
NULL Pointer Dereference in function ff_hevc_put_unweighted_pred_8_sse at sse-motion.cc:132 #381

Closed
JieyongMa opened this issue Jan 29, 2023 · 2 comments

Comments

@JieyongMa

Description

NULL Pointer Dereference in function ff_hevc_put_unweighted_pred_8_sse at sse-motion.cc:132

Version

git log
commit 7ea8e3cbb010bc02fa38419e87ed2281d7933850 (HEAD -> master, origin/master, origin/HEAD)
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Sat Jan 28 15:03:34 2023 +0100

Steps to reproduce

git clone https://github.com/strukturag/libde265.git
cd libde265
./autogen.sh
export CFLAGS="-g -O0 -lpthread -fsanitize=address"
export CXXFLAGS="-g -O0 -lpthread -fsanitize=address"
export LDFLAGS="-fsanitize=address"
./configure --disable-shared
make -j
cd dec265
./dec265 ./poc_segv04.bin
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: CTB outside of image area (concealing stream error...)
WARNING: CTB outside of image area (concealing stream error...)
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3264099==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55555570abcc bp 0x7ffffffe2900 sp 0x7ffffffe2640 T0)
==3264099==The signal is caused by a WRITE memory access.
==3264099==Hint: address points to the zero page.
    #0 0x55555570abcb in _mm_storel_epi64(long long __vector(2)*, long long __vector(2)) /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:733
    #1 0x55555570abcb in ff_hevc_put_unweighted_pred_8_sse(unsigned char*, long, short const*, long, int, int) /home/fuzz/libde265/libde265/x86/sse-motion.cc:132
    #2 0x5555557b9e08 in acceleration_functions::put_unweighted_pred(void*, long, short const*, long, int, int, int) const ../libde265/acceleration.h:260
    #3 0x5555557a2a90 in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) /home/fuzz/libde265/libde265/motion.cc:611
    #4 0x5555557b973e in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /home/fuzz/libde265/libde265/motion.cc:2155
    #5 0x5555556848c0 in read_coding_unit(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4314
    #6 0x555555689e17 in read_coding_quadtree(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4652
    #7 0x555555689940 in read_coding_quadtree(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4635
    #8 0x555555672a97 in read_coding_tree_unit(thread_context*) /home/fuzz/libde265/libde265/slice.cc:2861
    #9 0x55555568af7b in decode_substream(thread_context*, bool, bool) /home/fuzz/libde265/libde265/slice.cc:4741
    #10 0x55555568ea3f in read_slice_segment_data(thread_context*) /home/fuzz/libde265/libde265/slice.cc:5054
    #11 0x55555558c205 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /home/fuzz/libde265/libde265/decctx.cc:852
    #12 0x55555558d6c0 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /home/fuzz/libde265/libde265/decctx.cc:954
    #13 0x55555558a7dc in decoder_context::decode_some(bool*) /home/fuzz/libde265/libde265/decctx.cc:739
    #14 0x555555589efc in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /home/fuzz/libde265/libde265/decctx.cc:697
    #15 0x55555559070e in decoder_context::decode_NAL(NAL_unit*) /home/fuzz/libde265/libde265/decctx.cc:1239
    #16 0x555555592354 in decoder_context::decode(int*) /home/fuzz/libde265/libde265/decctx.cc:1327
    #17 0x55555557cffa in de265_decode /home/fuzz/libde265/libde265/de265.cc:362
    #18 0x555555577b2f in main /home/fuzz/libde265/dec265/dec265.cc:764
    #19 0x7ffff7046082 in __libc_start_main ../csu/libc-start.c:308
    #20 0x5555555712ed in _start (/home/fuzz/libde265/dec265/dec265+0x1d2ed)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:733 in _mm_storel_epi64(long long __vector(2)*, long long __vector(2))
==3264099==ABORTING

POC

poc_segv04.bin

GDB

gdb --args ./dec265 ./poc_segv04.bin

─── Output/messages ───
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: CTB outside of image area (concealing stream error...)
WARNING: CTB outside of image area (concealing stream error...)

Program received signal SIGSEGV, Segmentation fault.
0x000055555570abcc in _mm_storel_epi64(long long __vector(2)*, long long __vector(2)) (__B=..., __P=0x0) at /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:733
733       *(__m64_u *)__P = (__m64) ((__v2di)__B)[0];
─── Assembly ───
 0x000055555570abb6  _mm_storel_epi64(long long __vector(2)*, long long __vector(2))+109 je     0x55555570abc5 <ff_hevc_put_unweighted_pred_8_sse(unsigned char*, long, short const*, long, int, int)+2543>
 0x000055555570abb8  _mm_storel_epi64(long long __vector(2)*, long long __vector(2))+111 mov    $0x8,%esi
 0x000055555570abbd  _mm_storel_epi64(long long __vector(2)*, long long __vector(2))+116 mov    %rdx,%rdi
 0x000055555570abc0  _mm_storel_epi64(long long __vector(2)*, long long __vector(2))+119 callq  0x555555571040 <__asan_report_store_n@plt>
 0x000055555570abc5  _mm_storel_epi64(long long __vector(2)*, long long __vector(2))+124 mov    -0x240(%rbp),%rdx
 0x000055555570abcc  _mm_storel_epi64(long long __vector(2)*, long long __vector(2))+131 mov    %r8,(%rdx)
 0x000055555570abcf  _mm_storel_epi64(long long __vector(2)*, long long __vector(2))+134 nop
     rax 0x000055555581d520        rbx 0x00007ffffffeed40     rcx 0x0000000000000000     rdx 0x0000000000000000     rsi 0x0000000000000007     rdi 0x0000000000000000     rbp 0x00007ffffffe28b0     rsp 0x00007ffffffe25f0
      r8 0x0000000000000000         r9 0x0000000000000000     r10 0x0000000000000020     r11 0x0000000000000020     r12 0x000055555581d520     r13 0x0000000000000010     r14 0x00000fffffffc550     r15 0x00007ffffffe2a80
     rip 0x000055555570abcc     eflags [ PF ZF IF RF ]         cs 0x00000033              ss 0x0000002b              ds 0x00000000              es 0x00000000              fs 0x00000000              gs 0x00000000        
─── Source ───
 728  }
 729  
 730  extern __inline void __attribute__((__gnu_inline__, __always_inline__, __artificial__))
 731  _mm_storel_epi64 (__m128i_u *__P, __m128i __B)
 732  {
 733    *(__m64_u *)__P = (__m64) ((__v2di)__B)[0];
 734  }
 735  
 736  extern __inline void __attribute__((__gnu_inline__, __always_inline__, __artificial__))
 737  _mm_storeu_si64 (void *__P, __m128i __B)
─── Stack ───
[0] from 0x000055555570abcc in _mm_storel_epi64(long long __vector(2)*, long long __vector(2))+131 at /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:733
[1] from 0x000055555570abcc in ff_hevc_put_unweighted_pred_8_sse(unsigned char*, long, short const*, long, int, int)+2550 at sse-motion.cc:132
[2] from 0x00005555557b9e09 in acceleration_functions::put_unweighted_pred(void*, long, short const*, long, int, int, int) const+281 at ../libde265/acceleration.h:260
[3] from 0x00005555557a2a91 in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*)+22773 at motion.cc:611
[4] from 0x00005555557b973f in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int)+496 at motion.cc:2155
[5] from 0x00005555556848c1 in read_coding_unit(thread_context*, int, int, int, int)+2148 at slice.cc:4314
[6] from 0x0000555555689e18 in read_coding_quadtree(thread_context*, int, int, int, int)+3873 at slice.cc:4652
[7] from 0x0000555555689941 in read_coding_quadtree(thread_context*, int, int, int, int)+2634 at slice.cc:4635
[8] from 0x0000555555672a98 in read_coding_tree_unit(thread_context*)+1351 at slice.cc:2861
[9] from 0x000055555568af7c in decode_substream(thread_context*, bool, bool)+4333 at slice.cc:4741
[+]
─── Threads ───
[1] id 3272445 name dec265 from 0x000055555570abcc in _mm_storel_epi64(long long __vector(2)*, long long __vector(2))+131 at /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:733
─── Variables ───
arg __B = {[0] = 0, [1] = 0}, __P = 0x0: Cannot access memory at address 0x0
loc x = 0, y = 0, dst = 0x0: Cannot access memory at address 0x0, r0 = {[0] = 0, [1] = 0}, r1 = {[0] = 0, [1] = 0}, f0 = {[0] = 9007336695791648, [1] = 9007336695791648}
───────────────────────

Impact

This vulnerability is capable of crashing software, causing a denial of service via a crafted input file.

@novomesk

I have the same problem using
heif-convert clusterfuzz-testcase-minimized-kimgio_heif_fuzzer-5139692086755328.heic output.png

Testfile:
segmentation_fault.zip

#0  ff_hevc_put_unweighted_pred_8_sse (_dst=<optimized out>, dststride=0, src=0x7ffffffefe90, srcstride=8, width=8, height=8) at sse-motion.cc:132
#1  0x00007ffff73bc007 in acceleration_functions::put_unweighted_pred (this=this@entry=0x55555557d7f0, _dst=_dst@entry=0x0, dststride=dststride@entry=0, src=src@entry=0x7ffffffefe90, srcstride=srcstride@entry=8, width=width@entry=8, height=8, bit_depth=8) at ../libde265/acceleration.h:260
#2  0x00007ffff73bb73c in generate_inter_prediction_samples (ctx=ctx@entry=0x55555557d740, shdr=shdr@entry=0x555555587b50, img=img@entry=0x5555555880e0, xC=xC@entry=0, yC=yC@entry=0, xB=xB@entry=0, yB=0, nCS=8, nPbW=8, nPbH=8, vi=0x7fffffff7f2c) at motion.cc:611
#3  0x00007ffff73bbf48 in decode_prediction_unit (ctx=0x55555557d740, shdr=0x555555587b50, img=0x5555555880e0, motion=..., xC=xC@entry=0, yC=yC@entry=0, xB=0, yB=0, nCS=8, nPbW=8, nPbH=8, partIdx=0) at motion.cc:2155
#4  0x00007ffff73c9292 in read_coding_unit (tctx=tctx@entry=0x7fffffff82a0, x0=x0@entry=0, y0=y0@entry=0, log2CbSize=log2CbSize@entry=3, ctDepth=ctDepth@entry=3) at slice.cc:4314
#5  0x00007ffff73c9d8e in read_coding_quadtree (tctx=0x7fffffff82a0, x0=0, y0=0, log2CbSize=3, ctDepth=3) at slice.cc:4652
#6  0x00007ffff73c9cd0 in read_coding_quadtree (tctx=0x7fffffff82a0, x0=0, y0=0, log2CbSize=4, ctDepth=<optimized out>) at slice.cc:4635
#7  0x00007ffff73c9cd0 in read_coding_quadtree (tctx=0x7fffffff82a0, x0=0, y0=0, log2CbSize=5, ctDepth=<optimized out>) at slice.cc:4635
#8  0x00007ffff73c9cd0 in read_coding_quadtree (tctx=tctx@entry=0x7fffffff82a0, x0=x0@entry=0, y0=y0@entry=0, log2CbSize=6, ctDepth=ctDepth@entry=0) at slice.cc:4635
#9  0x00007ffff73c9e6d in read_coding_tree_unit (tctx=tctx@entry=0x7fffffff82a0) at slice.cc:2861
#10 0x00007ffff73ca13f in decode_substream (tctx=tctx@entry=0x7fffffff82a0, block_wpp=block_wpp@entry=false, first_independent_substream=first_independent_substream@entry=true) at slice.cc:4741
#11 0x00007ffff73ca531 in read_slice_segment_data (tctx=tctx@entry=0x7fffffff82a0) at slice.cc:5054
#12 0x00007ffff73a9bd4 in decoder_context::decode_slice_unit_sequential (this=this@entry=0x55555557d740, imgunit=imgunit@entry=0x555555599030, sliceunit=sliceunit@entry=0x5555555992e0) at decctx.cc:852
#13 0x00007ffff73aa088 in decoder_context::decode_slice_unit_parallel (this=this@entry=0x55555557d740, imgunit=imgunit@entry=0x555555599030, sliceunit=sliceunit@entry=0x5555555992e0) at decctx.cc:954
#14 0x00007ffff73aa16d in decoder_context::decode_some (this=this@entry=0x55555557d740, did_work=did_work@entry=0x7fffffffcc70) at decctx.cc:739
#15 0x00007ffff73ab358 in decoder_context::read_slice_NAL (this=this@entry=0x55555557d740, reader=..., nal=nal@entry=0x55555557f3c0, nal_hdr=...) at decctx.cc:697
#16 0x00007ffff73ab491 in decoder_context::decode_NAL (this=this@entry=0x55555557d740, nal=0x55555557f3c0) at decctx.cc:1239
#17 0x00007ffff73ab711 in decoder_context::decode (this=0x55555557d740, more=0x7fffffffcd94) at decctx.cc:1327
#18 0x00007ffff73a33da in de265_decode (de265ctx=<optimized out>, more=<optimized out>) at de265.cc:362
#19 0x00007ffff7f6e3bc in libde265_v1_decode_image (decoder_raw=0x55555557b900, out_img=0x7fffffffce50) at plugins/heif_decoder_libde265.cc:325
#20 0x00007ffff7f522ce in heif::HeifContext::decode_image_planar (this=0x5555555780f0, ID=<optimized out>, img=std::shared_ptr<heif::HeifPixelImage> (empty) = {...}, out_colorspace=out_colorspace@entry=heif_colorspace_RGB, options=options@entry=0x55555557c010, alphaImage=false) at heif_context.cc:1190
#21 0x00007ffff7f5338b in heif::HeifContext::decode_image_user (this=<optimized out>, ID=<optimized out>, img=std::shared_ptr<heif::HeifPixelImage> (empty) = {...}, out_colorspace=heif_colorspace_RGB, out_chroma=heif_chroma_interleaved_RGBA, options=0x55555557c010) at heif_context.cc:1095
#22 0x00007ffff7f465db in heif_decode_image (in_handle=0x55555557c2b0, out_img=0x7fffffffd118, colorspace=<optimized out>, chroma=<optimized out>, options=<optimized out>) at heif.cc:950
#23 0x00005555555597ae in main (argc=<optimized out>, argv=<optimized out>) at heif_convert.cc:372

@farindk
Contributor

farindk commented Jan 29, 2023

The current batch of segfaults are all monochrome h265 streams. Motion compensation for monochrome streams was not considered in the implementation of libde265 because there were no test streams. (And I still don't have any valid streams.)
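As an added example that is not libde265's code, the C sketch below reproduces the condition behind both backtraces in this thread and the check a fix needs: a monochrome stream has no chroma planes, so the prediction writer must reject a NULL destination and the caller must skip chroma entirely when chroma_format_idc is 0. The picture type, the function names and the 8x8 sample data are constructed for illustration; the rounding (shift 6, offset 32) is the HEVC 8-bit default weighted sample prediction.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed picture type, not libde265's. A monochrome stream (chroma_format_idc
 * == 0) has only planes[0]; planes[1..2] stay NULL/stride 0, as in the backtraces. */
typedef struct {
    int chroma_format_idc;   /* 0 = monochrome, 1 = 4:2:0, 2 = 4:2:2, 3 = 4:4:4 */
    uint8_t *planes[3];
    ptrdiff_t strides[3];
} picture;

/* Scalar 8-bit unweighted prediction (HEVC: shift = 14 - bitDepth = 6, offset = 32,
 * out = Clip3(0, 255, (in + 32) >> 6)). Returns -1 instead of storing via NULL. */
static int put_unweighted_pred_8(uint8_t *dst, ptrdiff_t dststride,
                                 const int16_t *src, ptrdiff_t srcstride,
                                 int width, int height)
{
    if (dst == NULL || src == NULL || dststride < width)
        return -1;
    for (int y = 0; y < height; y++)
        for (int x = 0; x < width; x++) {
            int v = (src[y * srcstride + x] + 32) >> 6;
            dst[y * dststride + x] = (uint8_t)(v < 0 ? 0 : v > 255 ? 255 : v);
        }
    return 0;
}

/* Writes one block into every plane the stream has (chroma subsampling ignored for
 * brevity); chroma is never touched for monochrome. Returns the planes written. */
static int write_pred_block(picture *pic, const int16_t *src, int width, int height)
{
    int nplanes = (pic->chroma_format_idc == 0) ? 1 : 3, written = 0;
    for (int c = 0; c < nplanes; c++)
        if (put_unweighted_pred_8(pic->planes[c], pic->strides[c],
                                  src, width, width, height) == 0)
            written++;
    return written;
}

/* Constructed self-check: monochrome 8x8, src = 100 << 6 except one sample past the
 * 8-bit range. Returns luma[0]*1000 + luma[1] (expected 100255), or -1 on failure. */
static int demo_monochrome(void)
{
    static uint8_t luma[8 * 8];
    static int16_t src[8 * 8];
    picture pic = { 0, { luma, NULL, NULL }, { 8, 0, 0 } };
    for (int i = 0; i < 64; i++) src[i] = 100 << 6;  /* -> 100 after (v + 32) >> 6 */
    src[1] = 300 << 6;                               /* -> 300, clipped to 255 */
    if (write_pred_block(&pic, src, 8, 8) != 1) return -1;
    return luma[0] * 1000 + luma[1];
}
```

With the original SSE store the NULL chroma plane is written unconditionally; here the same input yields a skipped plane and a short count the caller can act on.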
