Headline
CVE-2020-21605: segment fault in apply_sao_internal when decoding file · Issue #234 · strukturag/libde265
libde265 v1.0.4 contains a segmentation fault in the apply_sao_internal function, which can be exploited via a crafted a file.
segment fault in apply_sao_internal when decoding file
I found some problems during fuzzing
Test Version
dev version, git clone https://github.com/strukturag/libde265
Test Environment
root@ubuntu:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.6 LTS
Release: 16.04
Codename: xenial
root@ubuntu:# uname -a
Linux ubuntu 4.15.0-45-generic #4816.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Test Configure
./configure
configure: ---------------------------------------
configure: Building dec265 example: yes
configure: Building sherlock265 example: no
configure: Building encoder: yes
configure: ---------------------------------------
Test Program
dec265 [infile]
Asan Output
root@ubuntu:~# ./dec265 libde265-apply_sao_internal-segment.crash
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
WARNING: pps header invalid
ASAN:SIGSEGV
=================================================================
==34516==ERROR: AddressSanitizer: SEGV on unknown address 0x62c02b4f5c83 (pc 0x00000045b20d bp 0x7ffc86181280 sp 0x7ffc86180f90 T0)
#0 0x45b20c in void apply_sao_internal<unsigned short>(de265_image*, int, int, slice_segment_header const*, int, int, int, unsigned short const*, int, unsigned short*, int) /root/src/libde265/libde265/sao.cc:252
#1 0x45973e in void apply_sao<unsigned char>(de265_image*, int, int, slice_segment_header const*, int, int, int, unsigned char const*, int, unsigned char*, int) /root/src/libde265/libde265/sao.cc:270
#2 0x457778 in apply_sample_adaptive_offset_sequential(de265_image*) /root/src/libde265/libde265/sao.cc:361
#3 0x413beb in decoder_context::run_postprocessing_filters_sequential(de265_image*) /root/src/libde265/libde265/decctx.cc:1889
#4 0x40b849 in decoder_context::decode_some(bool*) /root/src/libde265/libde265/decctx.cc:769
#5 0x40e23e in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1329
#6 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
#7 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
#8 0x7f71b014282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#9 0x402b28 in _start (/root/dec265+0x402b28)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/src/libde265/libde265/sao.cc:252 void apply_sao_internal<unsigned short>(de265_image*, int, int, slice_segment_header const*, int, int, int, unsigned short const*, int, unsigned short*, int)
==34516==ABORTING
POC file
libde265-apply_sao_internal-segment.zip
password: leon.zhao.7
CREDIT
Zhao Liang, Huawei Weiran Labs
Related news
Gentoo Linux Security Advisory 202408-20 - Multiple vulnerabilities have been discovered in libde265, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 1.0.11 are affected.
Ubuntu Security Notice 6617-1 - It was discovered that libde265 could be made to write out of bounds. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. It was discovered that libde265 could be made to write out of bounds. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
Debian Linux Security Advisory 5346-1 - Multiple security issues were discovered in libde265, an implementation of the H.265 video codec which may result in denial of service and potentially the execution of arbitrary code if a malformed media file is processed.