Headline
CVE-2023-24752: NULL Pointer Dereference in function ff_hevc_put_hevc_epel_pixels_8_sse at sse-motion.cc:987 · Issue #378 · strukturag/libde265
libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the ff_hevc_put_hevc_epel_pixels_8_sse function at sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file.
Description
NULL Pointer Dereference in function ff_hevc_put_hevc_epel_pixels_8_sse at sse-motion.cc:987
Version
git log
commit 1cf2999583ef8a90e11933ed70908e4e2c2d8872 (HEAD -> master, origin/master, origin/HEAD)
Steps to reproduce
git clone https://github.com/strukturag/libde265.git
cd libde265
./autogen.sh
export CFLAGS="-g -O0 -lpthread -fsanitize=address"
export CXXFLAGS="-g -O0 -lpthread -fsanitize=address"
export LDFLAGS="-fsanitize=address"
./configure --disable-shared
make -j
cd dec265
./dec265 ./poc_segv02.bin
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: CTB outside of image area (concealing stream error...)
WARNING: CTB outside of image area (concealing stream error...)
WARNING: CTB outside of image area (concealing stream error...)
WARNING: CTB outside of image area (concealing stream error...)
WARNING: maximum number of reference pictures exceeded
WARNING: CTB outside of image area (concealing stream error...)
WARNING: maximum number of reference pictures exceeded
WARNING: CTB outside of image area (concealing stream error...)
WARNING: CTB outside of image area (concealing stream error...)
WARNING: non-existing PPS referenced
WARNING: CTB outside of image area (concealing stream error...)
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: CTB outside of image area (concealing stream error...)
AddressSanitizer:DEADLYSIGNAL
=================================================================
==7777==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x561cd0288664 bp 0x000000000008 sp 0x7ffc7e060af0 T0)
==7777==The signal is caused by a READ memory access.
==7777==Hint: address points to the zero page.
#0 0x561cd0288663 in _mm_loadl_epi64(long long __vector(2) const*) /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:709
#1 0x561cd0288663 in ff_hevc_put_hevc_epel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, int, int, short*) /home/fuzz/libde265/libde265/x86/sse-motion.cc:987
#2 0x561cd032c6ab in acceleration_functions::put_hevc_epel(short*, long, void const*, long, int, int, int, int, short*, int) const ../libde265/acceleration.h:296
#3 0x561cd032c6ab in void mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) /home/fuzz/libde265/libde265/motion.cc:205
#4 0x561cd0323067 in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) /home/fuzz/libde265/libde265/motion.cc:412
#5 0x561cd0323edd in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /home/fuzz/libde265/libde265/motion.cc:2141
#6 0x561cd020f601 in read_coding_unit(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4314
#7 0x561cd02182e1 in read_coding_quadtree(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4652
#8 0x561cd02188b6 in read_coding_quadtree(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4638
#9 0x561cd021a3db in decode_substream(thread_context*, bool, bool) /home/fuzz/libde265/libde265/slice.cc:4741
#10 0x561cd021d0c2 in read_slice_segment_data(thread_context*) /home/fuzz/libde265/libde265/slice.cc:5054
#11 0x561cd0126487 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /home/fuzz/libde265/libde265/decctx.cc:852
#12 0x561cd0129ca0 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /home/fuzz/libde265/libde265/decctx.cc:954
#13 0x561cd012a934 in decoder_context::decode_some(bool*) /home/fuzz/libde265/libde265/decctx.cc:739
#14 0x561cd012e1c7 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /home/fuzz/libde265/libde265/decctx.cc:697
#15 0x561cd012f62c in decoder_context::decode_NAL(NAL_unit*) /home/fuzz/libde265/libde265/decctx.cc:1239
#16 0x561cd0130df5 in decoder_context::decode(int*) /home/fuzz/libde265/libde265/decctx.cc:1327
#17 0x561cd00f5f9d in main /home/fuzz/libde265/dec265/dec265.cc:764
#18 0x7f8428229082 in __libc_start_main ../csu/libc-start.c:308
#19 0x561cd00fa0dd in _start (/home/fuzz/libde265/dec265/dec265+0x240dd)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:709 in _mm_loadl_epi64(long long __vector(2) const*)
==7777==ABORTING
POC
poc_segv02.bin
GDB
gdb --args ./dec265 ./poc_segv02.bin
─── Output/messages ───
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: CTB outside of image area (concealing stream error...)
WARNING: CTB outside of image area (concealing stream error...)
WARNING: CTB outside of image area (concealing stream error...)
WARNING: CTB outside of image area (concealing stream error...)
WARNING: maximum number of reference pictures exceeded
WARNING: CTB outside of image area (concealing stream error...)
WARNING: maximum number of reference pictures exceeded
WARNING: CTB outside of image area (concealing stream error...)
WARNING: CTB outside of image area (concealing stream error...)
WARNING: non-existing PPS referenced
WARNING: CTB outside of image area (concealing stream error...)
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: CTB outside of image area (concealing stream error...)
Program received signal SIGSEGV, Segmentation fault.
_mm_loadl_epi64(long long __vector(2) const*) (__P=<optimized out>) at /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:709
709 return _mm_set_epi64 ((__m64)0LL, *(__m64_u *)__P);
─── Assembly ───
0x0000555555706650 _mm_loadl_epi64(long long __vector(2) const*)+84 setle %r10b
0x0000555555706654 _mm_loadl_epi64(long long __vector(2) const*)+88 test %dil,%dil
0x0000555555706657 _mm_loadl_epi64(long long __vector(2) const*)+91 setne %r11b
0x000055555570665b _mm_loadl_epi64(long long __vector(2) const*)+95 test %r11b,%r10b
0x000055555570665e _mm_loadl_epi64(long long __vector(2) const*)+98 jne 0x55555570713a <ff_hevc_put_hevc_epel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, int, int, short*)+4010>
0x0000555555706664 _mm_loadl_epi64(long long __vector(2) const*)+104 movq 0x0(%rbp),%xmm7
0x0000555555706669 _mm_loadl_epi64(long long __vector(2) const*)+109 mov %r12,%r9
0x000055555570666c _mm_loadl_epi64(long long __vector(2) const*)+112 shr $0x3,%r9
0x0000555555706670 _mm_loadl_epi64(long long __vector(2) const*)+116 cmpw $0x0,0x7fff8000(%r9)
0x0000555555706679 _mm_loadl_epi64(long long __vector(2) const*)+125 punpcklbw %xmm6,%xmm7
─── Registers ───
rax 0x0000000000000001 rbx 0x0000000000000000 rcx 0xffffffffffffffe0 rdx 0x00005555557f0fc0 rsi 0x0000000000000000 rdi 0x0000000000000000 rbp 0x0000000000000008 rsp 0x00007ffffffde7f0
r8 0x0000000000000008 r9 0x0000000000000001 r10 0x0000000000000001 r11 0x0000000000000000 r12 0x00007ffffffe66a0 r13 0x0000000000000000 r14 0x0000000000000008 r15 0x00000aaaaaafe2a1
rip 0x0000555555706664 eflags [ PF ZF IF RF ] cs 0x00000033 ss 0x0000002b ds 0x00000000 es 0x00000000 fs 0x00000000 gs 0x00000000
─── Source ───
704 }
705
706 extern __inline __m128i __attribute__((__gnu_inline__, __always_inline__, __artificial__))
707 _mm_loadl_epi64 (__m128i_u const *__P)
708 {
709 return _mm_set_epi64 ((__m64)0LL, *(__m64_u *)__P);
710 }
711
712 extern __inline __m128i __attribute__((__gnu_inline__, __always_inline__, __artificial__))
713 _mm_loadu_si64 (void const *__P)
─── Stack ───
[0] from 0x0000555555706664 in _mm_loadl_epi64(long long __vector(2) const*)+104 at /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:709
[1] from 0x0000555555706664 in ff_hevc_put_hevc_epel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, int, int, short*)+1236 at sse-motion.cc:987
[2] from 0x00005555557aa6ac in acceleration_functions::put_hevc_epel(short*, long, void const*, long, int, int, int, int, short*, int) const+182 at ../libde265/acceleration.h:296
[3] from 0x00005555557aa6ac in mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int)+7260 at motion.cc:205
[4] from 0x00005555557a1068 in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*)+26328 at ../libde265/image.h:301
[5] from 0x00005555557a1ede in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int)+446 at motion.cc:2141
[6] from 0x000055555568d602 in read_coding_unit(thread_context*, int, int, int, int)+8402 at slice.cc:4314
[7] from 0x00005555556962e2 in read_coding_quadtree(thread_context*, int, int, int, int)+2834 at slice.cc:4652
[8] from 0x00005555556968b7 in read_coding_quadtree(thread_context*, int, int, int, int)+4327 at slice.cc:4638
[9] from 0x0000555555697b83 in read_coding_tree_unit(thread_context*)+1587 at slice.cc:2861
[+]
─── Threads ───
[1] id 7781 name dec265 from 0x0000555555706664 in _mm_loadl_epi64(long long __vector(2) const*)+104 at /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:709
─── Variables ───
arg __P = <optimized out>
loc x = 0, y = 0, x1 = <optimized out>, x2 = <optimized out>, src = 0x8 <error: Cannot access memory at address 0x8>: Cannot access memory at address 0x8…
Impact
This vulnerability is capable of crashing software, causing a denial of service via a crafted input file.
Related news
Gentoo Linux Security Advisory 202408-20 - Multiple vulnerabilities have been discovered in libde265, the worst of which could lead to arbitrary code execution. Versions earlier than 1.0.11 are affected.
Ubuntu Security Notice 6659-1 - It was discovered that libde265 could be made to write out of bounds. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service or execute arbitrary code. It was discovered that libde265 could be made to read out of bounds. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service.