
heap-buffer-overflow (libde265/build/libde265/libde265.so+0x1ec50d) in de265_image::set_SliceAddrRS(int, int, int) #369

Closed
xidoo123 opened this issue Dec 18, 2022 · 5 comments

Comments

@xidoo123

Description

heap-buffer-overflow (libde265/build/libde265/libde265.so+0x1ec50d) in de265_image::set_SliceAddrRS(int, int, int)

Version info

 dec265  v1.0.9
--------------
usage: dec265 [options] videofile.bin
The video file must be a raw bitstream, or a stream with NAL units (option -n).

options:
  -q, --quiet       do not show decoded image
  -t, --threads N   set number of worker threads (0 - no threading)
  -c, --check-hash  perform hash check
  -n, --nal         input is a stream with 4-byte length prefixed NAL units
  -f, --frames N    set number of frames to process
  -o, --output      write YUV reconstruction
  -d, --dump        dump headers
  -0, --noaccel     do not use any accelerated code (SSE)
  -v, --verbose     increase verbosity level (up to 3 times)
  -L, --no-logging  disable logging
  -B, --write-bytestream FILENAME  write raw bytestream (from NAL input)
  -m, --measure YUV compute PSNRs relative to reference YUV
  -T, --highest-TID select highest temporal sublayer to decode
      --disable-deblocking   disable deblocking filter
      --disable-sao          disable sample-adaptive offset filter
  -h, --help        show help

Reproduce

git clone https://github.com/strukturag/libde265.git
cd libde265
mkdir build
cd build
cmake ../ -DCMAKE_CXX_FLAGS="-fsanitize=address"
make -j$(nproc)
./dec265/dec265 653.bin

ASAN

WARNING: maximum number of reference pictures exceeded
WARNING: faulty reference picture list
WARNING: maximum number of reference pictures exceeded
WARNING: CTB outside of image area (concealing stream error...)
WARNING: maximum number of reference pictures exceeded
WARNING: faulty reference picture list
WARNING: maximum number of reference pictures exceeded
WARNING: faulty reference picture list
SPS error: TB > CB
WARNING: CTB outside of image area (concealing stream error...)
WARNING: CTB outside of image area (concealing stream error...)
WARNING: CTB outside of image area (concealing stream error...)
WARNING: maximum number of reference pictures exceeded
WARNING: faulty reference picture list
WARNING: maximum number of reference pictures exceeded
WARNING: faulty reference picture list
WARNING: CTB outside of image area (concealing stream error...)
WARNING: maximum number of reference pictures exceeded
WARNING: CTB outside of image area (concealing stream error...)
=================================================================
==732766==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6070000007d8 at pc 0x7ff23d2ac50e bp 0x7ffce559d1f0 sp 0x7ffce559d1e0
WRITE of size 2 at 0x6070000007d8 thread T0
    #0 0x7ff23d2ac50d in de265_image::set_SliceAddrRS(int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1ec50d)
    #1 0x7ff23d29fb85 in read_coding_tree_unit(thread_context*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1dfb85)
    #2 0x7ff23d2a8f06 in decode_substream(thread_context*, bool, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e8f06)
    #3 0x7ff23d2aac3f in read_slice_segment_data(thread_context*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1eac3f)
    #4 0x7ff23d1fde6f in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13de6f)
    #5 0x7ff23d1fe673 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13e673)
    #6 0x7ff23d1fd311 in decoder_context::decode_some(bool*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13d311)
    #7 0x7ff23d200345 in decoder_context::decode(int*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x140345)
    #8 0x7ff23d1e63f2 in de265_decode (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1263f2)
    #9 0x564bf4c049a5 in main (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x79a5)
    #10 0x7ff23cb8ed8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #11 0x7ff23cb8ee3f in __libc_start_main_impl ../csu/libc-start.c:392
    #12 0x564bf4c027c4 in _start (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x57c4)

0x6070000007d8 is located 0 bytes to the right of 72-byte region [0x607000000790,0x6070000007d8)
allocated by thread T0 here:
    #0 0x7ff23d50d867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7ff23d2490b4 in MetaDataArray<CTB_info>::alloc(int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1890b4)
    #2 0x7ff23d245381 in de265_image::alloc_image(int, int, de265_chroma, std::shared_ptr<seq_parameter_set const>, bool, decoder_context*, long, void*, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x185381)
    #3 0x7ff23d2279fa in decoded_picture_buffer::new_image(std::shared_ptr<seq_parameter_set const>, decoder_context*, long, void*, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1679fa)
    #4 0x7ff23d206b0d in decoder_context::process_slice_segment_header(slice_segment_header*, de265_error*, long, nal_header*, void*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x146b0d)
    #5 0x7ff23d1fc970 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13c970)
    #6 0x7ff23d1ffbe6 in decoder_context::decode_NAL(NAL_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13fbe6)
    #7 0x7ff23d20024c in decoder_context::decode(int*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x14024c)
    #8 0x7ff23d1e63f2 in de265_decode (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1263f2)
    #9 0x564bf4c049a5 in main (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x79a5)
    #10 0x7ff23cb8ed8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-buffer-overflow (libde265/build/libde265/libde265.so+0x1ec50d) in de265_image::set_SliceAddrRS(int, int, int)
Shadow bytes around the buggy address:
  0x0c0e7fff80a0: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0e7fff80b0: 00 00 00 00 00 fa fa fa fa fa 00 00 00 00 00 00
  0x0c0e7fff80c0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0e7fff80d0: 00 fa fa fa fa fa 00 00 00 00 00 00 00 00 00 fa
  0x0c0e7fff80e0: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa
=>0x0c0e7fff80f0: fa fa 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa
  0x0c0e7fff8100: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa 00 00
  0x0c0e7fff8110: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0e7fff8120: 00 00 00 00 04 fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==732766==ABORTING

POC

653.zip

Impact

Potentially causing DoS and RCE

Credit

Xdchase

@coldtobi

@xidoo123 is there a CVE associated with this report?

@farindk
Contributor

farindk commented Jan 24, 2023

Does not segfault anymore with the recent fixes (current: 5583f98).
Now stops with an assertion:

dec265: ../libde265/image.h:132: DataUnit& MetaDataArray<DataUnit>::get(int, int) [with DataUnit = CTB_info]: Assertion `unitY >= 0 && unitY < height_in_units' failed.

@fancycode
Member

Assertions will not be available in release builds, so this will still trigger the overflow. Even if it did assert, you could cause a service to core dump by uploading such a file, leading to a denial of service.

IMHO would be better to handle this more gracefully.

@farindk
Contributor

farindk commented Jan 25, 2023

Root cause fixed in 2f0430e.

@coldtobi

coldtobi commented Mar 6, 2023

The Debian security tracker thinks this is: CVE-2022-47665
