CVE-2022-1253: Heap-based Buffer Overflow in libde265
Heap-based buffer overflow in the GitHub repository strukturag/libde265, in versions up to and including 1.0.8. The fix is in commit 8e89fe0e175d2870c39486fdd09250b230ec10b8 but is not yet part of an official release.
Valid
Reported on
May 13th 2021
✍️ Description
heap-buffer-overflow of decctx.cc in function read_sps_NAL
🕵️♂️ Proof of Concept
Verification steps:
1. Get the source code of Bento4
2. Compile the Bento4
$ ./autogen.sh
$ export CFLAGS="-g -lpthread -fsanitize=address"
$ export CXXFLAGS="-g -lpthread -fsanitize=address"
$ CC=clang CXX=clang++ ./configure --disable-shared
$ make -j 32
3. Run
$ ./dec265 poc
💥 Impact
This vulnerability is capable of DDOS or code execution
Fixed in 8e89fe0e175d2870c39486fdd09250b230ec10b8
@farindk - thanks for the information. Would you be able to approve and confirm the fix using the action buttons in the drop-down section above?
Dirk Farin validated this vulnerability 3 days ago
RouX has been awarded the disclosure bounty
The fix bounty is now up for grabs