CVE-2023-25221: heap-buffer-overflow in function derive_spatial_luma_vector_prediction at motion.cc:1894 · Issue #388 · strukturag/libde265

Libde265 v1.0.10 was discovered to contain a heap-buffer-overflow vulnerability in the derive_spatial_luma_vector_prediction function in motion.cc.


Description

heap-buffer-overflow in function derive_spatial_luma_vector_prediction at motion.cc:1894

Version

git log
commit bfb6de155f9fb015d2904cb4ef07809f17995276 (HEAD -> master, origin/master, origin/HEAD)
Author: Dirk Farin <[email protected]>
Date:   Sun Jan 29 12:20:48 2023 +0100

Steps to reproduce

git clone https://github.com/strukturag/libde265.git
cd libde265
./autogen.sh
export CFLAGS="-g -O0 -lpthread -fsanitize=address"
export CXXFLAGS="-g -O0 -lpthread -fsanitize=address"
export LDFLAGS="-fsanitize=address"
./configure --disable-shared
make -j
cd dec265
./dec265 ./poc_hbo01.bin
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: CTB outside of image area (concealing stream error...)
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: CTB outside of image area (concealing stream error...)
WARNING: CTB outside of image area (concealing stream error...)
WARNING: maximum number of reference pictures exceeded
WARNING: CTB outside of image area (concealing stream error...)
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: non-existing reference picture accessed
WARNING: Too many warnings queued
=================================================================
==3163634==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00000ae1c at pc 0x5555557b561f bp 0x7ffffffee780 sp 0x7ffffffee770
READ of size 1 at 0x61b00000ae1c thread T0
    #0 0x5555557b561e in derive_spatial_luma_vector_prediction(base_context*, de265_image*, slice_segment_header const*, int, int, int, int, int, int, int, int, int, int, unsigned char*, MotionVector*) /home/fuzz/libde265/libde265/motion.cc:1894
    #1 0x5555557b708b in fill_luma_motion_vector_predictors(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, int, int, int, MotionVector*) /home/fuzz/libde265/libde265/motion.cc:1960
    #2 0x5555557b82d3 in luma_motion_vector_prediction(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int, int, int) /home/fuzz/libde265/libde265/motion.cc:2033
    #3 0x5555557b92d3 in motion_vectors_and_ref_indices(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int, PBMotion*) /home/fuzz/libde265/libde265/motion.cc:2119
    #4 0x5555557b982d in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /home/fuzz/libde265/libde265/motion.cc:2157
    #5 0x555555683316 in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4136
    #6 0x5555556878c1 in read_coding_unit(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4497
    #7 0x555555689e17 in read_coding_quadtree(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4652
    #8 0x555555672a97 in read_coding_tree_unit(thread_context*) /home/fuzz/libde265/libde265/slice.cc:2861
    #9 0x55555568af7b in decode_substream(thread_context*, bool, bool) /home/fuzz/libde265/libde265/slice.cc:4741
    #10 0x55555568ea3f in read_slice_segment_data(thread_context*) /home/fuzz/libde265/libde265/slice.cc:5054
    #11 0x55555558c205 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /home/fuzz/libde265/libde265/decctx.cc:852
    #12 0x55555558d6c0 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /home/fuzz/libde265/libde265/decctx.cc:954
    #13 0x55555558a7dc in decoder_context::decode_some(bool*) /home/fuzz/libde265/libde265/decctx.cc:739
    #14 0x555555589efc in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /home/fuzz/libde265/libde265/decctx.cc:697
    #15 0x55555559070e in decoder_context::decode_NAL(NAL_unit*) /home/fuzz/libde265/libde265/decctx.cc:1239
    #16 0x555555592354 in decoder_context::decode(int*) /home/fuzz/libde265/libde265/decctx.cc:1327
    #17 0x55555557cffa in de265_decode /home/fuzz/libde265/libde265/de265.cc:362
    #18 0x555555577b2f in main /home/fuzz/libde265/dec265/dec265.cc:764
    #19 0x7ffff7046082 in __libc_start_main ../csu/libc-start.c:308
    #20 0x5555555712ed in _start (/home/fuzz/libde265/dec265/dec265+0x1d2ed)

0x61b00000ae1c is located 20 bytes to the right of 1416-byte region [0x61b00000a880,0x61b00000ae08)
allocated by thread T0 here:
    #0 0x7ffff7692587 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:104
    #1 0x55555558858e in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /home/fuzz/libde265/libde265/decctx.cc:633
    #2 0x55555559070e in decoder_context::decode_NAL(NAL_unit*) /home/fuzz/libde265/libde265/decctx.cc:1239
    #3 0x555555592354 in decoder_context::decode(int*) /home/fuzz/libde265/libde265/decctx.cc:1327
    #4 0x55555557cffa in de265_decode /home/fuzz/libde265/libde265/de265.cc:362
    #5 0x555555577b2f in main /home/fuzz/libde265/dec265/dec265.cc:764
    #6 0x7ffff7046082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzz/libde265/libde265/motion.cc:1894 in derive_spatial_luma_vector_prediction(base_context*, de265_image*, slice_segment_header const*, int, int, int, int, int, int, int, int, int, int, unsigned char*, MotionVector*)
Shadow bytes around the buggy address:
  0x0c367fff9570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fff9580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fff9590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fff95a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fff95b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c367fff95c0: 00 fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fff95d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fff95e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fff95f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fff9600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fff9610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3163634==ABORTING
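A triage helper for reports like the one above, added here as an example and not part of the issue or of libde265: it parses an ASan report into the bug class, access kind and size, the faulting and allocating stacks, and the distance past the allocated region, and derives a bucketing key so repeated crashes from a fuzzing run of dec265 can be deduplicated before they are filed. The embedded report excerpt is constructed from the lines above with frame signatures shortened.

```python
import os
import re

# Constructed excerpt of the ASan report from the issue; signatures are shortened
# with "..." but paths, line numbers and region sizes are as reported.
SAMPLE_REPORT = """\
==3163634==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00000ae1c at pc 0x5555557b561f
READ of size 1 at 0x61b00000ae1c thread T0
    #0 0x5555557b561e in derive_spatial_luma_vector_prediction(base_context*, ...) /home/fuzz/libde265/libde265/motion.cc:1894
    #1 0x5555557b708b in fill_luma_motion_vector_predictors(base_context*, ...) /home/fuzz/libde265/libde265/motion.cc:1960
0x61b00000ae1c is located 20 bytes to the right of 1416-byte region [0x61b00000a880,0x61b00000ae08)
allocated by thread T0 here:
    #0 0x7ffff7692587 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:104
    #1 0x55555558858e in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /home/fuzz/libde265/libde265/decctx.cc:633
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address 0x[0-9a-f]+")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at", re.M)
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<func>.+?) (?P<file>\S+):(?P<line>\d+)\s*$", re.M)
REGION_RE = re.compile(r"is located (?P<dist>\d+) bytes to the (?P<side>left|right) of (?P<size>\d+)-byte region")

def frames(block):
    """(function name without signature, file basename, line) for each symbolised frame in a stack block."""
    return [(m["func"].split("(")[0], os.path.basename(m["file"]), int(m["line"]))
            for m in FRAME_RE.finditer(block)]

def project_frame(stack):
    """First frame outside the sanitizer runtime and libc: the place worth opening in the source."""
    return next((f for f in stack if not f[1].startswith(("asan_", "libc"))), None)

def parse_asan_report(text):
    """Extract the triage-relevant facts from an ASan report; raises ValueError if none is present."""
    err = ERROR_RE.search(text)
    if not err:
        raise ValueError("no AddressSanitizer error line found")
    access = ACCESS_RE.search(text)
    region = REGION_RE.search(text)
    # Frames before the "allocated by" marker belong to the faulting access, frames after it to the allocation.
    fault_block, _, alloc_block = text.partition("allocated by thread")
    # overflow_by: positive = bytes past the end of the region, negative = bytes before its start.
    return {"kind": err["kind"], "op": access["op"] if access else None,
            "size": int(access["size"]) if access else None,
            "region_size": int(region["size"]) if region else None,
            "overflow_by": None if not region else int(region["dist"]) * (1 if region["side"] == "right" else -1),
            "stack": frames(fault_block), "alloc_stack": frames(alloc_block)}

def dedup_key(report):
    """Bucket key for crash triage: bug class plus the top in-project frame of the faulting stack."""
    top = project_frame(report["stack"])
    return report["kind"] if top is None else f"{report['kind']}@{top[1]}:{top[2]}:{top[0]}"
```

Feeding the full dec265 output (warnings included) to `parse_asan_report` works as well, since the warning lines match none of the patterns.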

POC

poc_hbo01.bin

Impact

This vulnerability is capable of crashing software, bypassing protection mechanisms, and modifying memory, and successful exploitation may lead to code execution.

Related news

Gentoo Linux Security Advisory 202408-20

Gentoo Linux Security Advisory 202408-20 - Multiple vulnerabilities have been discovered in libde265, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 1.0.11 are affected.

Ubuntu Security Notice USN-6659-1

Ubuntu Security Notice 6659-1 - It was discovered that libde265 could be made to write out of bounds. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service or execute arbitrary code. It was discovered that libde265 could be made to read out of bounds. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service.
