Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Try to mitigate asan failures. #365

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Try to mitigate asan failures. #365

wants to merge 1 commit into from

Conversation

coldtobi
Copy link

See #345 for my analysis and details…

(This PR is just for discussion.)

(The CVE references are obtained from the Debian security tracker, which links the issues.)

This makes the following POCs stop failing:

Try to mitigate asan failures.
97dd153 
See strukturag#345 for my analysis and details…

(This PR is just for discussion.)

(The CVE references are obtained from the Debian security tracker,
which links the issues.)

This makes the following POCs stop failing:

- poc3 (strukturag#337)
- poc7-1 (strukturag#341) CVE-2022-43239 (note: does NOT fix poc7-2)
- poc8-2, poc8-3, poc8-4 (strukturag#342) CVE-2022-43244   (note: does NOT fix poc8-1)
- poc11-1, poc11-2 (strukturag#345) CVE-2022-43249
- poc12 (strukturag#346)
- poc13 (strukturag#347) CVE-2022-43252
- poc16 (strukturag#350)
@coldtobi coldtobi mentioned this pull request Dec 12, 2022
Closed
coldtobi pushed a commit to coldtobi/libde265 that referenced this pull request Dec 12, 2022
Use the sps from the image
36391cd 
(as e.g mc_chroma is using the sps to determine
picture properties, like pic_width_in_luma_samples
and pic_height_in_luma_samples, I *think* this is
more correct.

This PR is for discussion. (See strukturag#345.)
It makes the failures go away, but that does not mean it's correct :)

The following poc will be stop failing if (only) this
patch is applied:

 - poc2  strukturag#336 - CVE-2022-43238
 - poc4  strukturag#338 - CVE-2022-43241
 - poc6-1, poc6-2 strukturag#340 - CVE-2022-43242
 - poc7-1, poc7-2  strukturag#341 - CVE-2022-43239
 - poc8-1 strukturag#342 - CVE-2022-43244
 - poc9-3 strukturag#343 - CVE-2022-43236
 - poc10-2, poc10-3 strukturag#344 - CVE-2022-43237
 - poc16 strukturag#350
 - poc19 strukturag#353

The following are still failing if only this patch is
applied, but they stop failing if strukturag#365 is applied as well, but will
still fail with ONLY strukturag#365 applied (IOW, both are needed)

 - poc1  strukturag#335 - CVE-2022-43240
 - poc3  strukturag#337 - CVE-2022-43235
 - poc5   strukturag#339 - CVE-2022-43423
 - poc9-1,poc9-2, poc9-4  strukturag#343 - CVE-2022-43236
 - poc14  strukturag#348 - CVE-2022-43253
 - poc15  strukturag#349 - CVE-2022-43248
 - poc17-1, poc17-2  strukturag#351
 - poc18 strukturag#352 - CVE-2022-43245
@coldtobi coldtobi mentioned this pull request Dec 12, 2022
Open
coldtobi pushed a commit to coldtobi/libde265 that referenced this pull request Jan 13, 2023
Don't update sps if they are only repeated
c71d6d9 
This is an attempt to improve the mitigations from strukturag#365 and strukturag#366 and picks up an idea I described at strukturag#345:

> One way would be just to look at the pointers of the SPS (fast and easy, but
> may reject more than required), or investigate if the SPS used for the image
> generations are "compatible".

This changes do exactly this: It (very conservativly) checks if the old and new sps have
identical information -- except the reference picture set, which I believe is supposed
to be updated by new sps'). If they are basically identical, the old sps will be
used instead of the new one, (of course, reference image set is updated from the new one)

I'm using standalone operator== and helper functions to avoid changing ABI of the library;
if an ABI bump would be done, of course this should go to the respective classes.

I've tested the patch with several videos, they still play fine.

@farindk I'd really appreciate to receive your feedback; the reason is that I want
to fix the many open CVE's for the package as it is currently in Debian and other distributions…

--
Cheers,
tobi
coldtobi pushed a commit to coldtobi/libde265 that referenced this pull request Jan 13, 2023
Don't update sps if they are only repeated
51f07f1 
This is an attempt to improve the mitigations from strukturag#365 and strukturag#366 and picks up an idea I described at strukturag#345:

> One way would be just to look at the pointers of the SPS (fast and easy, but
> may reject more than required), or investigate if the SPS used for the image
> generations are "compatible".

This changes do exactly this: It (very conservativly) checks if the old and new sps have
identical information -- except the reference picture set, which I believe is supposed
to be updated by new sps'). If they are basically identical, the old sps will be
used instead of the new one, (of course, reference image set is updated from the new one)

I'm using standalone operator== and helper functions to avoid changing ABI of the library;
if an ABI bump would be done, of course this should go to the respective classes.
@coldtobi coldtobi mentioned this pull request Jan 13, 2023
Open
@coldtobi coldtobi mentioned this pull request Jan 21, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@coldtobi