CVE-2021-36408: Heap-use-after-free in intrapred.h when decoding file · Issue #299 · strukturag/libde265
An issue was discovered in libde265 v1.0.8. There is a heap-use-after-free in intrapred.h when decoding a file using dec265.
Hello,
A heap-use-after-free occurred when running the program dec265.
System info:
Ubuntu 20.04.1: clang 10.0.0, gcc 9.3.0
Dec265 v1.0.8
poc.zip
Verification steps:
1. Get the source code of libde265
2. Compile:
cd libde265
mkdir build && cd build
cmake ../ -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_CXX_FLAGS="-fsanitize=address"
make -j 32
3. Run dec265
ASan report:
=================================================================
==1538158==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000007e04 at pc 0x7efe5f2b9526 bp 0x7ffceaaa13c0 sp 0x7ffceaaa13b0
READ of size 4 at 0x625000007e04 thread T0
#0 0x7efe5f2b9525 in intra_border_computer<unsigned char>::fill_from_image() /home/dh/sda3/libde265-master/libde265-master/libde265/intrapred.h:552
#1 0x7efe5f2ba6e9 in void fill_border_samples<unsigned char>(de265_image*, int, int, int, int, unsigned char*) /home/dh/sda3/libde265-master/libde265-master/libde265/intrapred.cc:260
#2 0x7efe5f2ba6e9 in void decode_intra_prediction_internal<unsigned char>(de265_image*, int, int, IntraPredMode, unsigned char*, int, int, int) /home/dh/sda3/libde265-master/libde265-master/libde265/intrapred.cc:284
#3 0x7efe5f2a5383 in decode_intra_prediction(de265_image*, int, int, IntraPredMode, int, int) /home/dh/sda3/libde265-master/libde265-master/libde265/intrapred.cc:335
#4 0x7efe5f31dc52 in decode_TU /home/dh/sda3/libde265-master/libde265-master/libde265/slice.cc:3453
#5 0x7efe5f342e76 in read_transform_unit(thread_context*, int, int, int, int, int, int, int, int, int, int, int, int) /home/dh/sda3/libde265-master/libde265-master/libde265/slice.cc:3665
#6 0x7efe5f347191 in read_transform_tree(thread_context*, int, int, int, int, int, int, int, int, int, int, int, PredMode, unsigned char, unsigned char) /home/dh/sda3/libde265-master/libde265-master/libde265/slice.cc:3942
#7 0x7efe5f34e119 in read_coding_unit(thread_context*, int, int, int, int) /home/dh/sda3/libde265-master/libde265-master/libde265/slice.cc:4575
#8 0x7efe5f3548f2 in read_coding_quadtree(thread_context*, int, int, int, int) /home/dh/sda3/libde265-master/libde265-master/libde265/slice.cc:4652
#9 0x7efe5f354357 in read_coding_quadtree(thread_context*, int, int, int, int) /home/dh/sda3/libde265-master/libde265-master/libde265/slice.cc:4635
#10 0x7efe5f356564 in decode_substream(thread_context*, bool, bool) /home/dh/sda3/libde265-master/libde265-master/libde265/slice.cc:4741
#11 0x7efe5f358ddb in read_slice_segment_data(thread_context*) /home/dh/sda3/libde265-master/libde265-master/libde265/slice.cc:5054
#12 0x7efe5f23dd75 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /home/dh/sda3/libde265-master/libde265-master/libde265/decctx.cc:843
#13 0x7efe5f240c0f in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /home/dh/sda3/libde265-master/libde265-master/libde265/decctx.cc:945
#14 0x7efe5f241715 in decoder_context::decode_some(bool*) /home/dh/sda3/libde265-master/libde265-master/libde265/decctx.cc:730
#15 0x7efe5f24695e in decoder_context::decode(int*) /home/dh/sda3/libde265-master/libde265-master/libde265/decctx.cc:1329
#16 0x55990c1348fd in main /home/dh/sda3/libde265-master/libde265-master/dec265/dec265.cc:764
#17 0x7efe5ed950b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#18 0x55990c13776d in _start (/home/dh/sda3/libde265-master/libde265-master/dec265+0xa76d)
0x625000007e04 is located 1284 bytes inside of 8600-byte region [0x625000007900,0x625000009a98)
freed by thread T0 here:
#0 0x7efe5f6408df in operator delete(void*) (/lib/x86_64-linux-gnu/libasan.so.5+0x1108df)
#1 0x7efe5f24b576 in std::_Sp_counted_ptr_inplace<pic_parameter_set, std::allocator<pic_parameter_set>, (__gnu_cxx::_Lock_policy)2>::_M_destroy() /usr/include/c++/9/ext/new_allocator.h:128
#2 0x7efe5f4d996f (/home/dh/sda3/libde265-master/libde265-master/build/libde265/liblibde265.so+0x37d96f)
previously allocated by thread T0 here:
#0 0x7efe5f63f947 in operator new(unsigned long) (/lib/x86_64-linux-gnu/libasan.so.5+0x10f947)
#1 0x7efe5f22cf3f in std::shared_ptr<pic_parameter_set> std::make_shared<pic_parameter_set>() /usr/include/c++/9/ext/new_allocator.h:114
#2 0x7efe5f22cf3f in decoder_context::read_pps_NAL(bitreader&) /home/dh/sda3/libde265-master/libde265-master/libde265/decctx.cc:572
#3 0x7efe5b1ff7ff (<unknown module>)
#4 0x614fffffffff (<unknown module>)
SUMMARY: AddressSanitizer: heap-use-after-free /home/dh/sda3/libde265-master/libde265-master/libde265/intrapred.h:552 in intra_border_computer<unsigned char>::fill_from_image()
Shadow bytes around the buggy address:
==1538158==ABORTING
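The trace above says the freed object is a `pic_parameter_set` created by `make_shared` in `read_pps_NAL`, destroyed through its `shared_ptr` control block, and read again during intra prediction. The following is an added illustration of that bug class, not libde265's code and not a claim about its root cause: a consumer caches a raw pointer to a `shared_ptr`-owned parameter set, the owning table replaces the entry, and the pointer dangles; the hardened form shares ownership instead. All names (`Pps`, `PpsTable`, `PictureRaw`, `PictureShared`) are hypothetical.

```cpp
// Added example (not libde265 code): reduced model of a shared_ptr-owned parameter
// set being replaced while a consumer still refers to the old object.
// Hypothetical names throughout.
#include <array>
#include <cassert>
#include <memory>

struct Pps { int id; int log2_min_cb_size; };

// Parameter-set table indexed by id. Re-sending a PPS with the same id replaces
// the slot, which drops the table's (possibly last) reference to the old object.
struct PpsTable {
  std::array<std::shared_ptr<Pps>, 64> slots;
  void read_pps_nal(int id, int cb) { slots[id] = std::make_shared<Pps>(Pps{id, cb}); }
};

// Weak form: the picture caches a raw pointer; nothing keeps the PPS alive.
struct PictureRaw { const Pps* pps = nullptr; };

// Hardened form: the picture co-owns the PPS it was decoded with, so a later
// replacement in the table cannot free it underneath the decoder.
struct PictureShared { std::shared_ptr<const Pps> pps; };

// Liveness is observed through a weak_ptr so the model never dereferences a
// dangling pointer (which would be undefined behaviour, not a test).
bool raw_pointer_survives_replacement() {
  PpsTable table;
  table.read_pps_nal(0, 3);
  PictureRaw pic{table.slots[0].get()};
  std::weak_ptr<Pps> watch = table.slots[0];
  table.read_pps_nal(0, 4);          // same id re-sent: old PPS is destroyed
  (void)pic;                         // pic.pps now points at freed memory
  return !watch.expired();           // false
}

bool shared_pointer_survives_replacement() {
  PpsTable table;
  table.read_pps_nal(0, 3);
  PictureShared pic{table.slots[0]};
  std::weak_ptr<const Pps> watch = pic.pps;
  table.read_pps_nal(0, 4);          // table moves on, picture keeps its PPS
  return !watch.expired() && pic.pps->log2_min_cb_size == 3;  // true
}

int main() {
  assert(!raw_pointer_survives_replacement());
  assert(shared_pointer_survives_replacement());
  return 0;
}
```

Built with `-fsanitize=address`, dereferencing `pic.pps` in the weak form after the replacement produces a heap-use-after-free report of the same shape as the one above.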