Headline
CVE-2023-25221: heap-buffer-overflow in function derive_spatial_luma_vector_prediction at motion.cc:1894 · Issue #388 · strukturag/libde265
Libde265 v1.0.10 was discovered to contain a heap-buffer-overflow vulnerability in the derive_spatial_luma_vector_prediction function in motion.cc.
Description
heap-buffer-overflow in function derive_spatial_luma_vector_prediction at motion.cc:1894
Version
git log
commit bfb6de155f9fb015d2904cb4ef07809f17995276 (HEAD -> master, origin/master, origin/HEAD)
Author: Dirk Farin <[email protected]>
Date: Sun Jan 29 12:20:48 2023 +0100
Steps to reproduce
git clone https://github.com/strukturag/libde265.git
cd libde265
./autogen.sh
export CFLAGS="-g -O0 -lpthread -fsanitize=address"
export CXXFLAGS="-g -O0 -lpthread -fsanitize=address"
export LDFLAGS="-fsanitize=address"
./configure --disable-shared
make -j
cd dec265
./dec265 ./poc_hbo01.bin
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: CTB outside of image area (concealing stream error...)
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: CTB outside of image area (concealing stream error...)
WARNING: CTB outside of image area (concealing stream error...)
WARNING: maximum number of reference pictures exceeded
WARNING: CTB outside of image area (concealing stream error...)
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: Too many warnings queued
=================================================================
==3163634==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00000ae1c at pc 0x5555557b561f bp 0x7ffffffee780 sp 0x7ffffffee770
READ of size 1 at 0x61b00000ae1c thread T0
#0 0x5555557b561e in derive_spatial_luma_vector_prediction(base_context*, de265_image*, slice_segment_header const*, int, int, int, int, int, int, int, int, int, int, unsigned char*, MotionVector*) /home/fuzz/libde265/libde265/motion.cc:1894
#1 0x5555557b708b in fill_luma_motion_vector_predictors(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, int, int, int, MotionVector*) /home/fuzz/libde265/libde265/motion.cc:1960
#2 0x5555557b82d3 in luma_motion_vector_prediction(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int, int, int) /home/fuzz/libde265/libde265/motion.cc:2033
#3 0x5555557b92d3 in motion_vectors_and_ref_indices(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int, PBMotion*) /home/fuzz/libde265/libde265/motion.cc:2119
#4 0x5555557b982d in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /home/fuzz/libde265/libde265/motion.cc:2157
#5 0x555555683316 in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4136
#6 0x5555556878c1 in read_coding_unit(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4497
#7 0x555555689e17 in read_coding_quadtree(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4652
#8 0x555555672a97 in read_coding_tree_unit(thread_context*) /home/fuzz/libde265/libde265/slice.cc:2861
#9 0x55555568af7b in decode_substream(thread_context*, bool, bool) /home/fuzz/libde265/libde265/slice.cc:4741
#10 0x55555568ea3f in read_slice_segment_data(thread_context*) /home/fuzz/libde265/libde265/slice.cc:5054
#11 0x55555558c205 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /home/fuzz/libde265/libde265/decctx.cc:852
#12 0x55555558d6c0 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /home/fuzz/libde265/libde265/decctx.cc:954
#13 0x55555558a7dc in decoder_context::decode_some(bool*) /home/fuzz/libde265/libde265/decctx.cc:739
#14 0x555555589efc in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /home/fuzz/libde265/libde265/decctx.cc:697
#15 0x55555559070e in decoder_context::decode_NAL(NAL_unit*) /home/fuzz/libde265/libde265/decctx.cc:1239
#16 0x555555592354 in decoder_context::decode(int*) /home/fuzz/libde265/libde265/decctx.cc:1327
#17 0x55555557cffa in de265_decode /home/fuzz/libde265/libde265/de265.cc:362
#18 0x555555577b2f in main /home/fuzz/libde265/dec265/dec265.cc:764
#19 0x7ffff7046082 in __libc_start_main ../csu/libc-start.c:308
#20 0x5555555712ed in _start (/home/fuzz/libde265/dec265/dec265+0x1d2ed)
0x61b00000ae1c is located 20 bytes to the right of 1416-byte region [0x61b00000a880,0x61b00000ae08)
allocated by thread T0 here:
#0 0x7ffff7692587 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:104
#1 0x55555558858e in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /home/fuzz/libde265/libde265/decctx.cc:633
#2 0x55555559070e in decoder_context::decode_NAL(NAL_unit*) /home/fuzz/libde265/libde265/decctx.cc:1239
#3 0x555555592354 in decoder_context::decode(int*) /home/fuzz/libde265/libde265/decctx.cc:1327
#4 0x55555557cffa in de265_decode /home/fuzz/libde265/libde265/de265.cc:362
#5 0x555555577b2f in main /home/fuzz/libde265/dec265/dec265.cc:764
#6 0x7ffff7046082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzz/libde265/libde265/motion.cc:1894 in derive_spatial_luma_vector_prediction(base_context*, de265_image*, slice_segment_header const*, int, int, int, int, int, int, int, int, int, int, unsigned char*, MotionVector*)
Shadow bytes around the buggy address:
0x0c367fff9570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fff9580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fff9590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fff95a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fff95b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c367fff95c0: 00 fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fff95d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fff95e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fff95f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fff9600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fff9610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==3163634==ABORTING
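Added example, not code from this issue or from libde265: a small triage helper that pulls the crash site, the allocation site and the region geometry out of an AddressSanitizer report like the one above, and cross-checks the reported "20 bytes to the right of 1416-byte region" against the raw addresses. The sample input is an abbreviated copy of the report quoted in this issue; the frame-filtering path fragments are an assumption.

```python
import re

# Sample input: an abbreviated copy of the AddressSanitizer report quoted in this issue.
SAMPLE_REPORT = """\
==3163634==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00000ae1c at pc 0x5555557b561f bp 0x7ffffffee780 sp 0x7ffffffee770
READ of size 1 at 0x61b00000ae1c thread T0
    #0 0x5555557b561e in derive_spatial_luma_vector_prediction(base_context*, de265_image*, slice_segment_header const*, int, int, int, int, int, int, int, int, int, int, unsigned char*, MotionVector*) /home/fuzz/libde265/libde265/motion.cc:1894
0x61b00000ae1c is located 20 bytes to the right of 1416-byte region [0x61b00000a880,0x61b00000ae08)
allocated by thread T0 here:
    #0 0x7ffff7692587 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:104
    #1 0x55555558858e in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /home/fuzz/libde265/libde265/decctx.cc:633
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address 0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+")
REGION_RE = re.compile(r"located (\d+) bytes to the (left|right) of (\d+)-byte region "
                       r"\[0x([0-9a-f]+),0x([0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (.+?) (\S+):(\d+)$")
RUNTIME_PATHS = ("libsanitizer", "libc-start")  # assumed markers for ASan/libc frames, not decoder code

def parse_asan_report(text):
    """Extract the fields a fuzzing triage script needs from an ASan report."""
    info = {"frames": [], "alloc_frames": []}
    target = info["frames"]
    for line in text.splitlines():
        if m := ERROR_RE.search(line):
            info["kind"], info["address"] = m.group(1), int(m.group(2), 16)
        elif m := ACCESS_RE.match(line):
            info["access"], info["size"] = m.group(1), int(m.group(2))
        elif m := REGION_RE.search(line):
            info["distance"], info["side"], info["region_size"] = int(m.group(1)), m.group(2), int(m.group(3))
            info["region_start"], info["region_end"] = int(m.group(4), 16), int(m.group(5), 16)
        elif line.startswith("allocated by"):
            target = info["alloc_frames"]  # the frames that follow describe the allocation site
        elif m := FRAME_RE.match(line):
            target.append({"func": m.group(1), "file": m.group(2), "line": int(m.group(3))})
    return info

def first_project_frame(frames):
    """Skip sanitizer/libc frames so crash and allocation sites point into the decoder itself."""
    return next(f for f in frames if not any(p in f["file"] for p in RUNTIME_PATHS))

def overflow_offset(info):
    """Offset of the faulting address from the region start, checked against the region line."""
    offset = info["address"] - info["region_start"]
    expected = info["region_size"] + info["distance"] if info["side"] == "right" else -info["distance"]
    if offset != expected:
        raise ValueError("region line and addresses disagree")
    return offset
```

For this report the offset is 1436 bytes, i.e. the 1416-byte object plus the 20-byte overshoot, so the access is a one-byte read just past a heap object allocated in decoder_context::read_slice_NAL.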
POC
poc_hbo01.bin
Impact
This vulnerability is capable of crashing the software, bypassing protection mechanisms, and modifying memory; successful exploitation may lead to code execution.
Related news
Gentoo Linux Security Advisory 202408-20 - Multiple vulnerabilities have been discovered in libde265, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 1.0.11 are affected.
Ubuntu Security Notice 6659-1 - It was discovered that libde265 could be made to write out of bounds. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service or execute arbitrary code. It was discovered that libde265 could be made to read out of bounds. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service.