343 - CVE-2022-43236 - poc14 strukturag#348 - CVE-2022-43253 - poc15 strukturag#349 - CVE-2022-43248 - poc17-1, poc17-2 strukturag#351 - poc18 strukturag#352 - CVE-2022-43245
I couldn't reproduce this (Ubuntu 16.04.7, GCC 5.4.0). Tried at v1.0.8 and c96962c. |
@coldtobi Since I apparently cannot reproduce the original issue in my setups, could you please verify that the issue is fixed? |
I can't reproduce this exact issue either… (Bisecting finds some old commit ~1.0.4 which triggers asan, but that is a complete different backtrace.) |
I think I'm seeing this issue (on a regular basis, security camera feed). As near as I can tell, this happens if it tries to do an accelerated ff_hevc_put_hevc_epel_pixels_8_sse variables: y = 3, height = 4, x = 0, width = 4
src = (uint8_t *) 0x7fffc857cffc "\204\204\204\204"<error: Cannot access memory at address 0x7fffc857d000> mc_chroma variables: xIntOffsC = 1276, yIntOffsC = 716, nPbWC = 4, nPbHC = 4, ref = 0x7fffc849c000, ref_stride = 1280 Reference Image Info: chroma_format = de265_chroma_420, width = 2560, height = 1440, chroma_width = 1280, chroma_height = 720, stride = 2560, chroma_stride = 1280, BitDepth_Y = 8, BitDepth_C = 8, SubWidthC = 2, SubHeightC = 2 Backtrace: #0 ff_hevc_put_hevc_epel_pixels_8_sse (dst=0x7fffcfffaaf0, dststride=8, _src=<optimized out>, srcstride=1280, width=4, height=4, mx=0, my=0, mcbuffer=0x0) at sse-motion.cc:1002
#1 0x00007ffff4084682 in acceleration_functions::put_hevc_epel (this=this@entry=0x7fffd004dda0, dst=dst@entry=0x7fffcfffaac0, dststride=dststride@entry=8, src=<optimized out>,
srcstride=srcstride@entry=1280, width=<optimized out>, height=4, mx=0, my=0, mcbuffer=0x0, bit_depth=8) at ../libde265/acceleration.h:296
#2 0x00007ffff4085537 in mc_chroma<unsigned char> (ctx=ctx@entry=0x7fffd004dcf0, sps=sps@entry=0x7fffd006e1e0, mv_x=<optimized out>, mv_y=<optimized out>, xP=xP@entry=2552, yP=yP@entry=1432,
out=0x7fffcfffaac0, out_stride=8, ref=0x7fffc849c000 '\203' <repeats 55 times>, "\202\200", '\177' <repeats 14 times>, "\200\200", '\201' <repeats 110 times>, "\200\177", '~' <repeats 15 times>...,
ref_stride=1280, nPbWC=4, nPbHC=4, bit_depth_C=8) at motion.cc:205
#3 0x00007ffff4083aae in generate_inter_prediction_samples (ctx=ctx@entry=0x7fffd004dcf0, shdr=shdr@entry=0x7fffd0068960, img=img@entry=0x7fffd00267e0, xC=xC@entry=2552, yC=yC@entry=1432, xB=xB@entry=0,
yB=0, nCS=8, nPbW=8, nPbH=8, vi=0x7fffcfffeb5c) at motion.cc:420
#4 0x00007ffff40844a6 in decode_prediction_unit (ctx=0x7fffd004dcf0, shdr=0x7fffd0068960, img=0x7fffd00267e0, motion=..., xC=xC@entry=2552, yC=yC@entry=1432, xB=0, yB=0, nCS=8, nPbW=8, nPbH=8, partIdx=0)
at motion.cc:2176
#5 0x00007ffff4091cbc in read_coding_unit (tctx=tctx@entry=0x7fffd0657988, x0=x0@entry=2552, y0=y0@entry=1432, log2CbSize=log2CbSize@entry=3, ctDepth=ctDepth@entry=2) at slice.cc:4314
#6 0x00007ffff40928ac in read_coding_quadtree (tctx=0x7fffd0657988, x0=2552, y0=1432, log2CbSize=3, ctDepth=2) at slice.cc:4652
#7 0x00007ffff4092831 in read_coding_quadtree (tctx=0x7fffd0657988, x0=2544, y0=1424, log2CbSize=4, ctDepth=<optimized out>) at slice.cc:4645
#8 0x00007ffff4092831 in read_coding_quadtree (tctx=tctx@entry=0x7fffd0657988, x0=x0@entry=2528, y0=y0@entry=1408, log2CbSize=5, ctDepth=ctDepth@entry=0) at slice.cc:4645
#9 0x00007ffff409298f in read_coding_tree_unit (tctx=tctx@entry=0x7fffd0657988) at slice.cc:2861
#10 0x00007ffff4092c6c in decode_substream (tctx=tctx@entry=0x7fffd0657988, block_wpp=block_wpp@entry=false, first_independent_substream=<optimized out>) at slice.cc:4741
#11 0x00007ffff4092e3a in thread_task_slice_segment::work (this=0x7fffd004b090) at slice.cc:4940
#12 0x00007ffff40986ce in worker_thread (pool_ptr=0x7fffd004e728) at threads.cc:233
#13 0x00007ffff7b66b4a in ?? () from /lib64/libc.so.6
#14 0x00007ffff7be965c in ?? () from /lib64/libc.so.6 |
Description
Heap-buffer-overflow (/libde265/build/libde265/liblibde265.so+0x262cc1) in ff_hevc_put_hevc_epel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, int, int, short*)
Version
Replay
ASAN
POC
https://github.com/FDU-Sec/poc/blob/main/libde265/poc3
Environment
Credit
Peng Deng (Fudan University)
The text was updated successfully, but these errors were encountered: