CVE-2023-24752: NULL Pointer Dereference in function ff_hevc_put_hevc_epel_pixels_8_sse at sse-motion.cc:987 · Issue #378 · strukturag/libde265

libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the ff_hevc_put_hevc_epel_pixels_8_sse function at sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file.


Description

NULL Pointer Dereference in function ff_hevc_put_hevc_epel_pixels_8_sse at sse-motion.cc:987

Version

git log
commit 1cf2999583ef8a90e11933ed70908e4e2c2d8872 (HEAD -> master, origin/master, origin/HEAD)

Steps to reproduce

git clone https://github.com/strukturag/libde265.git
cd libde265
./autogen.sh
export CFLAGS="-g -O0 -lpthread -fsanitize=address"
export CXXFLAGS="-g -O0 -lpthread -fsanitize=address"
export LDFLAGS="-fsanitize=address"
./configure --disable-shared
make -j


cd dec265
./dec265 ./poc_segv02.bin
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: CTB outside of image area (concealing stream error...)
WARNING: CTB outside of image area (concealing stream error...)
WARNING: CTB outside of image area (concealing stream error...)
WARNING: CTB outside of image area (concealing stream error...)
WARNING: maximum number of reference pictures exceeded
WARNING: CTB outside of image area (concealing stream error...)
WARNING: maximum number of reference pictures exceeded
WARNING: CTB outside of image area (concealing stream error...)
WARNING: CTB outside of image area (concealing stream error...)
WARNING: non-existing PPS referenced
WARNING: CTB outside of image area (concealing stream error...)
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: CTB outside of image area (concealing stream error...)
AddressSanitizer:DEADLYSIGNAL
=================================================================
==7777==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x561cd0288664 bp 0x000000000008 sp 0x7ffc7e060af0 T0)
==7777==The signal is caused by a READ memory access.
==7777==Hint: address points to the zero page.
    #0 0x561cd0288663 in _mm_loadl_epi64(long long __vector(2) const*) /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:709
    #1 0x561cd0288663 in ff_hevc_put_hevc_epel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, int, int, short*) /home/fuzz/libde265/libde265/x86/sse-motion.cc:987
    #2 0x561cd032c6ab in acceleration_functions::put_hevc_epel(short*, long, void const*, long, int, int, int, int, short*, int) const ../libde265/acceleration.h:296
    #3 0x561cd032c6ab in void mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) /home/fuzz/libde265/libde265/motion.cc:205
    #4 0x561cd0323067 in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) /home/fuzz/libde265/libde265/motion.cc:412
    #5 0x561cd0323edd in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /home/fuzz/libde265/libde265/motion.cc:2141
    #6 0x561cd020f601 in read_coding_unit(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4314
    #7 0x561cd02182e1 in read_coding_quadtree(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4652
    #8 0x561cd02188b6 in read_coding_quadtree(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4638
    #9 0x561cd021a3db in decode_substream(thread_context*, bool, bool) /home/fuzz/libde265/libde265/slice.cc:4741
    #10 0x561cd021d0c2 in read_slice_segment_data(thread_context*) /home/fuzz/libde265/libde265/slice.cc:5054
    #11 0x561cd0126487 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /home/fuzz/libde265/libde265/decctx.cc:852
    #12 0x561cd0129ca0 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /home/fuzz/libde265/libde265/decctx.cc:954
    #13 0x561cd012a934 in decoder_context::decode_some(bool*) /home/fuzz/libde265/libde265/decctx.cc:739
    #14 0x561cd012e1c7 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /home/fuzz/libde265/libde265/decctx.cc:697
    #15 0x561cd012f62c in decoder_context::decode_NAL(NAL_unit*) /home/fuzz/libde265/libde265/decctx.cc:1239
    #16 0x561cd0130df5 in decoder_context::decode(int*) /home/fuzz/libde265/libde265/decctx.cc:1327
    #17 0x561cd00f5f9d in main /home/fuzz/libde265/dec265/dec265.cc:764
    #18 0x7f8428229082 in __libc_start_main ../csu/libc-start.c:308
    #19 0x561cd00fa0dd in _start (/home/fuzz/libde265/dec265/dec265+0x240dd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:709 in _mm_loadl_epi64(long long __vector(2) const*)
==7777==ABORTING
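
A small crash-triage helper, added here as an example and not part of the issue or of libde265: it parses the AddressSanitizer report above, classifies the fault (an address below the first page is a NULL base plus a small offset, here 0x8), and picks the first frame inside the project tree rather than the compiler header where the SSE load actually executes, producing a stable key for deduplicating fuzzer crashes. The embedded report is an abridged copy of the one printed above; the `libde265/` path marker, the `Frame`/`Triage` classes and the `triage()` function are this example's own.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: an abridged copy of the AddressSanitizer report from the
# issue above (frames beyond #3 and the decoder warnings are dropped for brevity).
SAMPLE_REPORT = """\
AddressSanitizer:DEADLYSIGNAL
=================================================================
==7777==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x561cd0288664 bp 0x000000000008 sp 0x7ffc7e060af0 T0)
==7777==The signal is caused by a READ memory access.
==7777==Hint: address points to the zero page.
    #0 0x561cd0288663 in _mm_loadl_epi64(long long __vector(2) const*) /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:709
    #1 0x561cd0288663 in ff_hevc_put_hevc_epel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, int, int, short*) /home/fuzz/libde265/libde265/x86/sse-motion.cc:987
    #2 0x561cd032c6ab in acceleration_functions::put_hevc_epel(short*, long, void const*, long, int, int, int, int, short*, int) const ../libde265/acceleration.h:296
    #3 0x561cd032c6ab in void mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) /home/fuzz/libde265/libde265/motion.cc:205
SUMMARY: AddressSanitizer: SEGV /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:709 in _mm_loadl_epi64(long long __vector(2) const*)
==7777==ABORTING
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on unknown address 0x([0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"The signal is caused by a (READ|WRITE) memory access")
# Symbol text may contain spaces and parentheses; the location is the last token.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.*)\s+(\S+?):(\d+)\s*$")

# The zero page is never mapped in a normal process, so a fault below this
# address is a NULL base plus a small offset (0x8 here: eight bytes into an
# object that does not exist), not a corrupted or freed pointer.
ZERO_PAGE_SIZE = 0x1000


@dataclass
class Frame:
    index: int
    symbol: str  # demangled symbol as printed by ASan, parameter list included
    path: str
    line: int

    @property
    def short_symbol(self) -> str:
        return self.symbol.split("(", 1)[0].strip()


@dataclass
class Triage:
    error_kind: str
    address: int
    access: str
    zero_page_hint: bool
    frames: List[Frame]
    project_frame: Optional[Frame]

    @property
    def category(self) -> str:
        if self.error_kind != "SEGV":
            return self.error_kind.lower()
        if self.address < ZERO_PAGE_SIZE:
            return "null-deref-" + self.access.lower()
        return "wild-" + self.access.lower()

    def dedup_key(self) -> str:
        # Key on the first project frame so crashes that share a root cause but
        # differ in the inlined intrinsic or libc frames collapse together.
        f = self.project_frame or (self.frames[0] if self.frames else None)
        if f is None:
            return self.category
        return f"{self.category}|{f.short_symbol}|{os.path.basename(f.path)}:{f.line}"


def parse_frames(report: str) -> List[Frame]:
    frames = []
    for line in report.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m.group(1)), m.group(2).strip(), m.group(3), int(m.group(4))))
    return frames


def triage(report: str, project_marker: str = "libde265/") -> Triage:
    err = ERROR_RE.search(report)
    if err is None:
        raise ValueError("no AddressSanitizer ERROR line found")
    acc = ACCESS_RE.search(report)
    frames = parse_frames(report)
    # Skip frames in compiler or libc headers (emmintrin.h here); the first
    # frame under the project tree is where the bad pointer was passed in.
    project_frame = next((f for f in frames if project_marker in f.path), None)
    return Triage(
        error_kind=err.group(1),
        address=int(err.group(2), 16),
        access=acc.group(1) if acc else "UNKNOWN",
        zero_page_hint="address points to the zero page" in report,
        frames=frames,
        project_frame=project_frame,
    )


if __name__ == "__main__":
    t = triage(SAMPLE_REPORT)
    print(t.category, hex(t.address), t.dedup_key())
```

Run against the sample, the key comes out as `null-deref-read|ff_hevc_put_hevc_epel_pixels_8_sse|sse-motion.cc:987`, which matches the location named in the issue title; feeding a whole fuzzer crash directory through `triage()` and bucketing on `dedup_key()` separates genuinely new crashes from repeats of this one.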

POC

poc_segv02.bin

GDB

gdb --args ./dec265 ./poc_segv02.bin

─── Output/messages ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: CTB outside of image area (concealing stream error...)
WARNING: CTB outside of image area (concealing stream error...)
WARNING: CTB outside of image area (concealing stream error...)
WARNING: CTB outside of image area (concealing stream error...)
WARNING: maximum number of reference pictures exceeded
WARNING: CTB outside of image area (concealing stream error...)
WARNING: maximum number of reference pictures exceeded
WARNING: CTB outside of image area (concealing stream error...)
WARNING: CTB outside of image area (concealing stream error...)
WARNING: non-existing PPS referenced
WARNING: CTB outside of image area (concealing stream error...)
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: CTB outside of image area (concealing stream error...)

Program received signal SIGSEGV, Segmentation fault.
_mm_loadl_epi64(long long __vector(2) const*) (__P=<optimized out>) at /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:709
709       return _mm_set_epi64 ((__m64)0LL, *(__m64_u *)__P);
─── Assembly ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 0x0000555555706650  _mm_loadl_epi64(long long __vector(2) const*)+84  setle  %r10b
 0x0000555555706654  _mm_loadl_epi64(long long __vector(2) const*)+88  test   %dil,%dil
 0x0000555555706657  _mm_loadl_epi64(long long __vector(2) const*)+91  setne  %r11b
 0x000055555570665b  _mm_loadl_epi64(long long __vector(2) const*)+95  test   %r11b,%r10b
 0x000055555570665e  _mm_loadl_epi64(long long __vector(2) const*)+98  jne    0x55555570713a <ff_hevc_put_hevc_epel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, int, int, short*)+4010>
 0x0000555555706664  _mm_loadl_epi64(long long __vector(2) const*)+104 movq   0x0(%rbp),%xmm7
 0x0000555555706669  _mm_loadl_epi64(long long __vector(2) const*)+109 mov    %r12,%r9
 0x000055555570666c  _mm_loadl_epi64(long long __vector(2) const*)+112 shr    $0x3,%r9
 0x0000555555706670  _mm_loadl_epi64(long long __vector(2) const*)+116 cmpw   $0x0,0x7fff8000(%r9)
 0x0000555555706679  _mm_loadl_epi64(long long __vector(2) const*)+125 punpcklbw %xmm6,%xmm7
─── Breakpoints ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
─── Expressions ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
─── History ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
─── Memory ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
─── Registers ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     rax 0x0000000000000001        rbx 0x0000000000000000     rcx 0xffffffffffffffe0     rdx 0x00005555557f0fc0     rsi 0x0000000000000000     rdi 0x0000000000000000     rbp 0x0000000000000008     rsp 0x00007ffffffde7f0
      r8 0x0000000000000008         r9 0x0000000000000001     r10 0x0000000000000001     r11 0x0000000000000000     r12 0x00007ffffffe66a0     r13 0x0000000000000000     r14 0x0000000000000008     r15 0x00000aaaaaafe2a1
     rip 0x0000555555706664     eflags [ PF ZF IF RF ]         cs 0x00000033              ss 0x0000002b              ds 0x00000000              es 0x00000000              fs 0x00000000              gs 0x00000000        
─── Source ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 704  }
 705  
 706  extern __inline __m128i __attribute__((__gnu_inline__, __always_inline__, __artificial__))
 707  _mm_loadl_epi64 (__m128i_u const *__P)
 708  {
 709    return _mm_set_epi64 ((__m64)0LL, *(__m64_u *)__P);
 710  }
 711  
 712  extern __inline __m128i __attribute__((__gnu_inline__, __always_inline__, __artificial__))
 713  _mm_loadu_si64 (void const *__P)
─── Stack ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[0] from 0x0000555555706664 in _mm_loadl_epi64(long long __vector(2) const*)+104 at /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:709
[1] from 0x0000555555706664 in ff_hevc_put_hevc_epel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, int, int, short*)+1236 at sse-motion.cc:987
[2] from 0x00005555557aa6ac in acceleration_functions::put_hevc_epel(short*, long, void const*, long, int, int, int, int, short*, int) const+182 at ../libde265/acceleration.h:296
[3] from 0x00005555557aa6ac in mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int)+7260 at motion.cc:205
[4] from 0x00005555557a1068 in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*)+26328 at ../libde265/image.h:301
[5] from 0x00005555557a1ede in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int)+446 at motion.cc:2141
[6] from 0x000055555568d602 in read_coding_unit(thread_context*, int, int, int, int)+8402 at slice.cc:4314
[7] from 0x00005555556962e2 in read_coding_quadtree(thread_context*, int, int, int, int)+2834 at slice.cc:4652
[8] from 0x00005555556968b7 in read_coding_quadtree(thread_context*, int, int, int, int)+4327 at slice.cc:4638
[9] from 0x0000555555697b83 in read_coding_tree_unit(thread_context*)+1587 at slice.cc:2861
[+]
─── Threads ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[1] id 7781 name dec265 from 0x0000555555706664 in _mm_loadl_epi64(long long __vector(2) const*)+104 at /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:709
─── Variables ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
arg __P = <optimized out>
loc x = 0, y = 0, x1 = <optimized out>, x2 = <optimized out>, src = 0x8 <error: Cannot access memory at address 0x8>: Cannot access memory at address 0x8…
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
>>> 

Impact

This vulnerability is capable of crashing software, causing a denial of service via a crafted input file.

Related news

Gentoo Linux Security Advisory 202408-20

Gentoo Linux Security Advisory 202408-20 - Multiple vulnerabilities have been discovered in libde265, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 1.0.11 are affected.

Ubuntu Security Notice USN-6659-1

Ubuntu Security Notice 6659-1 - It was discovered that libde265 could be made to write out of bounds. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service or execute arbitrary code. It was discovered that libde265 could be made to read out of bounds. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service.
