NULL Pointer Dereference in function ff_hevc_put_hevc_epel_pixels_8_sse at sse-motion.cc:987

Description

NULL Pointer Dereference in function ff_hevc_put_hevc_epel_pixels_8_sse at sse-motion.cc:987
Version

```
git log
commit 1cf2999583ef8a90e11933ed70908e4e2c2d8872 (HEAD -> master, origin/master, origin/HEAD)
```
Steps to reproduce

```sh
git clone https://github.com/strukturag/libde265.git
cd libde265
./autogen.sh
export CFLAGS="-g -O0 -lpthread -fsanitize=address"
export CXXFLAGS="-g -O0 -lpthread -fsanitize=address"
export LDFLAGS="-fsanitize=address"
./configure --disable-shared
make -j
```
```
cd dec265
./dec265 ./poc_segv02.bin
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: CTB outside of image area (concealing stream error...)
WARNING: CTB outside of image area (concealing stream error...)
WARNING: CTB outside of image area (concealing stream error...)
WARNING: CTB outside of image area (concealing stream error...)
WARNING: maximum number of reference pictures exceeded
WARNING: CTB outside of image area (concealing stream error...)
WARNING: maximum number of reference pictures exceeded
WARNING: CTB outside of image area (concealing stream error...)
WARNING: CTB outside of image area (concealing stream error...)
WARNING: non-existing PPS referenced
WARNING: CTB outside of image area (concealing stream error...)
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: CTB outside of image area (concealing stream error...)
AddressSanitizer:DEADLYSIGNAL
=================================================================
==7777==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x561cd0288664 bp 0x000000000008 sp 0x7ffc7e060af0 T0)
==7777==The signal is caused by a READ memory access.
==7777==Hint: address points to the zero page.
    #0 0x561cd0288663 in _mm_loadl_epi64(long long __vector(2) const*) /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:709
    #1 0x561cd0288663 in ff_hevc_put_hevc_epel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, int, int, short*) /home/fuzz/libde265/libde265/x86/sse-motion.cc:987
    #2 0x561cd032c6ab in acceleration_functions::put_hevc_epel(short*, long, void const*, long, int, int, int, int, short*, int) const ../libde265/acceleration.h:296
    #3 0x561cd032c6ab in void mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) /home/fuzz/libde265/libde265/motion.cc:205
    #4 0x561cd0323067 in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) /home/fuzz/libde265/libde265/motion.cc:412
    #5 0x561cd0323edd in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /home/fuzz/libde265/libde265/motion.cc:2141
    #6 0x561cd020f601 in read_coding_unit(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4314
    #7 0x561cd02182e1 in read_coding_quadtree(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4652
    #8 0x561cd02188b6 in read_coding_quadtree(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4638
    #9 0x561cd021a3db in decode_substream(thread_context*, bool, bool) /home/fuzz/libde265/libde265/slice.cc:4741
    #10 0x561cd021d0c2 in read_slice_segment_data(thread_context*) /home/fuzz/libde265/libde265/slice.cc:5054
    #11 0x561cd0126487 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /home/fuzz/libde265/libde265/decctx.cc:852
    #12 0x561cd0129ca0 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /home/fuzz/libde265/libde265/decctx.cc:954
    #13 0x561cd012a934 in decoder_context::decode_some(bool*) /home/fuzz/libde265/libde265/decctx.cc:739
    #14 0x561cd012e1c7 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /home/fuzz/libde265/libde265/decctx.cc:697
    #15 0x561cd012f62c in decoder_context::decode_NAL(NAL_unit*) /home/fuzz/libde265/libde265/decctx.cc:1239
    #16 0x561cd0130df5 in decoder_context::decode(int*) /home/fuzz/libde265/libde265/decctx.cc:1327
    #17 0x561cd00f5f9d in main /home/fuzz/libde265/dec265/dec265.cc:764
    #18 0x7f8428229082 in __libc_start_main ../csu/libc-start.c:308
    #19 0x561cd00fa0dd in _start (/home/fuzz/libde265/dec265/dec265+0x240dd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:709 in _mm_loadl_epi64(long long __vector(2) const*)
==7777==ABORTING
```
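As an added triage example (not code from this issue or from libde265): a Python helper that reads an ASan SEGV report like the one above, classifies a fault in the zero page as a NULL pointer dereference, and attributes the bug to the first frame inside the project tree rather than to the compiler header frame, which is why the bug site is ff_hevc_put_hevc_epel_pixels_8_sse at sse-motion.cc:987 and not _mm_loadl_epi64. The embedded report is a constructed, abbreviated copy of the one above, and the project root path is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: an abbreviated copy of the ASan report from this issue.
SAMPLE_REPORT = """\
==7777==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x561cd0288664 bp 0x000000000008 sp 0x7ffc7e060af0 T0)
==7777==The signal is caused by a READ memory access.
==7777==Hint: address points to the zero page.
    #0 0x561cd0288663 in _mm_loadl_epi64(long long __vector(2) const*) /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:709
    #1 0x561cd0288663 in ff_hevc_put_hevc_epel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, int, int, short*) /home/fuzz/libde265/libde265/x86/sse-motion.cc:987
    #2 0x561cd032c6ab in acceleration_functions::put_hevc_epel(short*, long, void const*, long, int, int, int, int, short*, int) const ../libde265/acceleration.h:296
SUMMARY: AddressSanitizer: SEGV /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:709 in _mm_loadl_epi64(long long __vector(2) const*)
==7777==ABORTING
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\w+) on unknown address 0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"signal is caused by a (READ|WRITE) memory access")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (.+?) (\S+):(\d+)$", re.M)
ZERO_PAGE = 0x1000  # ASan's "address points to the zero page" hint covers this range

@dataclass
class Triage:
    kind: str      # "null-deref-read", "null-deref-write", "segv-read", ...
    address: int   # faulting address
    function: str  # first frame in the project tree, without its signature
    location: str  # file:line of that frame

    def bucket(self) -> str:
        """Dedup key for a fuzzing corpus: same fault class and bug site."""
        return f"{self.kind}@{self.location}"

def triage_asan_report(report: str, project_root: str) -> Optional[Triage]:
    """Return a Triage for an ASan SEGV report, or None if it is not one."""
    m = ERROR_RE.search(report)
    if not m or m.group(1) != "SEGV":
        return None
    addr = int(m.group(2), 16)
    acc = ACCESS_RE.search(report)
    mode = acc.group(1).lower() if acc else "unknown"
    # A fault inside the zero page is a NULL (or NULL+offset) dereference;
    # here the address is 0x8, matching src = 0x8 in the gdb variables view.
    kind = f"null-deref-{mode}" if addr < ZERO_PAGE else f"segv-{mode}"
    # Walk frames innermost-first; skip compiler/libc headers (emmintrin.h) so
    # the bug site is the project's own function, as in this issue's title.
    for func, path, line in FRAME_RE.findall(report):
        if path.startswith(project_root):  # assumed root, e.g. /home/fuzz/libde265
            return Triage(kind, addr, func.split("(")[0], f"{path}:{line}")
    return Triage(kind, addr, "<no project frame>", "<unknown>")
```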
POC

poc_segv02.bin
GDB

```
gdb --args ./dec265 ./poc_segv02.bin
─── Output/messages ───
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: CTB outside of image area (concealing stream error...)
WARNING: CTB outside of image area (concealing stream error...)
WARNING: CTB outside of image area (concealing stream error...)
WARNING: CTB outside of image area (concealing stream error...)
WARNING: maximum number of reference pictures exceeded
WARNING: CTB outside of image area (concealing stream error...)
WARNING: maximum number of reference pictures exceeded
WARNING: CTB outside of image area (concealing stream error...)
WARNING: CTB outside of image area (concealing stream error...)
WARNING: non-existing PPS referenced
WARNING: CTB outside of image area (concealing stream error...)
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: CTB outside of image area (concealing stream error...)

Program received signal SIGSEGV, Segmentation fault.
_mm_loadl_epi64(long long __vector(2) const*) (__P=<optimized out>) at /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:709
709       return _mm_set_epi64 ((__m64)0LL, *(__m64_u *)__P);
─── Assembly ───
0x0000555555706650 _mm_loadl_epi64(long long __vector(2) const*)+84   setle %r10b
0x0000555555706654 _mm_loadl_epi64(long long __vector(2) const*)+88   test %dil,%dil
0x0000555555706657 _mm_loadl_epi64(long long __vector(2) const*)+91   setne %r11b
0x000055555570665b _mm_loadl_epi64(long long __vector(2) const*)+95   test %r11b,%r10b
0x000055555570665e _mm_loadl_epi64(long long __vector(2) const*)+98   jne 0x55555570713a <ff_hevc_put_hevc_epel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, int, int, short*)+4010>
0x0000555555706664 _mm_loadl_epi64(long long __vector(2) const*)+104  movq 0x0(%rbp),%xmm7
0x0000555555706669 _mm_loadl_epi64(long long __vector(2) const*)+109  mov %r12,%r9
0x000055555570666c _mm_loadl_epi64(long long __vector(2) const*)+112  shr $0x3,%r9
0x0000555555706670 _mm_loadl_epi64(long long __vector(2) const*)+116  cmpw $0x0,0x7fff8000(%r9)
0x0000555555706679 _mm_loadl_epi64(long long __vector(2) const*)+125  punpcklbw %xmm6,%xmm7
─── Breakpoints ───
─── Expressions ───
─── History ───
─── Memory ───
─── Registers ───
rax 0x0000000000000001  rbx 0x0000000000000000  rcx 0xffffffffffffffe0  rdx 0x00005555557f0fc0
rsi 0x0000000000000000  rdi 0x0000000000000000  rbp 0x0000000000000008  rsp 0x00007ffffffde7f0
r8  0x0000000000000008  r9  0x0000000000000001  r10 0x0000000000000001  r11 0x0000000000000000
r12 0x00007ffffffe66a0  r13 0x0000000000000000  r14 0x0000000000000008  r15 0x00000aaaaaafe2a1
rip 0x0000555555706664  eflags [ PF ZF IF RF ]
cs 0x00000033  ss 0x0000002b  ds 0x00000000  es 0x00000000  fs 0x00000000  gs 0x00000000
─── Source ───
704 }
705
706 extern __inline __m128i __attribute__((__gnu_inline__, __always_inline__, __artificial__))
707 _mm_loadl_epi64 (__m128i_u const *__P)
708 {
709   return _mm_set_epi64 ((__m64)0LL, *(__m64_u *)__P);
710 }
711
712 extern __inline __m128i __attribute__((__gnu_inline__, __always_inline__, __artificial__))
713 _mm_loadu_si64 (void const *__P)
─── Stack ───
[0] from 0x0000555555706664 in _mm_loadl_epi64(long long __vector(2) const*)+104 at /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:709
[1] from 0x0000555555706664 in ff_hevc_put_hevc_epel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, int, int, short*)+1236 at sse-motion.cc:987
[2] from 0x00005555557aa6ac in acceleration_functions::put_hevc_epel(short*, long, void const*, long, int, int, int, int, short*, int) const+182 at ../libde265/acceleration.h:296
[3] from 0x00005555557aa6ac in mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int)+7260 at motion.cc:205
[4] from 0x00005555557a1068 in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*)+26328 at ../libde265/image.h:301
[5] from 0x00005555557a1ede in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int)+446 at motion.cc:2141
[6] from 0x000055555568d602 in read_coding_unit(thread_context*, int, int, int, int)+8402 at slice.cc:4314
[7] from 0x00005555556962e2 in read_coding_quadtree(thread_context*, int, int, int, int)+2834 at slice.cc:4652
[8] from 0x00005555556968b7 in read_coding_quadtree(thread_context*, int, int, int, int)+4327 at slice.cc:4638
[9] from 0x0000555555697b83 in read_coding_tree_unit(thread_context*)+1587 at slice.cc:2861
[+]
─── Threads ───
[1] id 7781 name dec265 from 0x0000555555706664 in _mm_loadl_epi64(long long __vector(2) const*)+104 at /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:709
─── Variables ───
arg __P = <optimized out>
loc x = 0, y = 0, x1 = <optimized out>, x2 = <optimized out>, src = 0x8 <error: Cannot access memory at address 0x8>: Cannot access memory at address 0x8…
>>>
```
Impact

This vulnerability is capable of crashing software, causing a denial of service via a crafted input file.
052bacb
Thank you.
According to the Debian security tracker, this is CVE-2023-24752