Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-49468: global-buffer-overflow in read_coding_unit · Issue #432 · strukturag/libde265

Libde265 v1.0.14 was discovered to contain a global buffer overflow vulnerability in the read_coding_unit function at slice.cc.

CVE
#vulnerability#ubuntu#c++#buffer_overflow

Description

global-buffer-overflow libde265/libde265/slice.cc:4493 in read_coding_unit(thread_context*, int, int, int, int)

Version

 dec265  v1.0.14
-----------------
usage: dec265 [options] videofile.bin
The video file must be a raw bitstream, or a stream with NAL units (option -n).

options:
  -q, --quiet       do not show decoded image
  -t, --threads N   set number of worker threads (0 - no threading)
  -c, --check-hash  perform hash check
  -n, --nal         input is a stream with 4-byte length prefixed NAL units
  -f, --frames N    set number of frames to process
  -o, --output      write YUV reconstruction
  -d, --dump        dump headers
  -0, --noaccel     do not use any accelerated code (SSE)
  -v, --verbose     increase verbosity level (up to 3 times)
  -L, --no-logging  disable logging
  -B, --write-bytestream FILENAME  write raw bytestream (from NAL input)
  -m, --measure YUV compute PSNRs relative to reference YUV
  -T, --highest-TID select highest temporal sublayer to decode
      --disable-deblocking   disable deblocking filter
      --disable-sao          disable sample-adaptive offset filter
  -h, --help        show help

Replay

cd libde265
CC="gcc -fsanitize=address" CXX="g++ -fsanitize=address" ./configure
make -j
./dec265/dec265 ./poc

ASAN

==1753516==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f6e8318665e at pc 0x7f6e83139f09 bp 0x7fffda7f3620 sp 0x7fffda7f3610
READ of size 1 at 0x7f6e8318665e thread T0
    #0 0x7f6e83139f08 in read_coding_unit(thread_context*, int, int, int, int) libde265/libde265/slice.cc:4493
    #1 0x7f6e8313abda in read_coding_quadtree(thread_context*, int, int, int, int) libde265/libde265/slice.cc:4650
    #2 0x7f6e8313b941 in decode_substream(thread_context*, bool, bool) libde265/libde265/slice.cc:4750
    #3 0x7f6e8313d29d in read_slice_segment_data(thread_context*) libde265/libde265/slice.cc:5063
    #4 0x7f6e830ca881 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) libde265/libde265/decctx.cc:854
    #5 0x7f6e830cca4d in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) libde265/libde265/decctx.cc:956
    #6 0x7f6e830ccfe5 in decoder_context::decode_some(bool*) libde265/libde265/decctx.cc:741
    #7 0x7f6e830d4ec2 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) libde265/libde265/decctx.cc:699
    #8 0x7f6e830d5a4d in decoder_context::decode_NAL(NAL_unit*) libde265/libde265/decctx.cc:1241
    #9 0x7f6e830d6308 in decoder_context::decode(int*) libde265/libde265/decctx.cc:1329
    #10 0x55b9a8c5fd26 in main libde265/dec265/dec265.cc:784
    #11 0x7f6e81e29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #12 0x7f6e81e29e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #13 0x55b9a8c60ca4 in _start (libde265/dec265/.libs/dec265+0x5ca4)

0x7f6e8318665e is located 14 bytes to the right of global variable 'ctxIdxMap' defined in 'slice.cc:1964:22' (0x7f6e83186640) of size 16
SUMMARY: AddressSanitizer: global-buffer-overflow libde265/libde265/slice.cc:4493 in read_coding_unit(thread_context*, int, int, int, int)
Shadow bytes around the buggy address:
  0x0fee50628c70: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 01 f9 f9
  0x0fee50628c80: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 00 00 01
  0x0fee50628c90: f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 00 00 00 00
  0x0fee50628ca0: 00 00 00 03 f9 f9 f9 f9 00 00 00 00 00 00 00 02
  0x0fee50628cb0: f9 f9 f9 f9 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9
=>0x0fee50628cc0: 00 00 f9 f9 f9 f9 f9 f9 00 00 f9[f9]f9 f9 f9 f9
  0x0fee50628cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fee50628ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fee50628cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fee50628d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fee50628d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1753516==ABORTING

POC

poc

Environment

Description:    Ubuntu 22.04.2 LTS
gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0

Credit

Yuchuan Meng (Fudan University)

Related news

Ubuntu Security Notice USN-6677-1

Ubuntu Security Notice 6677-1 - It was discovered that libde265 could be made to dereference invalid memory. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. It was discovered that libde265 could be made to write out of bounds. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907