CVE-2023-47471: SEGV in libde265 in slice_segment_header::dump_slice_segment_header · Issue #426 · strukturag/libde265

Buffer Overflow vulnerability in strukturag libde265 v1.10.12 allows a local attacker to cause a denial of service via the slice_segment_header function in the slice.cc component.

SEGV in libde265

Description

Libde265 v1.0.12 was discovered to contain a SEGV via the function slice_segment_header::dump_slice_segment_header at slice.cc.

Version

ASAN Log

./dec265/dec265 -c -d -f 153 poc1libde265

AddressSanitizer:DEADLYSIGNAL
==38==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000551716 bp 0x7ffff7ad66a0 sp 0x7fffffff3de0 T0)
==38==The signal is caused by a READ memory access.
==38==Hint: address points to the zero page.
    #0 0x551716 in slice_segment_header::dump_slice_segment_header(decoder_context const*, int) const /afltest/libde265/libde265/slice.cc:1281:3
    #1 0x4db1b1 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /afltest/libde265/libde265/decctx.cc:646:11
    #2 0x4e5626 in decoder_context::decode_NAL(NAL_unit*) /afltest/libde265/libde265/decctx.cc:1241:11
    #3 0x4e6247 in decoder_context::decode(int*) /afltest/libde265/libde265/decctx.cc:1329:16
    #4 0x4cd5c4 in main /afltest/libde265/dec265/dec265.cc:784:17
    #5 0x7ffff790d082 in __libc_start_main /build/glibc-BHL3KM/glibc-2.31/csu/…/csu/libc-start.c:308:16
    #6 0x41e66d in _start (/afltest/libde265/dec265/dec265+0x41e66d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /afltest/libde265/libde265/slice.cc:1281:3 in slice_segment_header::dump_slice_segment_header(decoder_context const*, int) const
==38==ABORTING
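The report above is the whole basis for triaging this issue: a SEGV on address 0x0 with a READ access and a "zero page" hint is a NULL-pointer dereference, which crashes the decoder but gives no write primitive. The following script is an added example (not part of the issue or of libde265) that parses an ASan report of this shape into structured fields and derives that classification; the embedded report is the one quoted above, re-flowed one record per line.

```python
import re

# Constructed sample input: the AddressSanitizer report from this issue,
# one record per line (the scraped page ran them together).
ASAN_REPORT = """\
AddressSanitizer:DEADLYSIGNAL
==38==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000551716 bp 0x7ffff7ad66a0 sp 0x7fffffff3de0 T0)
==38==The signal is caused by a READ memory access.
==38==Hint: address points to the zero page.
    #0 0x551716 in slice_segment_header::dump_slice_segment_header(decoder_context const*, int) const /afltest/libde265/libde265/slice.cc:1281:3
    #1 0x4db1b1 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /afltest/libde265/libde265/decctx.cc:646:11
    #2 0x4e5626 in decoder_context::decode_NAL(NAL_unit*) /afltest/libde265/libde265/decctx.cc:1241:11
    #6 0x41e66d in _start (/afltest/libde265/dec265/dec265+0x41e66d)
SUMMARY: AddressSanitizer: SEGV /afltest/libde265/libde265/slice.cc:1281:3 in slice_segment_header::dump_slice_segment_header(decoder_context const*, int) const
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on (?:unknown )?address (0x[0-9a-f]+)", re.I)
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
# Symbolised frame: "#N 0xADDR in <function signature> <file>:<line>:<col>"
FRAME_RE = re.compile(r"#(\d+) 0x[0-9a-f]+ in (.+) (\S+):(\d+):\d+$", re.I)

PAGE_SIZE = 4096  # addresses below this are the zero page ASan's hint refers to


def parse_asan_report(text):
    """Extract crash kind, faulting address, access type and symbolised frames."""
    report = {"kind": None, "address": None, "access": None, "frames": []}
    for line in text.splitlines():
        line = line.strip()
        if m := ERROR_RE.search(line):
            report["kind"], report["address"] = m.group(1), int(m.group(2), 16)
        elif m := ACCESS_RE.search(line):
            report["access"] = m.group(1)
        elif m := FRAME_RE.match(line):
            # Frames without file:line (e.g. _start) are skipped on purpose.
            report["frames"].append({"func": m.group(2), "file": m.group(3), "line": int(m.group(4))})
    report["null_page"] = report["address"] is not None and report["address"] < PAGE_SIZE
    return report


def classify(report):
    """Coarse triage label; a read from the zero page is a NULL deref (DoS, no write primitive)."""
    if report["kind"] != "SEGV":
        return "other"
    if report["null_page"]:
        return "null-deref-" + (report["access"] or "unknown").lower()
    return "segv-wild-pointer"
```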

Reproduction

./autogen.sh
export CFLAGS="-g -lpthread -fsanitize=address"
export CXXFLAGS="-g -lpthread -fsanitize=address"
CC=clang CXX=clang++ ./configure --disable-shared
make -j 32

./dec265/dec265 -c -d -f 153 poc1libde265

PoC

poc1libde265: https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/poc1libde265

Reference

https://github.com/strukturag/libde265

Environment

ubuntu:20.04
gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
clang version 10.0.0-4ubuntu1
afl-cc++4.09

Credit

Zeng Yunxiang
Song Jiaxuan

Related news

Ubuntu Security Notice USN-6677-1

Ubuntu Security Notice 6677-1 - It was discovered that libde265 could be made to dereference invalid memory. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. It was discovered that libde265 could be made to write out of bounds. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.
