Headline
CVE-2022-47655: Another stack-buffer-overflow in function void put_qpel_fallback<unsigned short> · Issue #367 · strukturag/libde265
Libde265 1.0.9 is vulnerable to Buffer Overflow in function void put_qpel_fallback<unsigned short>
Description
stack-buffer-overflow (libde265/build/libde265/libde265.so+0x17d304) in void put_qpel_fallback(short*, long, unsigned short const*, long, int, int, short*, int, int, int)
Version info
dec265 v1.0.9
--------------
usage: dec265 [options] videofile.bin
The video file must be a raw bitstream, or a stream with NAL units (option -n).
options:
-q, --quiet do not show decoded image
-t, --threads N set number of worker threads (0 - no threading)
-c, --check-hash perform hash check
-n, --nal input is a stream with 4-byte length prefixed NAL units
-f, --frames N set number of frames to process
-o, --output write YUV reconstruction
-d, --dump dump headers
-0, --noaccel do not use any accelerated code (SSE)
-v, --verbose increase verbosity level (up to 3 times)
-L, --no-logging disable logging
-B, --write-bytestream FILENAME write raw bytestream (from NAL input)
-m, --measure YUV compute PSNRs relative to reference YUV
-T, --highest-TID select highest temporal sublayer to decode
--disable-deblocking disable deblocking filter
--disable-sao disable sample-adaptive offset filter
-h, --help show help
Reproduce
git clone https://github.com/strukturag/libde265.git
cd libde265
mkdir build
cd build
cmake ../ -DCMAKE_CXX_FLAGS="-fsanitize=address"
make -j$(nproc)
./dec265/dec265 poc.bin
ASAN
WARNING: coded parameter out of range
WARNING: maximum number of reference pictures exceeded
WARNING: faulty reference picture list
WARNING: maximum number of reference pictures exceeded
WARNING: faulty reference picture list
WARNING: maximum number of reference pictures exceeded
WARNING: faulty reference picture list
WARNING: non-existing PPS referenced
WARNING: CTB outside of image area (concealing stream error...)
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: maximum number of reference pictures exceeded
WARNING: CTB outside of image area (concealing stream error...)
WARNING: non-existing PPS referenced
=================================================================
==3829==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffea52d35f at pc 0x7f8966bd5305 bp 0x7fffea52ac00 sp 0x7fffea52abf0
READ of size 2 at 0x7fffea52d35f thread T0
#0 0x7f8966bd5304 in void put_qpel_fallback<unsigned short>(short*, long, unsigned short const*, long, int, int, short*, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x17d304)
#1 0x7f8966bd08c2 in put_qpel_1_0_fallback_16(short*, long, unsigned short const*, long, int, int, short*, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1788c2)
#2 0x7f8966c0152e in acceleration_functions::put_hevc_qpel(short*, long, void const*, long, int, int, short*, int, int, int) const (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1a952e)
#3 0x7f8966c02c0f in void mc_luma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1aac0f)
#4 0x7f8966bf3a8b in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x19ba8b)
#5 0x7f8966c00a2e in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1a8a2e)
#6 0x7f8966c3dd2a in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e5d2a)
#7 0x7f8966c3f774 in read_coding_unit(thread_context*, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e7774)
#8 0x7f8966c40762 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e8762)
#9 0x7f8966c405a3 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e85a3)
#10 0x7f8966c405a3 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e85a3)
#11 0x7f8966c405a3 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e85a3)
#12 0x7f8966c37d49 in read_coding_tree_unit(thread_context*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1dfd49)
#13 0x7f8966c40f06 in decode_substream(thread_context*, bool, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e8f06)
#14 0x7f8966c42c3f in read_slice_segment_data(thread_context*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1eac3f)
#15 0x7f8966b95e6f in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13de6f)
#16 0x7f8966b96673 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13e673)
#17 0x7f8966b95311 in decoder_context::decode_some(bool*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13d311)
#18 0x7f8966b9505b in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13d05b)
#19 0x7f8966b97be6 in decoder_context::decode_NAL(NAL_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13fbe6)
#20 0x7f8966b9824c in decoder_context::decode(int*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x14024c)
#21 0x7f8966b7e3f2 in de265_decode (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1263f2)
#22 0x562ac9c989a5 in main (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x79a5)
#23 0x7f8966526d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#24 0x7f8966526e3f in __libc_start_main_impl ../csu/libc-start.c:392
#25 0x562ac9c967c4 in _start (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x57c4)
Address 0x7fffea52d35f is located in stack of thread T0 at offset 9391 in frame
#0 0x7f8966c02203 in void mc_luma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1aa203)
This frame has 2 object(s):
[48, 9136) 'mcbuffer' (line 71)
[9392, 15072) 'padbuf' (line 129) <== Memory access at offset 9391 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x17d304) in void put_qpel_fallback<unsigned short>(short*, long, unsigned short const*, long, int, int, short*, int, int, int)
Shadow bytes around the buggy address:
0x10007d49da10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007d49da20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007d49da30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007d49da40: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2
0x10007d49da50: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
=>0x10007d49da60: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2[f2]00 00 00 00
0x10007d49da70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007d49da80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007d49da90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007d49daa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007d49dab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3829==ABORTING
POC
poc.zip
Impact
Potentially causing DoS and RCE
Credit
Xdchase
Related news
Gentoo Linux Security Advisory 202408-20 - Multiple vulnerabilities have been discovered in libde265, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 1.0.11 are affected.
Debian Linux Security Advisory 5346-1 - Multiple security issues were discovered in libde265, an implementation of the H.265 video codec which may result in denial of service and potentially the execution of arbitrary code if a malformed media file is processed.