
SEGV: occurred in function decoder_context::process_slice_segment_header at decctx.cc:2007:20 #393

Closed

@blu3sh0rk

Description

A SEGV occurred when running the program dec265:
NULL pointer dereference in function decoder_context::process_slice_segment_header at decctx.cc:2007:20

Version

dec265  v1.0.11

git log
commit fef32a7761993702c699dfbe3699e44374eb44b5 (HEAD -> master, origin/master, origin/HEAD)
Merge: 3aea5a45 c2b60f1c
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Thu Feb 9 11:13:24 2023 +0100

Steps to reproduce

git clone https://github.com/strukturag/libde265.git
cd libde265
./autogen.sh
export CFLAGS="-g -O0 -lpthread -fsanitize=address"
export CXXFLAGS="-g -O0 -lpthread -fsanitize=address"
export LDFLAGS="-fsanitize=address"
./configure --disable-shared
make -j
cd dec265
./dec265 SEGV-POC
WARNING: non-existing PPS referenced
WARNING: maximum number of reference pictures exceeded
WARNING: maximum number of reference pictures exceeded
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3838968==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004e2220 bp 0x7ffc6cbf5fd0 sp 0x7ffc6cbf5ac0 T0)
==3838968==The signal is caused by a READ memory access.
==3838968==Hint: address points to the zero page.
    #0 0x4e2220 in decoder_context::process_slice_segment_header(slice_segment_header*, de265_error*, long, nal_header*, void*) /home/lzy/fuzz/oss/libde265/libde265/decctx.cc:2007:20
    #1 0x4e1012 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /home/lzy/fuzz/oss/libde265/libde265/decctx.cc:649:7
    #2 0x4eb7f1 in decoder_context::decode_NAL(NAL_unit*) /home/lzy/fuzz/oss/libde265/libde265/decctx.cc:1240:11
    #3 0x4ec6a1 in decoder_context::decode(int*) /home/lzy/fuzz/oss/libde265/libde265/decctx.cc:1328:16
    #4 0x4d3645 in de265_decode /home/lzy/fuzz/oss/libde265/libde265/de265.cc:367:15
    #5 0x4d0363 in main /home/lzy/fuzz/oss/libde265/dec265/dec265.cc:764:17
    #6 0x7efcae0bc082 in __libc_start_main /build/glibc-KZwQYS/glibc-2.31/csu/../csu/libc-start.c:308:16
    #7 0x41e5bd in _start (/home/lzy/fuzz/oss/libde265/dec265/dec265+0x41e5bd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/lzy/fuzz/oss/libde265/libde265/decctx.cc:2007:20 in decoder_context::process_slice_segment_header(slice_segment_header*, de265_error*, long, nal_header*, void*)
==3838968==ABORTING

POC

https://github.com/blu3sh0rk/Fuzzing-crash/blob/main/SEGV.zip

GDB INFO

WARNING: maximum number of reference pictures exceeded
WARNING: CTB outside of image area (concealing stream error...)
WARNING: maximum number of reference pictures exceeded
[ Legend: Modified register | Code | Heap | Stack | String ]
──────────────────────────────── registers ────
$rax   : 0x0               
$rbx   : 0x007fffffff3180  →  0x0061b0000f1494  →  0x0000000000000000
$rcx   : 0x6f2             
$rdx   : 0x637             
$rsp   : 0x007fffffff30e0  →  0x0000000041b58ab3
$rbp   : 0x007fffffff35f0  →  0x007fffffff3970  →  0x007fffffff3b30  →  0x007fffffff3ca0  →  0x007fffffff3cd0  →  0x007fffffffe0c0  →  0x0000000000000000
$rsi   : 0x600             
$rdi   : 0x00621000000718  →  0x0000000000000000
$rip   : 0x000000004e2220  →  <decoder_context::process_slice_segment_header(slice_segment_header*,+0> mov al, BYTE PTR [rax]
$r8    : 0x00621000000100  →  0x000000006f97b0  →  0x000000004db200  →  <decoder_context::~decoder_context()+0> push rbp
$r9    : 0x007ffff43ff800  →  0xbeddbeddddbeddbe
$r10   : 0x24b             
$r11   : 0x240             
$r12   : 0x0000000041e590  →  <_start+0> endbr64 
$r13   : 0x007fffffffe1b0  →  0x0000000000000002
$r14   : 0x200             
$r15   : 0x0               
$eflags: [ZERO carry PARITY adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x33 $ss: 0x2b $ds: 0x00 $es: 0x00 $fs: 0x00 $gs: 0x00 
──────────────────────────────── stack ────
0x007fffffff30e0│+0x0000: 0x0000000041b58ab3     ← $rsp
0x007fffffff30e8│+0x0008: 0x000000006fac63  →  "4 32 16 7 agg.tmp 64 16 9 agg.tmp36 96 16 9 agg.tm[...]"
0x007fffffff30f0│+0x0010: 0x000000004e1eb0  →  <decoder_context::process_slice_segment_header(slice_segment_header*,+0> push rbp
0x007fffffff30f8│+0x0018: 0x006290000b4418  →  0xbebebe0000000004
0x007fffffff3100│+0x0020: 0x0061b0000f1534  →  0x0000000000000000
0x007fffffff3108│+0x0028: 0x006290000b649c  →  0x00000d00000001  →  0x0000000000000000
0x007fffffff3110│+0x0030: 0x0061b0000f14cc  →  0x0000000000000002
0x007fffffff3118│+0x0038: 0x006290000b649c  →  0x00000d00000001  →  0x0000000000000000
──────────────────────────────── code:x86:64 ────
     0x4e220d <decoder_context::process_slice_segment_header(slice_segment_header*,+0> mov    rdi, QWORD PTR [rbx+0x320]
     0x4e2214 <decoder_context::process_slice_segment_header(slice_segment_header*,+0> call   0x49f990 <__asan_report_load1>
     0x4e2219 <decoder_context::process_slice_segment_header(slice_segment_header*,+0> mov    rax, QWORD PTR [rbx+0x320]
 →   0x4e2220 <decoder_context::process_slice_segment_header(slice_segment_header*,+0> mov    al, BYTE PTR [rax]
     0x4e2222 <decoder_context::process_slice_segment_header(slice_segment_header*,+0> and    al, 0x1
     0x4e2224 <decoder_context::process_slice_segment_header(slice_segment_header*,+0> movzx  eax, al
     0x4e2227 <decoder_context::process_slice_segment_header(slice_segment_header*,+0> cmp    eax, 0x0
     0x4e222a <decoder_context::process_slice_segment_header(slice_segment_header*,+0> jne    0x4e22aa <decoder_context::process_slice_segment_header(slice_segment_header*,  de265_error*,  long,  nal_header*,  void*)+1018>
     0x4e2230 <decoder_context::process_slice_segment_header(slice_segment_header*,+0> mov    ecx, DWORD PTR ds:0x75b760
──────────────────────────────── source:decctx.cc+2007 ────
   2002  
   2003  
   2004    // get PPS and SPS for this slice
   2005  
   2006    int pps_id = hdr->slice_pic_parameter_set_id;
           // pps_id=0x1
 → 2007    if (pps[pps_id]->pps_read==false) {
   2008      logerror(LogHeaders, "PPS %d has not been read\n", pps_id);
   2009      assert(false); // TODO
   2010    }
   2011  
   2012    current_pps = pps[pps_id];
──────────────────────────────── threads ────
[#0] Id 1, Name: "dec265", stopped 0x4e2220 in decoder_context::process_slice_segment_header (), reason: SIGSEGV
──────────────────────────────── trace ────
[#0] 0x4e2220 → decoder_context::process_slice_segment_header(this=0x621000000100, hdr=0x61b0000f1180, err=0x7fffffff3630, pts=0xa000, nal_hdr=0x7fffffff39e0, user_data=0x2)
[#1] 0x4e1013 → decoder_context::read_slice_NAL(this=0x621000000100, reader=@0x7fffffff39a0, nal=0x606000020d20, nal_hdr=@0x7fffffff39e0)
[#2] 0x4eb7f2 → decoder_context::decode_NAL(this=0x621000000100, nal=0x606000020d20)
[#3] 0x4ec6a2 → decoder_context::decode(this=0x621000000100, more=0x7fffffffde50)
[#4] 0x4d3646 → de265_decode(de265ctx=0x621000000100, more=0x7fffffffde50)
[#5] 0x4d0364 → main(argc=0x2, argv=0x7fffffffe1b8)
────────────────────────────────
gef➤  

Impact

Due to incorrect access control, a SEGV caused by a READ memory access occurred at line 2007 of the code. This issue can cause a Denial of Service attack.
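The crash site in the GDB source view reads `pps[pps_id]->pps_read`, where `pps` is a table of pointers to parameter sets indexed by the `slice_pic_parameter_set_id` taken from the slice header. The stream references PPS id 1, no PPS with that id was ever decoded (hence the earlier "non-existing PPS referenced" warnings), so the slot holds a null pointer and `->pps_read` reads from the zero page. The following is an added example, not libde265 code: it models that lookup with constructed stand-in types and shows the unchecked pattern next to a hardened version that validates the id range and the pointer before touching the flag. The table size, struct layout and function names are assumptions made for the illustration; only `pps_read` and `slice_pic_parameter_set_id` are taken from the trace above.

```cpp
// Added example modelling the PPS lookup at decctx.cc:2007 (not libde265 code).
#include <array>
#include <cstdio>
#include <memory>

// Assumed table size for this example; the real decoder's limit may differ.
constexpr int MAX_PPS_SETS = 64;

// Constructed stand-in for the decoder's picture parameter set.
struct pic_parameter_set {
  bool pps_read = false;   // set once a PPS NAL with this id has been parsed
  int  pps_id   = -1;
};

// Constructed stand-in for the slice header; only the field used here.
struct slice_segment_header {
  int slice_pic_parameter_set_id = 0;
};

enum lookup_result { PPS_OK, PPS_ID_OUT_OF_RANGE, PPS_MISSING, PPS_NOT_READ };

// Minimal decoder-context model: a table of shared_ptr slots, empty until a
// PPS NAL with the matching id has been decoded.
struct decoder_context_model {
  std::array<std::shared_ptr<pic_parameter_set>, MAX_PPS_SETS> pps{};
  std::shared_ptr<pic_parameter_set> current_pps;

  // Called when a PPS NAL is decoded: populate the slot and mark it read.
  void read_pps_nal(int id) {
    if (id < 0 || id >= MAX_PPS_SETS) return;
    auto p = std::make_shared<pic_parameter_set>();
    p->pps_id = id;
    p->pps_read = true;
    pps[id] = p;
  }

  // Unchecked pattern, as at decctx.cc:2007: dereferences the slot without
  // confirming a PPS was ever stored there. If the slice references an id
  // that was never decoded, pps[pps_id] is null and this reads address 0.
  bool lookup_unchecked(const slice_segment_header* hdr) {
    int pps_id = hdr->slice_pic_parameter_set_id;
    if (pps[pps_id]->pps_read == false) {   // null deref when the slot is empty
      return false;
    }
    current_pps = pps[pps_id];
    return true;
  }

  // Hardened lookup: validate the id range, then the pointer, then the flag,
  // and return an error code instead of dereferencing a null shared_ptr.
  lookup_result lookup_checked(const slice_segment_header* hdr) {
    int pps_id = hdr->slice_pic_parameter_set_id;
    if (pps_id < 0 || pps_id >= MAX_PPS_SETS) return PPS_ID_OUT_OF_RANGE;
    const auto& slot = pps[pps_id];
    if (!slot) return PPS_MISSING;          // never populated: the crash case
    if (!slot->pps_read) return PPS_NOT_READ;
    current_pps = slot;
    return PPS_OK;
  }
};

// Decode one PPS with id `decoded_id`, then process a slice that references
// `referenced_id`, using the hardened lookup. With (0, 1) this reproduces the
// shape of the fuzzer-found stream: pps_id=0x1 referenced, never decoded.
lookup_result simulate(int decoded_id, int referenced_id) {
  decoder_context_model ctx;
  ctx.read_pps_nal(decoded_id);
  slice_segment_header hdr;
  hdr.slice_pic_parameter_set_id = referenced_id;
  // ctx.lookup_unchecked(&hdr) would crash for (0, 1); the checked path does not.
  return ctx.lookup_checked(&hdr);
}

int main() {
  std::printf("decoded 0, slice references 1 -> %d (PPS_MISSING=%d)\n",
              (int)simulate(0, 1), (int)PPS_MISSING);
  std::printf("decoded 1, slice references 1 -> %d (PPS_OK=%d)\n",
              (int)simulate(1, 1), (int)PPS_OK);
  std::printf("slice references 999          -> %d (PPS_ID_OUT_OF_RANGE=%d)\n",
              (int)simulate(0, 999), (int)PPS_ID_OUT_OF_RANGE);
  return 0;
}
```

The fix shape is the ordering: range check, null check, flag check, each returning an error the caller can turn into a decode error or warning rather than an `assert(false)`. Whether libde265 already rejects an undecoded PPS at slice-header parse time (the "non-existing PPS referenced" warnings suggest an earlier check exists somewhere) is not visible on this page; the crash shows that, for this input, the reference still reached line 2007 with an empty slot.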
