Headline
CVE-2023-27102: SEGV: occurred in function decoder_context::process_slice_segment_header at decctx.cc:2007:20 · Issue #393 · strukturag/libde265
Libde265 v1.0.11 was discovered to contain a segmentation violation via the function decoder_context::process_slice_segment_header at decctx.cc.
Description
A SEGV occurred when running the program dec265
NULL Pointer Dereference in function decoder_context::process_slice_segment_header at decctx.cc:2007:20
Version
dec265 v1.0.11
git log
commit fef32a7761993702c699dfbe3699e44374eb44b5 (HEAD -> master, origin/master, origin/HEAD)
Merge: 3aea5a45 c2b60f1c
Author: Dirk Farin <[email protected]>
Date: Thu Feb 9 11:13:24 2023 +0100
Steps to reproduce
git clone https://github.com/strukturag/libde265.git
cd libde265
./autogen.sh
export CFLAGS="-g -O0 -lpthread -fsanitize=address"
export CXXFLAGS="-g -O0 -lpthread -fsanitize=address"
export LDFLAGS="-fsanitize=address"
./configure --disable-shared
make -j
cd dec265
./dec265 SEGV-POC
WARNING: non-existing PPS referenced
WARNING: maximum number of reference pictures exceeded
WARNING: maximum number of reference pictures exceeded
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3838968==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004e2220 bp 0x7ffc6cbf5fd0 sp 0x7ffc6cbf5ac0 T0)
==3838968==The signal is caused by a READ memory access.
==3838968==Hint: address points to the zero page.
#0 0x4e2220 in decoder_context::process_slice_segment_header(slice_segment_header*, de265_error*, long, nal_header*, void*) /home/lzy/fuzz/oss/libde265/libde265/decctx.cc:2007:20
#1 0x4e1012 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /home/lzy/fuzz/oss/libde265/libde265/decctx.cc:649:7
#2 0x4eb7f1 in decoder_context::decode_NAL(NAL_unit*) /home/lzy/fuzz/oss/libde265/libde265/decctx.cc:1240:11
#3 0x4ec6a1 in decoder_context::decode(int*) /home/lzy/fuzz/oss/libde265/libde265/decctx.cc:1328:16
#4 0x4d3645 in de265_decode /home/lzy/fuzz/oss/libde265/libde265/de265.cc:367:15
#5 0x4d0363 in main /home/lzy/fuzz/oss/libde265/dec265/dec265.cc:764:17
#6 0x7efcae0bc082 in __libc_start_main /build/glibc-KZwQYS/glibc-2.31/csu/../csu/libc-start.c:308:16
#7 0x41e5bd in _start (/home/lzy/fuzz/oss/libde265/dec265/dec265+0x41e5bd)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/lzy/fuzz/oss/libde265/libde265/decctx.cc:2007:20 in decoder_context::process_slice_segment_header(slice_segment_header*, de265_error*, long, nal_header*, void*)
==3838968==ABORTING
POC
https://github.com/blu3sh0rk/Fuzzing-crash/blob/main/SEGV.zip
GDB INFO
WARNING: maximum number of reference pictures exceeded
WARNING: CTB outside of image area (concealing stream error...)
WARNING: maximum number of reference pictures exceeded
[ Legend: Modified register | Code | Heap | Stack | String ]
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax : 0x0
$rbx : 0x007fffffff3180 → 0x0061b0000f1494 → 0x0000000000000000
$rcx : 0x6f2
$rdx : 0x637
$rsp : 0x007fffffff30e0 → 0x0000000041b58ab3
$rbp : 0x007fffffff35f0 → 0x007fffffff3970 → 0x007fffffff3b30 → 0x007fffffff3ca0 → 0x007fffffff3cd0 → 0x007fffffffe0c0 → 0x0000000000000000
$rsi : 0x600
$rdi : 0x00621000000718 → 0x0000000000000000
$rip : 0x000000004e2220 → <decoder_context::process_slice_segment_header(slice_segment_header*,+0> mov al, BYTE PTR [rax]
$r8 : 0x00621000000100 → 0x000000006f97b0 → 0x000000004db200 → <decoder_context::~decoder_context()+0> push rbp
$r9 : 0x007ffff43ff800 → 0xbeddbeddddbeddbe
$r10 : 0x24b
$r11 : 0x240
$r12 : 0x0000000041e590 → <_start+0> endbr64
$r13 : 0x007fffffffe1b0 → 0x0000000000000002
$r14 : 0x200
$r15 : 0x0
$eflags: [ZERO carry PARITY adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x33 $ss: 0x2b $ds: 0x00 $es: 0x00 $fs: 0x00 $gs: 0x00
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x007fffffff30e0│+0x0000: 0x0000000041b58ab3 ← $rsp
0x007fffffff30e8│+0x0008: 0x000000006fac63 → "4 32 16 7 agg.tmp 64 16 9 agg.tmp36 96 16 9 agg.tm[...]"
0x007fffffff30f0│+0x0010: 0x000000004e1eb0 → <decoder_context::process_slice_segment_header(slice_segment_header*,+0> push rbp
0x007fffffff30f8│+0x0018: 0x006290000b4418 → 0xbebebe0000000004
0x007fffffff3100│+0x0020: 0x0061b0000f1534 → 0x0000000000000000
0x007fffffff3108│+0x0028: 0x006290000b649c → 0x00000d00000001 → 0x0000000000000000
0x007fffffff3110│+0x0030: 0x0061b0000f14cc → 0x0000000000000002
0x007fffffff3118│+0x0038: 0x006290000b649c → 0x00000d00000001 → 0x0000000000000000
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
0x4e220d <decoder_context::process_slice_segment_header(slice_segment_header*,+0> mov rdi, QWORD PTR [rbx+0x320]
0x4e2214 <decoder_context::process_slice_segment_header(slice_segment_header*,+0> call 0x49f990 <__asan_report_load1>
0x4e2219 <decoder_context::process_slice_segment_header(slice_segment_header*,+0> mov rax, QWORD PTR [rbx+0x320]
→ 0x4e2220 <decoder_context::process_slice_segment_header(slice_segment_header*,+0> mov al, BYTE PTR [rax]
0x4e2222 <decoder_context::process_slice_segment_header(slice_segment_header*,+0> and al, 0x1
0x4e2224 <decoder_context::process_slice_segment_header(slice_segment_header*,+0> movzx eax, al
0x4e2227 <decoder_context::process_slice_segment_header(slice_segment_header*,+0> cmp eax, 0x0
0x4e222a <decoder_context::process_slice_segment_header(slice_segment_header*,+0> jne 0x4e22aa <decoder_context::process_slice_segment_header(slice_segment_header*, de265_error*, long, nal_header*, void*)+1018>
0x4e2230 <decoder_context::process_slice_segment_header(slice_segment_header*,+0> mov ecx, DWORD PTR ds:0x75b760
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:decctx.cc+2007 ────
2002
2003
2004 // get PPS and SPS for this slice
2005
2006 int pps_id = hdr->slice_pic_parameter_set_id;
// pps_id=0x1
→ 2007 if (pps[pps_id]->pps_read==false) {
2008 logerror(LogHeaders, "PPS %d has not been read\n", pps_id);
2009 assert(false); // TODO
2010 }
2011
2012 current_pps = pps[pps_id];
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "dec265", stopped 0x4e2220 in decoder_context::process_slice_segment_header (), reason: SIGSEGV
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x4e2220 → decoder_context::process_slice_segment_header(this=0x621000000100, hdr=0x61b0000f1180, err=0x7fffffff3630, pts=0xa000, nal_hdr=0x7fffffff39e0, user_data=0x2)
[#1] 0x4e1013 → decoder_context::read_slice_NAL(this=0x621000000100, reader=@0x7fffffff39a0, nal=0x606000020d20, nal_hdr=@0x7fffffff39e0)
[#2] 0x4eb7f2 → decoder_context::decode_NAL(this=0x621000000100, nal=0x606000020d20)
[#3] 0x4ec6a2 → decoder_context::decode(this=0x621000000100, more=0x7fffffffde50)
[#4] 0x4d3646 → de265_decode(de265ctx=0x621000000100, more=0x7fffffffde50)
[#5] 0x4d0364 → main(argc=0x2, argv=0x7fffffffe1b8)
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
gef➤
Impact
Due to incorrect access control, a SEGV caused by a READ memory access occurred at line 2007 of the code. This issue can cause a Denial of Service attack.
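The GDB dump above shows the mechanism: rax is 0 when `mov al, BYTE PTR [rax]` executes, so `pps[pps_id]` (pps_id=1) is an empty slot and the `->pps_read` dereference at decctx.cc:2007 reads the zero page. The stream referenced a PPS id that was never decoded (the earlier "non-existing PPS referenced" warnings), and the slice-header path trusts the index without checking the slot. The following is an added, self-contained C++ model of that pattern and of a hardened variant; it is not libde265's code. The `pic_parameter_set` struct, the `slice_status` enum, the `MAX_PPS_SETS` constant and the `decoder_context` methods are constructed for the example, and the test input mirrors the dump (PPS 0 decoded, PPS 1 never seen).

```cpp
// Added illustration (not libde265's code): the crash pattern from
// decctx.cc:2007 reduced to a self-contained model, plus a hardened variant.
#include <array>
#include <cstdio>
#include <memory>

// Constructed stand-in for libde265's pic_parameter_set (the real struct is larger).
struct pic_parameter_set {
    bool pps_read = false;   // set once a PPS NAL carrying this id has been parsed
};

// Error codes are constructed for this example, not libde265's de265_error values.
enum class slice_status { ok, pps_id_out_of_range, pps_not_read };

constexpr int MAX_PPS_SETS = 64;   // H.265 pps_pic_parameter_set_id ranges 0..63

struct decoder_context {
    // Slots stay empty until a PPS NAL with that id is decoded.
    std::array<std::shared_ptr<pic_parameter_set>, MAX_PPS_SETS> pps;

    // Pattern at the crash site: the slice header's pps_id indexes the table and
    // the slot is dereferenced without checking that it was ever filled. With
    // pps[pps_id] empty this reads through a null pointer (rax == 0 in the dump).
    slice_status process_slice_vulnerable(int pps_id) {
        if (pps[pps_id]->pps_read == false) {   // null dereference when slot is empty
            return slice_status::pps_not_read;
        }
        return slice_status::ok;
    }

    // Hardened: range-check the id, then test the slot, then test its contents.
    // Short-circuit evaluation guarantees each check runs only if the previous passed,
    // so a malformed stream is reported as an error instead of crashing the decoder.
    slice_status process_slice_hardened(int pps_id) {
        if (pps_id < 0 || pps_id >= MAX_PPS_SETS) {
            return slice_status::pps_id_out_of_range;
        }
        if (!pps[pps_id] || !pps[pps_id]->pps_read) {
            std::fprintf(stderr, "WARNING: non-existing PPS %d referenced\n", pps_id);
            return slice_status::pps_not_read;
        }
        return slice_status::ok;
    }

    // Models decoding a PPS NAL: fills the slot and marks it as read.
    void read_pps(int pps_id) {
        pps[pps_id] = std::make_shared<pic_parameter_set>();
        pps[pps_id]->pps_read = true;
    }
};

// Builds a context in the state the GDB dump shows: PPS 0 decoded, PPS 1 never seen.
decoder_context make_context_like_poc() {
    decoder_context ctx;
    ctx.read_pps(0);
    return ctx;
}

int main() {
    decoder_context ctx = make_context_like_poc();
    // A slice referencing pps_id=1 (as in the dump) is rejected instead of crashing.
    bool rejected = ctx.process_slice_hardened(1) == slice_status::pps_not_read;
    std::printf("pps_id=1 rejected: %s\n", rejected ? "yes" : "no");
    return rejected ? 0 : 1;
}
```

Only `process_slice_hardened` is exercised for the missing-PPS case; `process_slice_vulnerable` is kept beside it to show the exact shape of the unchecked dereference and is only safe to call for ids whose slot has been filled. The same three-step check (index range, slot present, slot populated) is the shape a fix for this report needs wherever a parameter-set id taken from the bitstream is used as a table index.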
Related news
Ubuntu Security Notice 6677-1 - It was discovered that libde265 could be made to dereference invalid memory. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. It was discovered that libde265 could be made to write out of bounds. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.