Headline
CVE-2023-24758: NULL Pointer Dereference in function ff_hevc_put_weighted_pred_avg_8_sse at sse-motion.cc:254 · Issue #383 · strukturag/libde265
libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the ff_hevc_put_weighted_pred_avg_8_sse function at sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file.
Description
NULL Pointer Dereference in function ff_hevc_put_weighted_pred_avg_8_sse at sse-motion.cc:254
Version
git log
commit 7ea8e3cbb010bc02fa38419e87ed2281d7933850 (HEAD -> master, origin/master, origin/HEAD)
Author: Dirk Farin <[email protected]>
Date: Sat Jan 28 15:03:34 2023 +0100
Steps to reproduce
git clone https://github.com/strukturag/libde265.git
cd libde265
./autogen.sh
export CFLAGS="-g -O0 -lpthread -fsanitize=address"
export CXXFLAGS="-g -O0 -lpthread -fsanitize=address"
export LDFLAGS="-fsanitize=address"
./configure --disable-shared
make -j
cd dec265
./dec265 ./poc_segv06.bin
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: CTB outside of image area (concealing stream error...)
WARNING: CTB outside of image area (concealing stream error...)
WARNING: CTB outside of image area (concealing stream error...)
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3499875==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55555570c79d bp 0x7ffffffe28e0 sp 0x7ffffffe24f0 T0)
==3499875==The signal is caused by a WRITE memory access.
==3499875==Hint: address points to the zero page.
#0 0x55555570c79c in _mm_storel_epi64(long long __vector(2)*, long long __vector(2)) /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:733
#1 0x55555570c79c in ff_hevc_put_weighted_pred_avg_8_sse(unsigned char*, long, short const*, short const*, long, int, int) /home/fuzz/libde265/libde265/x86/sse-motion.cc:254
#2 0x5555557b9c19 in acceleration_functions::put_weighted_pred_avg(void*, long, short const*, short const*, long, int, int, int) const ../libde265/acceleration.h:249
#3 0x5555557a1a6a in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) /home/fuzz/libde265/libde265/motion.cc:544
#4 0x5555557b973e in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /home/fuzz/libde265/libde265/motion.cc:2155
#5 0x5555556848c0 in read_coding_unit(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4314
#6 0x555555689e17 in read_coding_quadtree(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4652
#7 0x555555689940 in read_coding_quadtree(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4635
#8 0x555555672a97 in read_coding_tree_unit(thread_context*) /home/fuzz/libde265/libde265/slice.cc:2861
#9 0x55555568af7b in decode_substream(thread_context*, bool, bool) /home/fuzz/libde265/libde265/slice.cc:4741
#10 0x55555568ea3f in read_slice_segment_data(thread_context*) /home/fuzz/libde265/libde265/slice.cc:5054
#11 0x55555558c205 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /home/fuzz/libde265/libde265/decctx.cc:852
#12 0x55555558d6c0 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /home/fuzz/libde265/libde265/decctx.cc:954
#13 0x55555558a7dc in decoder_context::decode_some(bool*) /home/fuzz/libde265/libde265/decctx.cc:739
#14 0x555555589efc in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /home/fuzz/libde265/libde265/decctx.cc:697
#15 0x55555559070e in decoder_context::decode_NAL(NAL_unit*) /home/fuzz/libde265/libde265/decctx.cc:1239
#16 0x555555592354 in decoder_context::decode(int*) /home/fuzz/libde265/libde265/decctx.cc:1327
#17 0x55555557cffa in de265_decode /home/fuzz/libde265/libde265/de265.cc:362
#18 0x555555577b2f in main /home/fuzz/libde265/dec265/dec265.cc:764
#19 0x7ffff7046082 in __libc_start_main ../csu/libc-start.c:308
#20 0x5555555712ed in _start (/home/fuzz/libde265/dec265/dec265+0x1d2ed)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:733 in _mm_storel_epi64(long long __vector(2)*, long long __vector(2))
==3499875==ABORTING
POC
poc_segv06.bin
GDB
gdb --args ./dec265 ./poc_segv06.bin
─── Output/messages ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: CTB outside of image area (concealing stream error...)
WARNING: CTB outside of image area (concealing stream error...)
WARNING: CTB outside of image area (concealing stream error...)
Program received signal SIGSEGV, Segmentation fault.
0x000055555570c79d in _mm_storel_epi64(long long __vector(2)*, long long __vector(2)) (__B=..., __P=0x0) at /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:733
733 *(__m64_u *)__P = (__m64) ((__v2di)__B)[0];
─── Assembly ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
0x000055555570c787 _mm_storel_epi64(long long __vector(2)*, long long __vector(2))+109 je 0x55555570c796 <ff_hevc_put_weighted_pred_avg_8_sse(unsigned char*, long, short const*, short const*, long, int, int)+2984>
0x000055555570c789 _mm_storel_epi64(long long __vector(2)*, long long __vector(2))+111 mov $0x8,%esi
0x000055555570c78e _mm_storel_epi64(long long __vector(2)*, long long __vector(2))+116 mov %rdx,%rdi
0x000055555570c791 _mm_storel_epi64(long long __vector(2)*, long long __vector(2))+119 callq 0x555555571040 <__asan_report_store_n@plt>
0x000055555570c796 _mm_storel_epi64(long long __vector(2)*, long long __vector(2))+124 mov -0x358(%rbp),%rdx
0x000055555570c79d _mm_storel_epi64(long long __vector(2)*, long long __vector(2))+131 mov %r8,(%rdx)
0x000055555570c7a0 _mm_storel_epi64(long long __vector(2)*, long long __vector(2))+134 nop
─── Registers ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
rax 0x000055555581d520 rbx 0x00007ffffffeed40 rcx 0x0000000000000000 rdx 0x0000000000000000 rsi 0x0000000000000007 rdi 0x0000000000000000 rbp 0x00007ffffffe2890 rsp 0x00007ffffffe24a0
r8 0x0000000000000000 r9 0x0000000000000000 r10 0x0000000000000040 r11 0x0000000000000040 r12 0x000055555581d520 r13 0x0000000000000010 r14 0x00000fffffffc550 r15 0x00007ffffffe2a80
rip 0x000055555570c79d eflags [ PF ZF IF RF ] cs 0x00000033 ss 0x0000002b ds 0x00000000 es 0x00000000 fs 0x00000000 gs 0x00000000
─── Source ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
728 }
729
730 extern __inline void __attribute__((__gnu_inline__, __always_inline__, __artificial__))
731 _mm_storel_epi64 (__m128i_u *__P, __m128i __B)
732 {
733 *(__m64_u *)__P = (__m64) ((__v2di)__B)[0];
734 }
735
736 extern __inline void __attribute__((__gnu_inline__, __always_inline__, __artificial__))
737 _mm_storeu_si64 (void *__P, __m128i __B)
─── Stack ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[0] from 0x000055555570c79d in _mm_storel_epi64(long long __vector(2)*, long long __vector(2))+131 at /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:733
[1] from 0x000055555570c79d in ff_hevc_put_weighted_pred_avg_8_sse(unsigned char*, long, short const*, short const*, long, int, int)+2991 at sse-motion.cc:254
[2] from 0x00005555557b9c1a in acceleration_functions::put_weighted_pred_avg(void*, long, short const*, short const*, long, int, int, int) const+282 at ../libde265/acceleration.h:249
[3] from 0x00005555557a1a6b in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*)+18639 at motion.cc:544
[4] from 0x00005555557b973f in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int)+496 at motion.cc:2155
[5] from 0x00005555556848c1 in read_coding_unit(thread_context*, int, int, int, int)+2148 at slice.cc:4314
[6] from 0x0000555555689e18 in read_coding_quadtree(thread_context*, int, int, int, int)+3873 at slice.cc:4652
[7] from 0x0000555555689941 in read_coding_quadtree(thread_context*, int, int, int, int)+2634 at slice.cc:4635
[8] from 0x0000555555672a98 in read_coding_tree_unit(thread_context*)+1351 at slice.cc:2861
[9] from 0x000055555568af7c in decode_substream(thread_context*, bool, bool)+4333 at slice.cc:4741
[+]
─── Threads ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[1] id 3508110 name dec265 from 0x000055555570c79d in _mm_storel_epi64(long long __vector(2)*, long long __vector(2))+131 at /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:733
─── Variables ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
arg __B = {[0] = 0, [1] = 0}, __P = 0x0: Cannot access memory at address 0x0
loc x = 0, y = 0, dst = 0x0: Cannot access memory at address 0x0, r0 = {[0] = 0, [1] = 0}, r1 = {[0] = 0, [1] = 0}, f0 = {[0] = 18014673391583296, [1] = 18014673391583296}, r2 = {[0] = 0, [1] = 0}, r3 = {[0] = 0, [1] = 0}
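The Variables panel shows the SSE kernel being entered with dst = 0x0 and storing through it. As an added example (not libde265's code), a scalar model of the same 8-bit bi-prediction average with a guarded entry point that rejects a missing destination plane instead of dereferencing it; the names put_weighted_pred_avg_8_checked, demo_pixel and demo_null_dst and the 4x2 sample block are constructed for this note.

```c
#include <stddef.h>
#include <stdint.h>

/* Scalar model of the 8-bit HEVC bi-prediction average. Constructed for this
 * note, not libde265's SSE kernel: same contract (two 14-bit intermediate
 * prediction planes, rounded and clipped to 8 bits), no SIMD, no checks. */
static void weighted_pred_avg_8_scalar(uint8_t *dst, ptrdiff_t dststride,
                                       const int16_t *src1, const int16_t *src2,
                                       ptrdiff_t srcstride, int width, int height)
{
    const int shift = 14 + 1 - 8;         /* 7 for 8-bit output */
    const int offset = 1 << (shift - 1);  /* rounding term, 64 */
    for (int y = 0; y < height; y++) {
        for (int x = 0; x < width; x++) {
            int v = (src1[x] + src2[x] + offset) >> shift;
            dst[x] = (uint8_t)(v < 0 ? 0 : v > 255 ? 255 : v);
        }
        dst += dststride; src1 += srcstride; src2 += srcstride;
    }
}

/* Guarded entry point (hypothetical name): refuses the call instead of
 * writing through a missing plane, the dst = 0x0 case in the crash above.
 * Returns 0 on success, -1 when the arguments are unusable. */
int put_weighted_pred_avg_8_checked(uint8_t *dst, ptrdiff_t dststride,
                                    const int16_t *src1, const int16_t *src2,
                                    ptrdiff_t srcstride, int width, int height)
{
    if (dst == NULL || src1 == NULL || src2 == NULL) return -1;
    if (width <= 0 || height <= 0) return -1;
    if (dststride < width || srcstride < width) return -1;
    weighted_pred_avg_8_scalar(dst, dststride, src1, src2, srcstride, width, height);
    return 0;
}

/* Constructed 4x2 sample block covering normal, saturated and negative input. */
static const int16_t sample_a[8] = { 0, 8192, 16383, -100, 4096, 4096, 0, 8192 };
static const int16_t sample_b[8] = { 0, 8192, 16383,    0, 4096, 4000, 0,    0 };

/* Output sample i of the constructed block, or -1 if the guarded call refused. */
int demo_pixel(int i)
{
    uint8_t out[8] = {0};
    if (put_weighted_pred_avg_8_checked(out, 4, sample_a, sample_b, 4, 4, 2) != 0) return -1;
    return (i >= 0 && i < 8) ? out[i] : -1;
}

/* Same call with no destination plane, as in the crash: rejected, not dereferenced. */
int demo_null_dst(void) { return put_weighted_pred_avg_8_checked(NULL, 4, sample_a, sample_b, 4, 4, 2); }
```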
Impact
This vulnerability is capable of crashing software, causing a denial of service via a crafted input file.
Related news
Gentoo Linux Security Advisory 202408-20 - Multiple vulnerabilities have been discovered in libde265, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 1.0.11 are affected.
Ubuntu Security Notice 6659-1 - It was discovered that libde265 could be made to write out of bounds. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service or execute arbitrary code. It was discovered that libde265 could be made to read out of bounds. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service.