NULL Pointer Dereference in function put_weighted_pred_8_fallback at fallback-motion.cc:69
Version
git log
commit 7ea8e3cbb010bc02fa38419e87ed2281d7933850 (HEAD -> master, origin/master, origin/HEAD)
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Sat Jan 28 15:03:34 2023 +0100
Steps to reproduce
git clone https://github.com/strukturag/libde265.git
cd libde265
./autogen.sh
export CFLAGS="-g -O0 -lpthread -fsanitize=address"
export CXXFLAGS="-g -O0 -lpthread -fsanitize=address"
export LDFLAGS="-fsanitize=address"
./configure --disable-shared
make -j
cd dec265
./dec265 ./poc_segv08.bin
WARNING: non-existing PPS referenced
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3596870==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5555555e5c61 bp 0x7ffffffe2930 sp 0x7ffffffe28e0 T0)
==3596870==The signal is caused by a WRITE memory access.
==3596870==Hint: address points to the zero page.
    #0 0x5555555e5c60 in put_weighted_pred_8_fallback(unsigned char*, long, short const*, long, int, int, int, int, int) /home/fuzz/libde265/libde265/fallback-motion.cc:69
    #1 0x5555557ba002 in acceleration_functions::put_weighted_pred(void*, long, short const*, long, int, int, int, int, int, int) const ../libde265/acceleration.h:272
    #2 0x5555557a124f in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) /home/fuzz/libde265/libde265/motion.cc:512
    #3 0x5555557b973e in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /home/fuzz/libde265/libde265/motion.cc:2155
    #4 0x5555556848c0 in read_coding_unit(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4314
    #5 0x555555689e17 in read_coding_quadtree(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4652
    #6 0x555555672a97 in read_coding_tree_unit(thread_context*) /home/fuzz/libde265/libde265/slice.cc:2861
    #7 0x55555568af7b in decode_substream(thread_context*, bool, bool) /home/fuzz/libde265/libde265/slice.cc:4741
    #8 0x55555568ea3f in read_slice_segment_data(thread_context*) /home/fuzz/libde265/libde265/slice.cc:5054
    #9 0x55555558c205 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /home/fuzz/libde265/libde265/decctx.cc:852
    #10 0x55555558d6c0 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /home/fuzz/libde265/libde265/decctx.cc:954
    #11 0x55555558a7dc in decoder_context::decode_some(bool*) /home/fuzz/libde265/libde265/decctx.cc:739
    #12 0x555555589efc in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /home/fuzz/libde265/libde265/decctx.cc:697
    #13 0x55555559070e in decoder_context::decode_NAL(NAL_unit*) /home/fuzz/libde265/libde265/decctx.cc:1239
    #14 0x555555592354 in decoder_context::decode(int*) /home/fuzz/libde265/libde265/decctx.cc:1327
    #15 0x55555557cffa in de265_decode /home/fuzz/libde265/libde265/de265.cc:362
    #16 0x555555577b2f in main /home/fuzz/libde265/dec265/dec265.cc:764
    #17 0x7ffff7046082 in __libc_start_main ../csu/libc-start.c:308
    #18 0x5555555712ed in _start (/home/fuzz/libde265/dec265/dec265+0x1d2ed)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/fuzz/libde265/libde265/fallback-motion.cc:69 in put_weighted_pred_8_fallback(unsigned char*, long, short const*, long, int, int, int, int, int)
==3596870==ABORTING
POC
poc_segv08.bin
GDB
gdb --args ./dec265 ./poc_segv08.bin
─── Output/messages ───
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
WARNING: non-existing PPS referenced

Program received signal SIGSEGV, Segmentation fault.
0x00005555555e5c61 in put_weighted_pred_8_fallback (dst=0x0, dststride=0, src=0x7ffffffe6c90, srcstride=8, width=8, height=8, w=1, o=0, log2WD=6) at fallback-motion.cc:69
69          out[0] = Clip1_8bit(((in[0]*w + rnd)>>log2WD) + o);
─── Assembly ───
0x00005555555e5c51 put_weighted_pred_8_fallback(unsigned char*, long, short const*, long, int, int, int, int, int)+1111 test %cl,%cl
0x00005555555e5c53 put_weighted_pred_8_fallback(unsigned char*, long, short const*, long, int, int, int, int, int)+1113 je 0x5555555e5c5d <put_weighted_pred_8_fallback(unsigned char*, long, short const*, long, int, int, int, int, int)+1123>
0x00005555555e5c55 put_weighted_pred_8_fallback(unsigned char*, long, short const*, long, int, int, int, int, int)+1115 mov %rdx,%rdi
0x00005555555e5c58 put_weighted_pred_8_fallback(unsigned char*, long, short const*, long, int, int, int, int, int)+1118 callq 0x555555570e00 <__asan_report_store1@plt>
0x00005555555e5c5d put_weighted_pred_8_fallback(unsigned char*, long, short const*, long, int, int, int, int, int)+1123 mov -0x8(%rbp),%rdx
0x00005555555e5c61 put_weighted_pred_8_fallback(unsigned char*, long, short const*, long, int, int, int, int, int)+1127 mov %dil,(%rdx)
0x00005555555e5c64 put_weighted_pred_8_fallback(unsigned char*, long, short const*, long, int, int, int, int, int)+1130 addq $0x1,-0x8(%rbp)
0x00005555555e5c69 put_weighted_pred_8_fallback(unsigned char*, long, short const*, long, int, int, int, int, int)+1135 addq $0x2,-0x10(%rbp)
0x00005555555e5c6e put_weighted_pred_8_fallback(unsigned char*, long, short const*, long, int, int, int, int, int)+1140 addl $0x1,-0x18(%rbp)
0x00005555555e5c72 put_weighted_pred_8_fallback(unsigned char*, long, short const*, long, int, int, int, int, int)+1144 jmpq 0x5555555e5a29 <put_weighted_pred_8_fallback(unsigned char*, long, short const*, long, int, int, int, int, int)+559>
─── Breakpoints ───
─── Expressions ───
─── History ───
─── Memory ───
─── Registers ───
rax 0x000055555581d520   rbx 0x00007ffffffeedb0   rcx 0x0000000000000000   rdx 0x0000000000000000
rsi 0x0000000000000000   rdi 0x0000000000000000   rbp 0x00007ffffffe28e0   rsp 0x00007ffffffe2890
r8  0x0000000000000000   r9  0x0000000000000008   r10 0x00005555555e57fa   r11 0x0000000000000000
r12 0x000055555581d520   r13 0x0000000000000010   r14 0x00000fffffffc55e   r15 0x00007ffffffe2af0
rip 0x00005555555e5c61   eflags [ PF ZF IF RF ]
cs 0x00000033   ss 0x0000002b   ds 0x00000000   es 0x00000000   fs 0x00000000   gs 0x00000000
─── Source ───
64   for (int y=0;y<height;y++) {
65     const int16_t* in = &src[y*srcstride];
66     uint8_t* out = &dst[y*dststride];
67
68     for (int x=0;x<width;x++) {
69       out[0] = Clip1_8bit(((in[0]*w + rnd)>>log2WD) + o);
70       out++; in++;
71     }
72   }
73 }
─── Stack ───
[0] from 0x00005555555e5c61 in put_weighted_pred_8_fallback(unsigned char*, long, short const*, long, int, int, int, int, int)+1127 at fallback-motion.cc:69
[1] from 0x00005555557ba003 in acceleration_functions::put_weighted_pred(void*, long, short const*, long, int, int, int, int, int, int) const+295 at ../libde265/acceleration.h:272
[2] from 0x00005555557a1250 in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*)+16564 at motion.cc:512
[3] from 0x00005555557b973f in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int)+496 at motion.cc:2155
[4] from 0x00005555556848c1 in read_coding_unit(thread_context*, int, int, int, int)+2148 at slice.cc:4314
[5] from 0x0000555555689e18 in read_coding_quadtree(thread_context*, int, int, int, int)+3873 at slice.cc:4652
[6] from 0x0000555555672a98 in read_coding_tree_unit(thread_context*)+1351 at slice.cc:2861
[7] from 0x000055555568af7c in decode_substream(thread_context*, bool, bool)+4333 at slice.cc:4741
[8] from 0x000055555568ea40 in read_slice_segment_data(thread_context*)+1762 at slice.cc:5054
[9] from 0x000055555558c206 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*)+3516 at decctx.cc:852
[+]
─── Threads ───
[1] id 3600511 name dec265 from 0x00005555555e5c61 in put_weighted_pred_8_fallback(unsigned char*, long, short const*, long, int, int, int, int, int)+1127 at fallback-motion.cc:69
─── Variables ───
arg dst = 0x0: Cannot access memory at address 0x0, dststride = 0, src = 0x7ffffffe6c90: 0, srcstride = 8, width = 8, height = 8, w = 1, o = 0, log2WD = 6
loc x = 0, in = 0x7ffffffe6c90: 0, out = 0x0: Cannot access memory at address 0x0, y = 0, __PRETTY_FUNCTION__ = "void put_weighted_pred_8_fallback(uint8_t*, ptrdiff_t, const int16_t*, ptrdiff_t, int, int, int, in…, rnd = 32
───────────────────
>>> p out
$1 = (uint8_t *) 0x0
>>>
Impact
This vulnerability is capable of crashing software, causing a denial of service via a crafted input file.
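The Variables panel above shows the write at fallback-motion.cc:69 going through dst=0x0 with dststride=0, directly after the decoder warned about a non-existing PPS, so the prediction ran against an image that never got a sample plane. As an added example (not libde265's code, and not the change in 48eb7da, which this page does not show), the following C rewrites the loop from the Source panel with a precondition check that refuses a missing destination plane, then replays the reported argument set against it and checks the weighted-prediction arithmetic on a constructed 8x8 ramp. All function names are hypothetical; the derivation rnd = 1 << (log2WD - 1) is an assumption that matches rnd = 32 for log2WD = 6 in the report, and the stride >= width requirement is an added restriction, not something the page states.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not libde265 code: the 8-bit weighted-prediction loop from the
 * GDB "Source" panel (fallback-motion.cc:64-73), with an explicit precondition
 * check in front of it. Names below are hypothetical. */

static uint8_t clip1_8bit(int v)
{
    /* Clip1_8bit in the report: clamp to the 8-bit sample range. */
    if (v < 0) return 0;
    if (v > 255) return 255;
    return (uint8_t)v;
}

/* Returns 0 on success, -1 when the arguments cannot be written safely.
 * The report has dst == 0x0 and dststride == 0: the original loop
 * dereferences out[0] unconditionally, which is the SEGV at line 69. */
int put_weighted_pred_8_checked(uint8_t *dst, ptrdiff_t dststride,
                                const int16_t *src, ptrdiff_t srcstride,
                                int width, int height,
                                int w, int o, int log2WD)
{
    if (dst == NULL || src == NULL) return -1;
    if (width <= 0 || height <= 0) return -1;
    if (log2WD < 1 || log2WD > 30) return -1;            /* rnd below must be representable */
    if (dststride < width || srcstride < width) return -1; /* assumed: rows must not overlap */

    const int rnd = 1 << (log2WD - 1);  /* assumed derivation; 32 for log2WD == 6 as in the report */
    for (int y = 0; y < height; y++) {
        const int16_t *in = &src[y * srcstride];
        uint8_t *out = &dst[y * dststride];
        for (int x = 0; x < width; x++) {
            out[0] = clip1_8bit(((in[0] * w + rnd) >> log2WD) + o);
            out++; in++;
        }
    }
    return 0;
}

/* Apply the formula to a single sample; returns the clipped output, or -1 if rejected. */
int weighted_pred_sample(int16_t in_value, int w, int o, int log2WD)
{
    uint8_t out = 0;
    int16_t in = in_value;
    if (put_weighted_pred_8_checked(&out, 1, &in, 1, 1, 1, w, o, log2WD) != 0)
        return -1;
    return out;
}

/* Replay the argument set from the crash report (dst=0x0, dststride=0, srcstride=8,
 * width=8, height=8, w=1, o=0, log2WD=6). Returns 1 when the call is rejected
 * instead of writing through NULL. */
int reported_call_is_rejected(void)
{
    int16_t src[8 * 8] = {0};   /* constructed; the report shows src pointing at zeros */
    return put_weighted_pred_8_checked(NULL, 0, src, 8, 8, 8, 1, 0, 6) == -1;
}

/* Same parameters with a real 8x8 destination plane and a constructed source ramp
 * (0, 64, 128, ...). Returns the sample written at x=3, y=2 so the arithmetic can
 * be checked by hand: in = 19*64 = 1216, (1216 + 32) >> 6 = 19. */
int reported_call_with_plane(void)
{
    int16_t src[8 * 8];
    uint8_t dst[8 * 8];
    for (int i = 0; i < 64; i++) src[i] = (int16_t)(i * 64);
    if (put_weighted_pred_8_checked(dst, 8, src, 8, 8, 8, 1, 0, 6) != 0) return -1;
    return dst[2 * 8 + 3];
}

int main(void)
{
    printf("reported call rejected: %d\n", reported_call_is_rejected());
    printf("sample 100 -> %d\n", weighted_pred_sample(100, 1, 0, 6));
    printf("sample 20000 -> %d (clipped)\n", weighted_pred_sample(20000, 1, 0, 6));
    printf("dst[2][3] with plane: %d\n", reported_call_with_plane());
    return 0;
}
```

The check belongs at whichever boundary owns the image: in the reported trace the missing plane is a consequence of the earlier "non-existing PPS referenced" condition, so rejecting the slice when its PPS lookup fails would stop the decoder long before the pixel loop is reached, and the guard in the loop is only the last line of defence.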
Fixed in 48eb7da
According to the Debian security tracker, this is CVE-2023-24755