heap-buffer-overflow eva/put/libde265/libde265/motion.cc:1443 in derive_combined_bipredictive_merging_candidates(base_context const*, slice_segment_header const*, PBMotion*, int*, int)
Version
dec265 v1.0.14
-----------------
usage: dec265 [options] videofile.bin
The video file must be a raw bitstream, or a stream with NAL units (option -n).
options:
-q, --quiet do not show decoded image
-t, --threads N set number of worker threads (0 - no threading)
-c, --check-hash perform hash check
-n, --nal input is a stream with 4-byte length prefixed NAL units
-f, --frames N set number of frames to process
-o, --output write YUV reconstruction
-d, --dump dump headers
-0, --noaccel do not use any accelerated code (SSE)
-v, --verbose increase verbosity level (up to 3 times)
-L, --no-logging disable logging
-B, --write-bytestream FILENAME write raw bytestream (from NAL input)
-m, --measure YUV compute PSNRs relative to reference YUV
-T, --highest-TID select highest temporal sublayer to decode
--disable-deblocking disable deblocking filter
--disable-sao disable sample-adaptive offset filter
-h, --help show help
Replay
cd libde265
CC="gcc -fsanitize=address" CXX="g++ -fsanitize=address" ./configure
make -j
# You need to try running poc several times to see the asan result.
./dec265/dec265 ./poc
ASAN
=================================================================
==3684026==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b000000658 at pc 0x5621bef6c512 bp 0x7ffe781d0d70 sp 0x7ffe781d0d60
READ of size 4 at 0x61b000000658 thread T0
#0 0x5621bef6c511 in derive_combined_bipredictive_merging_candidates(base_context const*, slice_segment_header const*, PBMotion*, int*, int) eva/put/libde265/libde265/motion.cc:1443
#1 0x5621bef6d403 in get_merge_candidate_list_without_step_9(base_context*, slice_segment_header const*, MotionVectorAccess const&, de265_image*, int, int, int, int, int, int, int, int, int, PBMotion*) eva/put/libde265/libde265/motion.cc:1564
#2 0x5621bef8da6a in derive_luma_motion_merge_mode(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, int, int, PBMotion*) eva/put/libde265/libde265/motion.cc:1622
#3 0x5621bef8da6a in motion_vectors_and_ref_indices(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int, PBMotion*) eva/put/libde265/libde265/motion.cc:2112
#4 0x5621bef8da6a in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) eva/put/libde265/libde265/motion.cc:2195
#5 0x5621bee53806 in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int) eva/put/libde265/libde265/slice.cc:4145
#6 0x5621bee5d5ff in read_coding_unit(thread_context*, int, int, int, int) eva/put/libde265/libde265/slice.cc:4513
#7 0x5621bee61e7f in read_coding_quadtree(thread_context*, int, int, int, int) eva/put/libde265/libde265/slice.cc:4647
#8 0x5621bee61df6 in read_coding_quadtree(thread_context*, int, int, int, int) eva/put/libde265/libde265/slice.cc:4644
#9 0x5621bee64696 in decode_substream(thread_context*, bool, bool) eva/put/libde265/libde265/slice.cc:4750
#10 0x5621bee6afc9 in read_slice_segment_data(thread_context*) eva/put/libde265/libde265/slice.cc:5063
#11 0x5621bed2d8b4 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) eva/put/libde265/libde265/decctx.cc:854
#12 0x5621bed34e55 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) eva/put/libde265/libde265/decctx.cc:956
#13 0x5621bed387eb in decoder_context::decode_some(bool*) eva/put/libde265/libde265/decctx.cc:741
#14 0x5621bed4a57a in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) eva/put/libde265/libde265/decctx.cc:699
#15 0x5621bed4c645 in decoder_context::decode_NAL(NAL_unit*) eva/put/libde265/libde265/decctx.cc:1241
#16 0x5621bed4d508 in decoder_context::decode(int*) eva/put/libde265/libde265/decctx.cc:1329
#17 0x5621bed0746c in main eva/put/libde265/dec265/dec265.cc:784
#18 0x7f2636829d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#19 0x7f2636829e3f in __libc_start_main_impl ../csu/libc-start.c:392
#20 0x5621bed09ce4 in _start (eva/asan-bin/NestFuzz/libde265/dec265+0x1ece4)
0x61b000000658 is located 80 bytes to the right of 1416-byte region [0x61b000000080,0x61b000000608)
allocated by thread T0 here:
#0 0x7f26370b61e7 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:99
#1 0x5621bed48f17 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) eva/put/libde265/libde265/decctx.cc:635
SUMMARY: AddressSanitizer: heap-buffer-overflow eva/put/libde265/libde265/motion.cc:1443 in derive_combined_bipredictive_merging_candidates(base_context const*, slice_segment_header const*, PBMotion*, int*, int)
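For triaging and deduplicating reports like the one above, it helps to pull out the fields mechanically rather than by eye: error kind, access type and width, the faulting frame, the allocation site, and how far past the heap block the access landed. The following Python parser is an added example for this issue and is not part of libde265 or of the reporter's material; it runs on a trimmed excerpt of the ASan output quoted above and cross-checks ASan's own "80 bytes to the right of 1416-byte region" arithmetic against the region bounds.

```python
"""Parse an AddressSanitizer heap-buffer-overflow report into triage fields.

Added example for this issue (not libde265 code). Runs offline on the
excerpt below, which is copied from the report in the issue, with the
middle of the stack trace cut out to keep it short.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_REPORT = """\
==3684026==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b000000658 at pc 0x5621bef6c512 bp 0x7ffe781d0d70 sp 0x7ffe781d0d60
READ of size 4 at 0x61b000000658 thread T0
    #0 0x5621bef6c511 in derive_combined_bipredictive_merging_candidates(base_context const*, slice_segment_header const*, PBMotion*, int*, int) eva/put/libde265/libde265/motion.cc:1443
    #1 0x5621bef6d403 in get_merge_candidate_list_without_step_9(base_context*, slice_segment_header const*, MotionVectorAccess const&, de265_image*, int, int, int, int, int, int, int, int, int, PBMotion*) eva/put/libde265/libde265/motion.cc:1564
    #20 0x5621bed09ce4 in _start (eva/asan-bin/NestFuzz/libde265/dec265+0x1ece4)
0x61b000000658 is located 80 bytes to the right of 1416-byte region [0x61b000000080,0x61b000000608)
allocated by thread T0 here:
    #0 0x7f26370b61e7 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:99
    #1 0x5621bed48f17 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) eva/put/libde265/libde265/decctx.cc:635
SUMMARY: AddressSanitizer: heap-buffer-overflow eva/put/libde265/libde265/motion.cc:1443 in derive_combined_bipredictive_merging_candidates(base_context const*, slice_segment_header const*, PBMotion*, int*, int)
"""

# A symbolized frame: "#N 0xADDR in FUNC(args) FILE:LINE". Frames without a
# FILE:LINE suffix (such as _start with only a module+offset) are skipped.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.*?)\s+(\S+?):(\d+)\s*$")
HEADER_RE = re.compile(r"ERROR: AddressSanitizer: ([\w-]+) on address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-fA-F]+)")
REGION_RE = re.compile(
    r"(0x[0-9a-fA-F]+) is located (\d+) bytes (to the left of|to the right of|inside of) "
    r"(\d+)-byte region \[(0x[0-9a-fA-F]+),(0x[0-9a-fA-F]+)\)"
)


@dataclass
class Frame:
    index: int
    function: str
    file: str
    line: int


@dataclass
class AsanReport:
    error_kind: str = ""
    access: str = ""
    access_size: int = 0
    address: int = 0
    crash_frames: List[Frame] = field(default_factory=list)
    alloc_frames: List[Frame] = field(default_factory=list)
    region_start: int = 0
    region_end: int = 0
    region_size: int = 0
    offset: int = 0
    where: str = ""

    def top_frame(self) -> Optional[Frame]:
        return self.crash_frames[0] if self.crash_frames else None

    def alloc_site(self) -> Optional[Frame]:
        # First allocation frame inside the program, skipping the sanitizer's own
        # interceptor (operator new in libsanitizer).
        for f in self.alloc_frames:
            if "libsanitizer" not in f.file:
                return f
        return None

    def region_consistent(self) -> bool:
        # Verify ASan's arithmetic: the block is [start, end) and the faulting
        # address must sit `offset` bytes past its end (or before its start).
        if self.region_end - self.region_start != self.region_size:
            return False
        if self.where == "to the right of":
            return self.address - self.region_end == self.offset
        if self.where == "to the left of":
            return self.region_start - self.address == self.offset
        return self.region_start <= self.address < self.region_end


def parse_asan_report(text: str) -> AsanReport:
    rep = AsanReport()
    frames = rep.crash_frames  # frames land here until "allocated by"/"freed by" switches the target
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            rep.error_kind, rep.address = m.group(1), int(m.group(2), 16)
            continue
        m = ACCESS_RE.match(line.strip())
        if m:
            rep.access, rep.access_size = m.group(1), int(m.group(2))
            continue
        if line.startswith(("allocated by", "freed by")):
            frames = rep.alloc_frames
            continue
        m = REGION_RE.search(line)
        if m:
            rep.offset, rep.where, rep.region_size = int(m.group(2)), m.group(3), int(m.group(4))
            rep.region_start, rep.region_end = int(m.group(5), 16), int(m.group(6), 16)
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m.group(1)), m.group(2), m.group(3), int(m.group(4))))
    return rep


def triage_line(rep: AsanReport) -> str:
    """One-line summary suitable as a deduplication key in a fuzzing queue."""
    top, alloc = rep.top_frame(), rep.alloc_site()
    top_s = f"{top.file.rsplit('/', 1)[-1]}:{top.line} {top.function.split('(')[0]}" if top else "?"
    alloc_s = f"{alloc.file.rsplit('/', 1)[-1]}:{alloc.line}" if alloc else "?"
    return (f"{rep.error_kind}: {rep.access} {rep.access_size} bytes, {rep.offset} bytes past the end "
            f"of a {rep.region_size}-byte heap block allocated at {alloc_s}; faulting frame {top_s}")


if __name__ == "__main__":
    report = parse_asan_report(SAMPLE_REPORT)
    print(triage_line(report), "| arithmetic consistent:", report.region_consistent())
```

The summary line pairs the faulting frame with the allocation site, which is what distinguishes two crashes that share a top frame but corrupt different buffers; the consistency check guards against copy-paste damage in reports pasted into a tracker.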
Description
heap-buffer-overflow eva/put/libde265/libde265/motion.cc:1443 in derive_combined_bipredictive_merging_candidates(base_context const*, slice_segment_header const*, PBMotion*, int*, int)
POC
poc
Environment
Credit
Yuchuan Meng (Fudan University)