Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-49467: heap-buffer-overflow `libde265/libde265/motion.cc:1443` in `derive_combined_bipredictive_merging_candidates` · Issue #434 · strukturag/libde265

Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_combined_bipredictive_merging_candidates function at motion.cc.

CVE
#vulnerability#ubuntu#c++

Description

heap-buffer-overflow eva/put/libde265/libde265/motion.cc:1443 in derive_combined_bipredictive_merging_candidates(base_context const, slice_segment_header const, PBMotion, int, int)

Version

 dec265  v1.0.14
-----------------
usage: dec265 [options] videofile.bin
The video file must be a raw bitstream, or a stream with NAL units (option -n).

options:
  -q, --quiet       do not show decoded image
  -t, --threads N   set number of worker threads (0 - no threading)
  -c, --check-hash  perform hash check
  -n, --nal         input is a stream with 4-byte length prefixed NAL units
  -f, --frames N    set number of frames to process
  -o, --output      write YUV reconstruction
  -d, --dump        dump headers
  -0, --noaccel     do not use any accelerated code (SSE)
  -v, --verbose     increase verbosity level (up to 3 times)
  -L, --no-logging  disable logging
  -B, --write-bytestream FILENAME  write raw bytestream (from NAL input)
  -m, --measure YUV compute PSNRs relative to reference YUV
  -T, --highest-TID select highest temporal sublayer to decode
      --disable-deblocking   disable deblocking filter
      --disable-sao          disable sample-adaptive offset filter
  -h, --help        show help

Replay

cd libde265
CC="gcc -fsanitize=address" CXX="g++ -fsanitize=address" ./configure
make -j

# You need to try running poc several times to see the asan result.
./dec265/dec265 ./poc

ASAN

=================================================================
==3684026==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b000000658 at pc 0x5621bef6c512 bp 0x7ffe781d0d70 sp 0x7ffe781d0d60
READ of size 4 at 0x61b000000658 thread T0
    #0 0x5621bef6c511 in derive_combined_bipredictive_merging_candidates(base_context const*, slice_segment_header const*, PBMotion*, int*, int) eva/put/libde265/libde265/motion.cc:1443
    #1 0x5621bef6d403 in get_merge_candidate_list_without_step_9(base_context*, slice_segment_header const*, MotionVectorAccess const&, de265_image*, int, int, int, int, int, int, int, int, int, PBMotion*) eva/put/libde265/libde265/motion.cc:1564
    #2 0x5621bef8da6a in derive_luma_motion_merge_mode(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, int, int, PBMotion*) eva/put/libde265/libde265/motion.cc:1622
    #3 0x5621bef8da6a in motion_vectors_and_ref_indices(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int, PBMotion*) eva/put/libde265/libde265/motion.cc:2112
    #4 0x5621bef8da6a in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) eva/put/libde265/libde265/motion.cc:2195
    #5 0x5621bee53806 in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int) eva/put/libde265/libde265/slice.cc:4145
    #6 0x5621bee5d5ff in read_coding_unit(thread_context*, int, int, int, int) eva/put/libde265/libde265/slice.cc:4513
    #7 0x5621bee61e7f in read_coding_quadtree(thread_context*, int, int, int, int) eva/put/libde265/libde265/slice.cc:4647
    #8 0x5621bee61df6 in read_coding_quadtree(thread_context*, int, int, int, int) eva/put/libde265/libde265/slice.cc:4644
    #9 0x5621bee64696 in decode_substream(thread_context*, bool, bool) eva/put/libde265/libde265/slice.cc:4750
    #10 0x5621bee6afc9 in read_slice_segment_data(thread_context*) eva/put/libde265/libde265/slice.cc:5063
    #11 0x5621bed2d8b4 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) eva/put/libde265/libde265/decctx.cc:854
    #12 0x5621bed34e55 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) eva/put/libde265/libde265/decctx.cc:956
    #13 0x5621bed387eb in decoder_context::decode_some(bool*) eva/put/libde265/libde265/decctx.cc:741
    #14 0x5621bed4a57a in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) eva/put/libde265/libde265/decctx.cc:699
    #15 0x5621bed4c645 in decoder_context::decode_NAL(NAL_unit*) eva/put/libde265/libde265/decctx.cc:1241
    #16 0x5621bed4d508 in decoder_context::decode(int*) eva/put/libde265/libde265/decctx.cc:1329
    #17 0x5621bed0746c in main eva/put/libde265/dec265/dec265.cc:784
    #18 0x7f2636829d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #19 0x7f2636829e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #20 0x5621bed09ce4 in _start (eva/asan-bin/NestFuzz/libde265/dec265+0x1ece4)

0x61b000000658 is located 80 bytes to the right of 1416-byte region [0x61b000000080,0x61b000000608)
allocated by thread T0 here:
    #0 0x7f26370b61e7 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:99
    #1 0x5621bed48f17 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) eva/put/libde265/libde265/decctx.cc:635

SUMMARY: AddressSanitizer: heap-buffer-overflow eva/put/libde265/libde265/motion.cc:1443 in derive_combined_bipredictive_merging_candidates(base_context const*, slice_segment_header const*, PBMotion*, int*, int)

POC

poc

Environment

Description:    Ubuntu 22.04.2 LTS
gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0

Credit

Yuchuan Meng (Fudan University)

Related news

Ubuntu Security Notice USN-6677-1

Ubuntu Security Notice 6677-1 - It was discovered that libde265 could be made to dereference invalid memory. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. It was discovered that libde265 could be made to write out of bounds. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907