Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Heap-buffer-overflow in fallback-motion.cc in put_epel_16_fallback #347

Closed
fdu-sec opened this issue Oct 10, 2022 · 2 comments
Closed

Heap-buffer-overflow in fallback-motion.cc in put_epel_16_fallback #347

fdu-sec opened this issue Oct 10, 2022 · 2 comments
Labels
fix available

Comments

@fdu-sec
Copy link

fdu-sec commented Oct 10, 2022

Description

Heap-buffer-overflow (/libde265/build/libde265/liblibde265.so+0x1465fb) in put_epel_16_fallback(short*, long, unsigned short const*, long, int, int, int, int, short*, int)

Version

$ ./dec265 -h
 dec265  v1.0.8
--------------
usage: dec265 [options] videofile.bin
The video file must be a raw bitstream, or a stream with NAL units (option -n).

options:
  -q, --quiet       do not show decoded image
  -t, --threads N   set number of worker threads (0 - no threading)
  -c, --check-hash  perform hash check
  -n, --nal         input is a stream with 4-byte length prefixed NAL units
  -f, --frames N    set number of frames to process
  -o, --output      write YUV reconstruction
  -d, --dump        dump headers
  -0, --noaccel     do not use any accelerated code (SSE)
  -v, --verbose     increase verbosity level (up to 3 times)
  -L, --no-logging  disable logging
  -B, --write-bytestream FILENAME  write raw bytestream (from NAL input)
  -m, --measure YUV compute PSNRs relative to reference YUV
  -T, --highest-TID select highest temporal sublayer to decode
      --disable-deblocking   disable deblocking filter
      --disable-sao          disable sample-adaptive offset filter
  -h, --help        show help

Replay

git clone https://github.com/strukturag/libde265.git
cd libde265
mkdir build
cd build
cmake ../ -DCMAKE_CXX_FLAGS="-fsanitize=address"
make -j$(nproc)
./dec265/dec265 poc13

ASAN

WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
=================================================================
==64370==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62b00001b510 at pc 0x7f47d023f5fc bp 0x7ffd4845c300 sp 0x7ffd4845c2f0
READ of size 2 at 0x62b00001b510 thread T0
    #0 0x7f47d023f5fb in put_epel_16_fallback(short*, long, unsigned short const*, long, int, int, int, int, short*, int) (/libde265/build/libde265/liblibde265.so+0x1465fb)
    #1 0x7f47d026ffe8 in acceleration_functions::put_hevc_epel(short*, long, void const*, long, int, int, int, int, short*, int) const (/libde265/build/libde265/liblibde265.so+0x176fe8)
    #2 0x7f47d0271d75 in void mc_chroma<unsigned short>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned short const*, int, int, int, int) (/libde265/build/libde265/liblibde265.so+0x178d75)
    #3 0x7f47d0262b2d in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) (/libde265/build/libde265/liblibde265.so+0x169b2d)
    #4 0x7f47d026f90f in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) (/libde265/build/libde265/liblibde265.so+0x17690f)
    #5 0x7f47d02aa7e3 in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int) (/libde265/build/libde265/liblibde265.so+0x1b17e3)
    #6 0x7f47d02ac264 in read_coding_unit(thread_context*, int, int, int, int) (/libde265/build/libde265/liblibde265.so+0x1b3264)
    #7 0x7f47d02ad250 in read_coding_quadtree(thread_context*, int, int, int, int) (/libde265/build/libde265/liblibde265.so+0x1b4250)
    #8 0x7f47d02a4726 in read_coding_tree_unit(thread_context*) (/libde265/build/libde265/liblibde265.so+0x1ab726)
    #9 0x7f47d02ad9ea in decode_substream(thread_context*, bool, bool) (/libde265/build/libde265/liblibde265.so+0x1b49ea)
    #10 0x7f47d02af70f in read_slice_segment_data(thread_context*) (/libde265/build/libde265/liblibde265.so+0x1b670f)
    #11 0x7f47d020e6d2 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) (/libde265/build/libde265/liblibde265.so+0x1156d2)
    #12 0x7f47d020eec1 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) (/libde265/build/libde265/liblibde265.so+0x115ec1)
    #13 0x7f47d020dc0f in decoder_context::decode_some(bool*) (/libde265/build/libde265/liblibde265.so+0x114c0f)
    #14 0x7f47d020d93d in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) (/libde265/build/libde265/liblibde265.so+0x11493d)
    #15 0x7f47d021043e in decoder_context::decode_NAL(NAL_unit*) (/libde265/build/libde265/liblibde265.so+0x11743e)
    #16 0x7f47d0210ab3 in decoder_context::decode(int*) (/libde265/build/libde265/liblibde265.so+0x117ab3)
    #17 0x7f47d01f7e95 in de265_decode (/libde265/build/libde265/liblibde265.so+0xfee95)
    #18 0x555f566e3bc9 in main (/libde265/build/dec265/dec265+0x6bc9)
    #19 0x7f47cfd29c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #20 0x555f566e19b9 in _start (/libde265/build/dec265/dec265+0x49b9)

0x62b00001b510 is located 0 bytes to the right of 25360-byte region [0x62b000015200,0x62b00001b510)
allocated by thread T0 here:
    #0 0x7f47d0720790 in posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdf790)
    #1 0x7f47d02491cb in ALLOC_ALIGNED(unsigned long, unsigned long) (/libde265/build/libde265/liblibde265.so+0x1501cb)
    #2 0x7f47d024999d in de265_image_get_buffer(void*, de265_image_spec*, de265_image*, void*) (/libde265/build/libde265/liblibde265.so+0x15099d)
    #3 0x7f47d024bd1a in de265_image::alloc_image(int, int, de265_chroma, std::shared_ptr<seq_parameter_set const>, bool, decoder_context*, long, void*, bool) (/libde265/build/libde265/liblibde265.so+0x152d1a)
    #4 0x7f47d02300cc in decoded_picture_buffer::new_image(std::shared_ptr<seq_parameter_set const>, decoder_context*, long, void*, bool) (/libde265/build/libde265/liblibde265.so+0x1370cc)
    #5 0x7f47d02173ff in decoder_context::process_slice_segment_header(slice_segment_header*, de265_error*, long, nal_header*, void*) (/libde265/build/libde265/liblibde265.so+0x11e3ff)
    #6 0x7f47d020d246 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) (/libde265/build/libde265/liblibde265.so+0x114246)
    #7 0x7f47d021043e in decoder_context::decode_NAL(NAL_unit*) (/libde265/build/libde265/liblibde265.so+0x11743e)
    #8 0x7f47d0210ab3 in decoder_context::decode(int*) (/libde265/build/libde265/liblibde265.so+0x117ab3)
    #9 0x7f47d01f7e95 in de265_decode (/libde265/build/libde265/liblibde265.so+0xfee95)
    #10 0x555f566e3bc9 in main (/libde265/build/dec265/dec265+0x6bc9)
    #11 0x7f47cfd29c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/libde265/build/libde265/liblibde265.so+0x1465fb) in put_epel_16_fallback(short*, long, unsigned short const*, long, int, int, int, int, short*, int)
Shadow bytes around the buggy address:
  0x0c567fffb650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c567fffb660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c567fffb670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c567fffb680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c567fffb690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c567fffb6a0: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fffb6b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fffb6c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fffb6d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fffb6e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fffb6f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==64370==ABORTING

POC

https://github.com/FDU-Sec/poc/blob/main/libde265/poc13

Environment

Ubuntu 18.04.5 LTS
Clang 10.0.1
gcc 7.5.0

Credit

Peng Deng (Fudan University)
coldtobi pushed a commit to coldtobi/libde265 that referenced this issue Dec 12, 2022
Try to mitigate asan failures.
97dd153 
See strukturag#345 for my analysis and details…

(This PR is just for discussion.)

(The CVE references are obtained from the Debian security tracker,
which links the issues.)

This makes the following POCs stop failing:

- poc3 (strukturag#337)
- poc7-1 (strukturag#341) CVE-2022-43239 (note: does NOT fix poc7-2)
- poc8-2, poc8-3, poc8-4 (strukturag#342) CVE-2022-43244   (note: does NOT fix poc8-1)
- poc11-1, poc11-2 (strukturag#345) CVE-2022-43249
- poc12 (strukturag#346)
- poc13 (strukturag#347) CVE-2022-43252
- poc16 (strukturag#350)
This was referenced Dec 12, 2022
Open
Closed
@coldtobi
Copy link

According to Debian this is CVE-2022-43252

@farindk
Copy link
Contributor

farindk commented Jan 24, 2023

Should be fixed by #374

@farindk farindk closed this as completed Jan 24, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
fix available
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@farindk @coldtobi @fdu-sec