New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Heap-buffer-overflow in sse-motion.cc: ff_hevc_put_weighted_pred_avg_8_sse #339
Labels
Comments
|
According to Debian this is CVE-2022-43243 |
coldtobi
pushed a commit
to coldtobi/libde265
that referenced
this issue
Dec 12, 2022
(as e.g mc_chroma is using the sps to determine picture properties, like pic_width_in_luma_samples and pic_height_in_luma_samples, I *think* this is more correct. This PR is for discussion. (See strukturag#345.) It makes the failures go away, but that does not mean it's correct :) The following poc will be stop failing if (only) this patch is applied: - poc2 strukturag#336 - CVE-2022-43238 - poc4 strukturag#338 - CVE-2022-43241 - poc6-1, poc6-2 strukturag#340 - CVE-2022-43242 - poc7-1, poc7-2 strukturag#341 - CVE-2022-43239 - poc8-1 strukturag#342 - CVE-2022-43244 - poc9-3 strukturag#343 - CVE-2022-43236 - poc10-2, poc10-3 strukturag#344 - CVE-2022-43237 - poc16 strukturag#350 - poc19 strukturag#353 The following are still failing if only this patch is applied, but they stop failing if strukturag#365 is applied as well, but will still fail with ONLY strukturag#365 applied (IOW, both are needed) - poc1 strukturag#335 - CVE-2022-43240 - poc3 strukturag#337 - CVE-2022-43235 - poc5 strukturag#339 - CVE-2022-43423 - poc9-1,poc9-2, poc9-4 strukturag#343 - CVE-2022-43236 - poc14 strukturag#348 - CVE-2022-43253 - poc15 strukturag#349 - CVE-2022-43248 - poc17-1, poc17-2 strukturag#351 - poc18 strukturag#352 - CVE-2022-43245
farindk
added a commit
that referenced
this issue
Jan 24, 2023
|
Should be fixed by #375 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
Heap-buffer-overflow (/libde265/build/libde265/liblibde265.so+0x25f5ed) in ff_hevc_put_weighted_pred_avg_8_sse(unsigned char*, long, short const*, short const*, long, int, int)
Version
Replay
ASAN
WARNING: non-existing PPS referenced WARNING: non-existing PPS referenced WARNING: non-existing PPS referenced WARNING: CTB outside of image area (concealing stream error...) WARNING: non-existing PPS referenced WARNING: non-existing PPS referenced ================================================================= ==13339==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62b0000145b0 at pc 0x7f6f8c4ec5ee bp 0x7fff915210c0 sp 0x7fff915210b0 WRITE of size 16 at 0x62b0000145b0 thread T0 #0 0x7f6f8c4ec5ed in ff_hevc_put_weighted_pred_avg_8_sse(unsigned char*, long, short const*, short const*, long, int, int) (/libde265/build/libde265/liblibde265.so+0x25f5ed) #1 0x7f6f8c403bbe in acceleration_functions::put_weighted_pred_avg(void*, long, short const*, short const*, long, int, int, int) const (/libde265/build/libde265/liblibde265.so+0x176bbe) #2 0x7f6f8c3f7c6a in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) (/libde265/build/libde265/liblibde265.so+0x16ac6a) #3 0x7f6f8c40390f in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) (/libde265/build/libde265/liblibde265.so+0x17690f) #4 0x7f6f8c43e7e3 in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int) (/libde265/build/libde265/liblibde265.so+0x1b17e3) #5 0x7f6f8c440264 in read_coding_unit(thread_context*, int, int, int, int) (/libde265/build/libde265/liblibde265.so+0x1b3264) #6 0x7f6f8c441250 in read_coding_quadtree(thread_context*, int, int, int, int) (/libde265/build/libde265/liblibde265.so+0x1b4250) #7 0x7f6f8c438726 in read_coding_tree_unit(thread_context*) (/libde265/build/libde265/liblibde265.so+0x1ab726) #8 0x7f6f8c4419ea in decode_substream(thread_context*, bool, bool) (/libde265/build/libde265/liblibde265.so+0x1b49ea) #9 0x7f6f8c44370f in read_slice_segment_data(thread_context*) (/libde265/build/libde265/liblibde265.so+0x1b670f) #10 0x7f6f8c3a26d2 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) (/libde265/build/libde265/liblibde265.so+0x1156d2) #11 0x7f6f8c3a2ec1 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) (/libde265/build/libde265/liblibde265.so+0x115ec1) #12 0x7f6f8c3a1c0f in decoder_context::decode_some(bool*) (/libde265/build/libde265/liblibde265.so+0x114c0f) #13 0x7f6f8c3a193d in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) (/libde265/build/libde265/liblibde265.so+0x11493d) #14 0x7f6f8c3a443e in decoder_context::decode_NAL(NAL_unit*) (/libde265/build/libde265/liblibde265.so+0x11743e) #15 0x7f6f8c3a4ab3 in decoder_context::decode(int*) (/libde265/build/libde265/liblibde265.so+0x117ab3) #16 0x7f6f8c38be95 in de265_decode (/libde265/build/libde265/liblibde265.so+0xfee95) #17 0x560fb29a0bc9 in main (/libde265/build/dec265/dec265+0x6bc9) #18 0x7f6f8bebdc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) #19 0x560fb299e9b9 in _start (/libde265/build/dec265/dec265+0x49b9) 0x62b0000145b0 is located 160 bytes to the right of 25360-byte region [0x62b00000e200,0x62b000014510) allocated by thread T0 here: #0 0x7f6f8c8b4790 in posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdf790) #1 0x7f6f8c3dd1cb in ALLOC_ALIGNED(unsigned long, unsigned long) (/libde265/build/libde265/liblibde265.so+0x1501cb) #2 0x7f6f8c3dd99d in de265_image_get_buffer(void*, de265_image_spec*, de265_image*, void*) (/libde265/build/libde265/liblibde265.so+0x15099d) #3 0x7f6f8c3dfd1a in de265_image::alloc_image(int, int, de265_chroma, std::shared_ptr<seq_parameter_set const>, bool, decoder_context*, long, void*, bool) (/libde265/build/libde265/liblibde265.so+0x152d1a) #4 0x7f6f8c3c40cc in decoded_picture_buffer::new_image(std::shared_ptr<seq_parameter_set const>, decoder_context*, long, void*, bool) (/libde265/build/libde265/liblibde265.so+0x1370cc) #5 0x7f6f8c3ab3ff in decoder_context::process_slice_segment_header(slice_segment_header*, de265_error*, long, nal_header*, void*) (/libde265/build/libde265/liblibde265.so+0x11e3ff) #6 0x7f6f8c3a1246 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) (/libde265/build/libde265/liblibde265.so+0x114246) #7 0x7f6f8c3a443e in decoder_context::decode_NAL(NAL_unit*) (/libde265/build/libde265/liblibde265.so+0x11743e) #8 0x7f6f8c3a4ab3 in decoder_context::decode(int*) (/libde265/build/libde265/liblibde265.so+0x117ab3) #9 0x7f6f8c38be95 in de265_decode (/libde265/build/libde265/liblibde265.so+0xfee95) #10 0x560fb29a0bc9 in main (/libde265/build/dec265/dec265+0x6bc9) #11 0x7f6f8bebdc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86) SUMMARY: AddressSanitizer: heap-buffer-overflow (/libde265/build/libde265/liblibde265.so+0x25f5ed) in ff_hevc_put_weighted_pred_avg_8_sse(unsigned char*, long, short const*, short const*, long, int, int) Shadow bytes around the buggy address: 0x0c567fffa860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c567fffa870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c567fffa880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c567fffa890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c567fffa8a0: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c567fffa8b0: fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa 0x0c567fffa8c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c567fffa8d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c567fffa8e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c567fffa8f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c567fffa900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==13339==ABORTINGPOC
https://github.com/FDU-Sec/poc/blob/main/libde265/poc5
Environment
Credit
Peng Deng (Fudan University)
The text was updated successfully, but these errors were encountered: