CVE-2021-36409: There is an Assertion failed at sps.cc · Issue #300 · strukturag/libde265
There is an Assertion `scaling_list_pred_matrix_id_delta==1' failed at sps.cc:925 in libde265 v1.0.8 when decoding a file, which allows attackers to cause a Denial of Service (DoS) by running the application with a crafted file or possibly have unspecified other impact.
Hello,
There is an Assertion `scaling_list_pred_matrix_id_delta==1' failed at sps.cc:925 in libde265 v1.0.8 when decoding a file.
System info:
Ubuntu 20.04.1: clang 10.0.0, gcc 9.3.0
Dec265 v1.0.8
poc (3).zip
Verification steps:
1. Get the source code of libde265
2. Compile (the sanitizer flag needs its leading dash to take effect):
cd libde265
mkdir build && cd build
cmake ../ -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_CXX_FLAGS="-fsanitize=address"
make -j 16
3. Run dec265 on the attached file
Output
WARNING: non-existing PPS referenced
dec265: /home/dh/sda3/libde265-master/libde265-master/libde265/sps.cc:925: de265_error read_scaling_list(bitreader*, const seq_parameter_set*, scaling_list_data*, bool): Assertion `scaling_list_pred_matrix_id_delta==1' failed.
Aborted(core dumped)
gdb info
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
WARNING: non-existing PPS referenced
dec265-afl++: /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/sps.cc:925: de265_error read_scaling_list(bitreader*, const seq_parameter_set*, scaling_list_data*, bool): Assertion `scaling_list_pred_matrix_id_delta==1' failed.
Program received signal SIGABRT, Aborted.
Stopped reason: SIGABRT
__GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
Source code around sps.cc:925 (the assert is reached whenever the bitstream carries a delta other than 1 for sizeId 3):
912      if (scaling_list_pred_matrix_id_delta==0) {
913        if (sizeId==0) {
914          memcpy(curr_scaling_list, default_ScalingList_4x4, 16);
915        }
916        else {
917          if (canonicalMatrixId<3)
918            { memcpy(curr_scaling_list, default_ScalingList_8x8_intra,64); }
919          else
920            { memcpy(curr_scaling_list, default_ScalingList_8x8_inter,64); }
921        }
922      }
923      else {
924        // TODO: CHECK: for sizeID=3 and the second matrix, should we have delta=1 or delta=3 ?
925        if (sizeId==3) { assert(scaling_list_pred_matrix_id_delta==1); }
926
927        int mID = matrixId - scaling_list_pred_matrix_id_delta;
928
929        int len = (sizeId == 0 ? 16 : 64);
930        memcpy(curr_scaling_list, scaling_list[mID], len);
931
932        scaling_list_dc_coef = dc_coeff[sizeId][mID];
933        dc_coeff[sizeId][matrixId] = dc_coeff[sizeId][mID];
934      }
935    }
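As an added example, not code from the libde265 project or from the issue reporter: a defensive resolution of scaling_list_pred_matrix_id_delta that follows the H.265 definition (refMatrixId = matrixId - delta * (sizeId == 3 ? 3 : 1), with delta bounded by matrixId, or matrixId/3 for sizeId 3) and reports an out-of-range bitstream value as a decode error instead of letting it reach an assert or index scaling_list[] out of bounds. The status codes, function names and the six-list table are constructed for illustration and are not libde265's API.

```c
#include <stdint.h>
#include <string.h>

/* Status values for this constructed validator (not libde265's de265_error). */
enum { SL_COPIED = 0, SL_USE_DEFAULT = 1, SL_ERR_BAD_IDS = -1, SL_ERR_DELTA_RANGE = -2 };

/* Resolve scaling_list_pred_matrix_id_delta the way H.265 clause 7.4.5 defines it:
 *   refMatrixId = matrixId - delta * (sizeId == 3 ? 3 : 1)
 * with delta allowed in 0..matrixId (sizeId < 3) or 0..matrixId/3 (sizeId == 3).
 * Returns refMatrixId (0..5) on success or a negative SL_ERR_* code: a bitstream
 * value that breaks the range is a decode error to report, never an assert. */
int scaling_list_ref_matrix(int sizeId, int matrixId, unsigned delta)
{
    if (sizeId < 0 || sizeId > 3 || matrixId < 0 || matrixId > 5) return SL_ERR_BAD_IDS;
    if (sizeId == 3 && matrixId % 3 != 0) return SL_ERR_BAD_IDS; /* 32x32 has only ids 0 and 3 */
    int step = (sizeId == 3) ? 3 : 1;
    if (delta > (unsigned)(matrixId / step)) return SL_ERR_DELTA_RANGE;
    return matrixId - (int)delta * step;
}

/* Constructed model of the prediction branch at sps.cc:923-934. The copy's
 * source index comes only from the validated refMatrixId, so the memcpy can
 * never read outside scaling_list[]. delta == 0 means "use the default list",
 * which the caller supplies (the spec's default tables are not embedded here). */
int predict_scaling_list(int sizeId, int matrixId, unsigned delta,
                         uint8_t scaling_list[6][64], uint8_t *curr)
{
    int ref = scaling_list_ref_matrix(sizeId, matrixId, delta);
    if (ref < 0) return ref;
    if (delta == 0) return SL_USE_DEFAULT;
    memcpy(curr, scaling_list[ref], sizeId == 0 ? 16 : 64);
    return SL_COPIED;
}

/* Constructed self-check: six already-decoded lists filled with distinct values;
 * predict the second 32x32 list (matrixId 3) with the given delta. Returns the
 * value copied into curr[0] (10 + refMatrixId) or, if nothing was copied, the status. */
int demo_predict_32x32(unsigned delta)
{
    uint8_t table[6][64], curr[64];
    for (int m = 0; m < 6; m++) memset(table[m], 10 + m, 64);
    memset(curr, 0, sizeof curr);
    int st = predict_scaling_list(3, 3, delta, table, curr);
    return st == SL_COPIED ? curr[0] : st;
}
```

A crafted delta of 2 or more for the second 32x32 list, the shape of input that trips the assert on the page, comes back as SL_ERR_DELTA_RANGE here and the decoder can reject the SPS and continue.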