You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Heap-buffer-overflow (/libde265/build/libde265/liblibde265.so+0x1930a5) in void apply_sao_internal(de265_image*, int, int, slice_segment_header const*, int, int, int, unsigned short const*, int, unsigned short*, int)
Version
$ ./dec265 -h
dec265 v1.0.8
--------------
usage: dec265 [options] videofile.bin
The video file must be a raw bitstream, or a stream with NAL units (option -n).
options:
-q, --quiet do not show decoded image
-t, --threads N set number of worker threads (0 - no threading)
-c, --check-hash perform hash check
-n, --nal input is a stream with 4-byte length prefixed NAL units
-f, --frames N set number of frames to process
-o, --output write YUV reconstruction
-d, --dump dump headers
-0, --noaccel do not use any accelerated code (SSE)
-v, --verbose increase verbosity level (up to 3 times)
-L, --no-logging disable logging
-B, --write-bytestream FILENAME write raw bytestream (from NAL input)
-m, --measure YUV compute PSNRs relative to reference YUV
-T, --highest-TID selecthighest temporal sublayer to decode
--disable-deblocking disable deblocking filter
--disable-sao disable sample-adaptive offset filter
-h, --help show help
Replay
git clone https://github.com/strukturag/libde265.git
cd libde265
mkdir build
cd build
cmake ../ -DCMAKE_CXX_FLAGS="-fsanitize=address"
make -j$(nproc)
./dec265/dec265 poc17-1
ASAN
WARNING: CTB outside of image area (concealing stream error...)
=================================================================
==25786==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000006350 at pc 0x7f81f6c790a6 bp 0x7fff712d0990 sp 0x7fff712d0980
READ of size 1 at 0x611000006350 thread T0
#0 0x7f81f6c790a5 in void apply_sao_internal<unsigned short>(de265_image*, int, int, slice_segment_header const*, int, int, int, unsigned short const*, int, unsigned short*, int) (/libde265/build/libde265/liblibde265.so+0x1930a5)#1 0x7f81f6c773b6 in void apply_sao<unsigned char>(de265_image*, int, int, slice_segment_header const*, int, int, int, unsigned char const*, int, unsigned char*, int) (/libde265/build/libde265/liblibde265.so+0x1913b6)#2 0x7f81f6c75761 in apply_sample_adaptive_offset_sequential(de265_image*) (/libde265/build/libde265/liblibde265.so+0x18f761)#3 0x7f81f6c03a5d in decoder_context::run_postprocessing_filters_sequential(de265_image*) (/libde265/build/libde265/liblibde265.so+0x11da5d)#4 0x7f81f6bfaecf in decoder_context::decode_some(bool*) (/libde265/build/libde265/liblibde265.so+0x114ecf)#5 0x7f81f6bfa93d in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) (/libde265/build/libde265/liblibde265.so+0x11493d)#6 0x7f81f6bfd43e in decoder_context::decode_NAL(NAL_unit*) (/libde265/build/libde265/liblibde265.so+0x11743e)#7 0x7f81f6bfdab3 in decoder_context::decode(int*) (/libde265/build/libde265/liblibde265.so+0x117ab3)#8 0x7f81f6be4e95 in de265_decode (/libde265/build/libde265/liblibde265.so+0xfee95)#9 0x557f78530bc9 in main (/libde265/build/dec265/dec265+0x6bc9)#10 0x7f81f6716c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)#11 0x557f7852e9b9 in _start (/libde265/build/dec265/dec265+0x49b9)
Address 0x611000006350 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow (/libde265/build/libde265/liblibde265.so+0x1930a5) in void apply_sao_internal<unsigned short>(de265_image*, int, int, slice_segment_header const*, int, int, int, unsigned short const*, int, unsigned short*, int)
Shadow bytes around the buggy address:
0x0c227fff8c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c227fff8c60: fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa
0x0c227fff8c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fff8cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==25786==ABORTING
Description
Heap-buffer-overflow (/libde265/build/libde265/liblibde265.so+0x1930a5) in void apply_sao_internal(de265_image*, int, int, slice_segment_header const*, int, int, int, unsigned short const*, int, unsigned short*, int)
Version
Replay
ASAN
POC
https://github.com/FDU-Sec/poc/blob/main/libde265/poc17-1
https://github.com/FDU-Sec/poc/blob/main/libde265/poc17-2
Environment
Credit
Peng Deng (Fudan University)
The text was updated successfully, but these errors were encountered: