libde265 v1.0.4 contains a heap buffer overflow fault in the put_epel_16_fallback function, which can be exploited via a crafted a file.

CVE-2020-21606: heap-buffer-overflow in put_epel_16_fallback when decoding file · Issue #232 · strukturag/libde265

libde265 v1.0.4 contains a global buffer overflow in the decode_CABAC_bit function, which can be exploited via a crafted a file.

**global buffer overflow in decode\_CABAC\_bit when decoding file**

I found some problems during fuzzing

**Test Version**

dev version, git clone https://github.com/strukturag/libde265

**Test Environment**

root@ubuntu:~# lsb\_release -a  
No LSB modules are available.  
Distributor ID: Ubuntu  
Description: Ubuntu 16.04.6 LTS  
Release: 16.04  
Codename: xenial

root@ubuntu:\# uname -a  
Linux ubuntu 4.15.0-45-generic #4816.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86\_64 x86\_64 x86\_64 GNU/Linux

**Test Configure**

./configure  
configure: ---------------------------------------  
configure: Building dec265 example: yes  
configure: Building sherlock265 example: no  
configure: Building encoder: yes  
configure: ---------------------------------------

**Test Program**

dec265 [infile]

**Asan Output**

    root@ubuntu:~# ./dec265 libde265-decode_CABAC_bit-overflow.crash
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    WARNING: slice header invalid
    =================================================================
    ==58539==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000054625f at pc 0x0000004fc1cf bp 0x7fffa287c990 sp 0x7fffa287c980
    READ of size 1 at 0x00000054625f thread T0
        #0 0x4fc1ce in decode_CABAC_bit(CABAC_decoder*, context_model*) /root/src/libde265/libde265/cabac.cc:180
        #1 0x46fca1 in decode_cu_skip_flag /root/src/libde265/libde265/slice.cc:1679
        #2 0x4797c7 in read_coding_unit(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4289
        #3 0x47b6fe in read_coding_quadtree(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4647
        #4 0x47b53f in read_coding_quadtree(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4630
        #5 0x47338a in read_coding_tree_unit(thread_context*) /root/src/libde265/libde265/slice.cc:2861
        #6 0x47beb1 in decode_substream(thread_context*, bool, bool) /root/src/libde265/libde265/slice.cc:4736
        #7 0x47db9f in read_slice_segment_data(thread_context*) /root/src/libde265/libde265/slice.cc:5049
        #8 0x40bf17 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:843
        #9 0x40c6d7 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:945
        #10 0x40b589 in decoder_context::decode_some(bool*) /root/src/libde265/libde265/decctx.cc:730
        #11 0x40b2f2 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:688
        #12 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
        #13 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
        #14 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
        #15 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
        #16 0x7f83f76d982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #17 0x402b28 in _start (/root/dec265+0x402b28)
    
    0x00000054625f is located 31 bytes to the right of global variable 'next_state_MPS' defined in 'cabac.cc:112:22' (0x546200) of size 64
    0x00000054625f is located 1 bytes to the left of global variable 'next_state_LPS' defined in 'cabac.cc:120:22' (0x546260) of size 64
    SUMMARY: AddressSanitizer: global-buffer-overflow /root/src/libde265/libde265/cabac.cc:180 decode_CABAC_bit(CABAC_decoder*, context_model*)
    Shadow bytes around the buggy address:
      0x0000800a0bf0: 00 00 00 01 f9 f9 f9 f9 00 00 00 00 00 02 f9 f9
      0x0000800a0c00: f9 f9 f9 f9 00 00 00 00 00 00 00 00 01 f9 f9 f9
      0x0000800a0c10: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000800a0c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000800a0c30: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
    =>0x0000800a0c40: 00 00 00 00 00 00 00 00 f9 f9 f9[f9]00 00 00 00
      0x0000800a0c50: 00 00 00 00 f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9
      0x0000800a0c60: 00 04 f9 f9 f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9
      0x0000800a0c70: 00 01 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
      0x0000800a0c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000800a0c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==58539==ABORTING
    

**POC file**

libde265-decode\_CABAC\_bit-overflow.zip  
password: leon.zhao.7

**CREDIT**

Zhao Liang, Huawei Weiran Labs

CVE-2020-21596: global buffer overflow in decode_CABAC_bit when decoding file · Issue #236 · strukturag/libde265

libde265 v1.0.4 contains a heap buffer overflow in the mc_chroma function, which can be exploited via a crafted a file.

**heap-buffer-overflow in mc\_chroma when decoding file**

I found some problems during fuzzing

**Test Version**

dev version, git clone https://github.com/strukturag/libde265

**Test Environment**

root@ubuntu:~# lsb\_release -a  
No LSB modules are available.  
Distributor ID: Ubuntu  
Description: Ubuntu 16.04.6 LTS  
Release: 16.04  
Codename: xenial

root@ubuntu:\# uname -a  
Linux ubuntu 4.15.0-45-generic #4816.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86\_64 x86\_64 x86\_64 GNU/Linux

**Test Configure**

./configure  
configure: ---------------------------------------  
configure: Building dec265 example: yes  
configure: Building sherlock265 example: no  
configure: Building encoder: yes  
configure: ---------------------------------------

**Test Program**

dec265 [infile]

**Asan Output**

    root@ubuntu:~# ./dec265 libde265-mc_chroma-heap_overflow.crash
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: faulty reference picture list
    WARNING: slice segment address invalid
    WARNING: faulty reference picture list
    =================================================================
    ==78714==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001bf10 at pc 0x00000052e002 bp 0x7ffc932b5930 sp 0x7ffc932b5920
    READ of size 2 at 0x61b00001bf10 thread T0
        #0 0x52e001 in void mc_chroma<unsigned short>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned short const*, int, int, int, int) /root/src/libde265/libde265/motion.cc:244
        #1 0x51f88a in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) /root/src/libde265/libde265/motion.cc:382
        #2 0x52b8f9 in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /root/src/libde265/libde265/motion.cc:2107
        #3 0x478f4a in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int) /root/src/libde265/libde265/slice.cc:4137
        #4 0x47a704 in read_coding_unit(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4492
        #5 0x47b6fe in read_coding_quadtree(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4647
        #6 0x47338a in read_coding_tree_unit(thread_context*) /root/src/libde265/libde265/slice.cc:2861
        #7 0x47beb1 in decode_substream(thread_context*, bool, bool) /root/src/libde265/libde265/slice.cc:4736
        #8 0x47db9f in read_slice_segment_data(thread_context*) /root/src/libde265/libde265/slice.cc:5049
        #9 0x40bf17 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:843
        #10 0x40c6d7 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:945
        #11 0x40b589 in decoder_context::decode_some(bool*) /root/src/libde265/libde265/decctx.cc:730
        #12 0x40b2f2 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:688
        #13 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
        #14 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
        #15 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
        #16 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
        #17 0x7f97d894282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #18 0x402b28 in _start (/root/dec265+0x402b28)
    
    0x61b00001bf10 is located 0 bytes to the right of 1424-byte region [0x61b00001b980,0x61b00001bf10)
    allocated by thread T0 here:
        #0 0x7f97d9843076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
        #1 0x43e00d in ALLOC_ALIGNED /root/src/libde265/libde265/image.cc:54
        #2 0x43e725 in de265_image_get_buffer /root/src/libde265/libde265/image.cc:132
        #3 0x440639 in de265_image::alloc_image(int, int, de265_chroma, std::shared_ptr<seq_parameter_set const>, bool, decoder_context*, long, void*, bool) /root/src/libde265/libde265/image.cc:384
        #4 0x43afa4 in decoded_picture_buffer::new_image(std::shared_ptr<seq_parameter_set const>, decoder_context*, long, void*, bool) /root/src/libde265/libde265/dpb.cc:262
        #5 0x40ee8b in decoder_context::generate_unavailable_reference_picture(seq_parameter_set const*, int, bool) /root/src/libde265/libde265/decctx.cc:1418
        #6 0x411722 in decoder_context::process_reference_picture_set(slice_segment_header*) /root/src/libde265/libde265/decctx.cc:1648
        #7 0x414cc9 in decoder_context::process_slice_segment_header(slice_segment_header*, de265_error*, long, nal_header*, void*) /root/src/libde265/libde265/decctx.cc:2066
        #8 0x40acad in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:639
        #9 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
        #10 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
        #11 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
        #12 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
        #13 0x7f97d894282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /root/src/libde265/libde265/motion.cc:244 void mc_chroma<unsigned short>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned short const*, int, int, int, int)
    Shadow bytes around the buggy address:
      0x0c367fffb790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fffb7a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fffb7b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fffb7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fffb7d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c367fffb7e0: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c367fffb7f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c367fffb800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c367fffb810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fffb820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fffb830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==78714==ABORTING
    

**POC file**

libde265-mc\_chroma-heap\_overflow.zip  
password: leon.zhao.7

**CREDIT**

Zhao Liang, Huawei Weiran Labs

CVE-2020-21597: heap-buffer-overflow in mc_chroma when decoding file · Issue #238 · strukturag/libde265

libde265 v1.0.4 contains a heap buffer overflow fault in the _mm_loadl_epi64 function, which can be exploited via a crafted a file.

**heap-buffer-overflow in decode file**

I found some problems during fuzzing

**Test Version**

dev version, git clone https://github.com/strukturag/libde265

**Test Environment**

root@ubuntu:~# lsb\_release -a  
No LSB modules are available.  
Distributor ID: Ubuntu  
Description: Ubuntu 16.04.6 LTS  
Release: 16.04  
Codename: xenial

**Test Configure**

./configure  
configure: ---------------------------------------  
configure: Building dec265 example: yes  
configure: Building sherlock265 example: no  
configure: Building encoder: yes  
configure: ---------------------------------------

**Test Program**

dec265 [infile]

**Asan Output**

    root@ubuntu:~# /opt/asan/bin/dec265 libde265-mm_loadl_epi64-heap_overflow.crash
    WARNING: maximum number of reference pictures exceeded
    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    WARNING: faulty reference picture list
    WARNING: coded parameter out of range
    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    WARNING: faulty reference picture list
    WARNING: faulty reference picture list
    WARNING: maximum number of reference pictures exceeded
    WARNING: maximum number of reference pictures exceeded
    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    WARNING: faulty reference picture list
    WARNING: faulty reference picture list
    =================================================================
    ==129719==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62b000068560 at pc 0x0000004d0359 bp 0x7ffe48aefc20 sp 0x7ffe48aefc10
    READ of size 8 at 0x62b000068560 thread T0
        #0 0x4d0358 in _mm_loadl_epi64(long long __vector(2) const*) /usr/lib/gcc/x86_64-linux-gnu/5/include/emmintrin.h:704
        #1 0x4d0358 in ff_hevc_put_hevc_epel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, int, int, short*) /root/src/libde265/libde265/x86/sse-motion.cc:987
        #2 0x52bf76 in acceleration_functions::put_hevc_epel(short*, long, void const*, long, int, int, int, int, short*, int) const ../libde265/acceleration.h:296
        #3 0x52dc7a in void mc_chroma<unsigned short>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned short const*, int, int, int, int) /root/src/libde265/libde265/motion.cc:205
        #4 0x51f88a in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) /root/src/libde265/libde265/motion.cc:382
        #5 0x52b8f9 in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /root/src/libde265/libde265/motion.cc:2107
        #6 0x47995d in read_coding_unit(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4310
        #7 0x47b6fe in read_coding_quadtree(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4647
        #8 0x47b611 in read_coding_quadtree(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4636
        #9 0x47338a in read_coding_tree_unit(thread_context*) /root/src/libde265/libde265/slice.cc:2861
        #10 0x47beb1 in decode_substream(thread_context*, bool, bool) /root/src/libde265/libde265/slice.cc:4736
        #11 0x47db9f in read_slice_segment_data(thread_context*) /root/src/libde265/libde265/slice.cc:5049
        #12 0x40bf17 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:843
        #13 0x40c6d7 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:945
        #14 0x40b589 in decoder_context::decode_some(bool*) /root/src/libde265/libde265/decctx.cc:730
        #15 0x40b2f2 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:688
        #16 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
        #17 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
        #18 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
        #19 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
        #20 0x7f56cd48d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #21 0x402b28 in _start (/opt/asan/bin/dec265+0x402b28)
    
    0x62b000068560 is located 80 bytes to the right of 25360-byte region [0x62b000062200,0x62b000068510)
    allocated by thread T0 here:
        #0 0x7f56ce38e076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
        #1 0x43e00d in ALLOC_ALIGNED /root/src/libde265/libde265/image.cc:54
        #2 0x43e725 in de265_image_get_buffer /root/src/libde265/libde265/image.cc:132
        #3 0x440639 in de265_image::alloc_image(int, int, de265_chroma, std::shared_ptr<seq_parameter_set const>, bool, decoder_context*, long, void*, bool) /root/src/libde265/libde265/image.cc:384
        #4 0x43afa4 in decoded_picture_buffer::new_image(std::shared_ptr<seq_parameter_set const>, decoder_context*, long, void*, bool) /root/src/libde265/libde265/dpb.cc:262
        #5 0x40ee8b in decoder_context::generate_unavailable_reference_picture(seq_parameter_set const*, int, bool) /root/src/libde265/libde265/decctx.cc:1418
        #6 0x411722 in decoder_context::process_reference_picture_set(slice_segment_header*) /root/src/libde265/libde265/decctx.cc:1648
        #7 0x414cc9 in decoder_context::process_slice_segment_header(slice_segment_header*, de265_error*, long, nal_header*, void*) /root/src/libde265/libde265/decctx.cc:2066
        #8 0x40acad in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:639
        #9 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
        #10 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
        #11 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
        #12 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
        #13 0x7f56cd48d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/lib/gcc/x86_64-linux-gnu/5/include/emmintrin.h:704 _mm_loadl_epi64(long long __vector(2) const*)
    Shadow bytes around the buggy address:
      0x0c5680005050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5680005060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5680005070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5680005080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5680005090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c56800050a0: 00 00 fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa
      0x0c56800050b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c56800050c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c56800050d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c56800050e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c56800050f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==129719==ABORTING
    

**POC file**

libde265-mm\_loadl\_epi64-heap\_overflow.zip  
password: leon.zhao.7

**CREDIT**

Zhao Liang, Huawei Weiran Labs

CVE-2020-21604: heap-buffer-overflow in decode file · Issue #231 · strukturag/libde265

fig2dev 3.2.7b contains a global buffer overflow in the conv_pattern_index function in gencgm.c.

*   Summary
*   Files
*   Reviews
*   Support
*   Tickets
*   Discussion
*   Git ▾
    *   fig2dev
    *   xfig

Menu ▾ ▴

Status: closed

Owner: nobody

Labels: None

Updated: 2020-12-21

Created: 2019-12-12

Private: No

Hi  
I found a global-buffer-overflow in conv\_pattern\_index() at gencgm.c:533  
Please run following command to reproduce it,

Here's log

An open polygon at line 31 \- close it.
\=================================================================
\==27666\==ERROR: AddressSanitizer: global\-buffer\-overflow on address 0x55d8bbafa358 at pc 0x55d8bb7759da bp 0x7ffd22f17220 sp 0x7ffd22f17210
READ of size 4 at 0x55d8bbafa358 thread T0
    #0 0x55d8bb7759d9 in conv\_pattern\_index fig2dev\-3.2.7b/fig2dev/dev/gencgm.c:533
    #1 0x55d8bb775a20 in hatchindex fig2dev\-3.2.7b/fig2dev/dev/gencgm.c:543
    #2 0x55d8bb776d1d in shape fig2dev\-3.2.7b/fig2dev/dev/gencgm.c:638
    #3 0x55d8bb77cbc4 in gencgm\_line fig2dev\-3.2.7b/fig2dev/dev/gencgm.c:1044
    #4 0x55d8bb75aa3f in gendev\_objects fig2dev\-3.2.7b/fig2dev/fig2dev.c:1003
    #5 0x55d8bb7592bf in main fig2dev\-3.2.7b/fig2dev/fig2dev.c:480
    #6 0x7fe59b3a7b96 in \_\_libc\_start\_main (/lib/x86\_64\-linux\-gnu/libc.so.6+0x21b96)
    #7 0x55d8bb749979 in \_start (fig2dev\-3.2.7b+0x6e979)

0x55d8bbafa358 is located 0 bytes to the right of global variable 'map\_pattern' defined in 'gencgm.c:138:5' (0x55d8bbafa300) of size 88
0x55d8bbafa358 is located 40 bytes to the left of global variable 'oldfillcolor' defined in 'gencgm.c:490:12' (0x55d8bbafa380) of size 4
SUMMARY: AddressSanitizer: global\-buffer\-overflow fig2dev\-3.2.7b/fig2dev/dev/gencgm.c:533 in conv\_pattern\_index
Shadow bytes around the buggy address:
  0x0abb97757410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abb97757420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abb97757430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abb97757440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0abb97757450: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
\=>0x0abb97757460: 00 00 00 00 00 00 00 00 00 00 00\[f9\]f9 f9 f9 f9
  0x0abb97757470: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x0abb97757480: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x0abb97757490: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x0abb977574a0: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x0abb977574b0: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\==27666\==ABORTING

fig2dev Version 3.2.7b  
I also tested this in git Commit \[3065ab\] and can reproduce it.

**1 Attachments**

**Related**

Commit: \[3065ab\]  

**Discussion**

Log in to post a comment.

CVE-2020-21531: Xfig / Tickets / #63 global-buffer-overflow in conv_pattern_index() function

fig2dev 3.2.7b contains a global buffer overflow in the setfigfont function in genepic.c.

*   Summary
*   Files
*   Reviews
*   Support
*   Tickets
*   Discussion
*   Git ▾
    *   fig2dev
    *   xfig

Menu ▾ ▴

Status: closed

Owner: nobody

Labels: None

Updated: 2020-12-21

Created: 2019-12-12

Private: No

Hi  
I found a global-buffer-overflow in setfigfont() function at genepic.c:1239  
Please run following command to reproduce it,

Here's log

\=================================================================
\==16081\==ERROR: AddressSanitizer: global\-buffer\-overflow on address 0x55aa8f20b5f8 at pc 0x55aa8ee6a136 bp 0x7ffd722c0050 sp 0x7ffd722c0040
READ of size 8 at 0x55aa8f20b5f8 thread T0
    #0 0x55aa8ee6a135 in setfigfont fig2dev\-3.2.7b/fig2dev/dev/genepic.c:1239
    #1 0x55aa8ee6a9f5 in genepic\_text fig2dev\-3.2.7b/fig2dev/dev/genepic.c:1312
    #2 0x55aa8ee1ea3f in gendev\_objects fig2dev\-3.2.7b/fig2dev/fig2dev.c:1003
    #3 0x55aa8ee1d2bf in main fig2dev\-3.2.7b/fig2dev/fig2dev.c:480
    #4 0x7f1a35038b96 in \_\_libc\_start\_main (/lib/x86\_64\-linux\-gnu/libc.so.6+0x21b96)
    #5 0x55aa8ee0d979 in \_start (fig2dev\-3.2.7b+0x6e979)

0x55aa8f20b5f8 is located 40 bytes to the right of global variable 'texfontseries' defined in 'texfonts.c:36:13' (0x55aa8f20b5a0) of size 48
0x55aa8f20b5f8 is located 8 bytes to the left of global variable 'texfontshape' defined in 'texfonts.c:45:13' (0x55aa8f20b600) of size 48
SUMMARY: AddressSanitizer: global\-buffer\-overflow fig2dev\-3.2.7b/fig2dev/dev/genepic.c:1239 in setfigfont
Shadow bytes around the buggy address:
  0x0ab5d1e39660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab5d1e39670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab5d1e39680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab5d1e39690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab5d1e396a0: 00 04 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 f9 f9
\=>0x0ab5d1e396b0: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9 f9 f9 f9\[f9\]
  0x0ab5d1e396c0: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0ab5d1e396d0: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ab5d1e396e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab5d1e396f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab5d1e39700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\==16081\==ABORTING

fig2dev Version 3.2.7b  
I also tested this in git Commit \[3065ab\] and can reproduce it.

**1 Attachments**

**Related**

Commit: \[3065ab\]  

**Discussion**

Log in to post a comment.

CVE-2020-21532: Xfig / Tickets / #64 global-buffer-overflow in setfigfont() function

fig2dev 3.2.7b contains a stack buffer overflow in the bezier_spline function in genepic.c.

CVE-2020-21529: Xfig / Tickets / #65 stack-overflow in bezier_spline function

vim is vulnerable to Heap-based Buffer Overflow

Browse files

patch 8.2.3409: reading beyond end of line with invalid utf-8 character

Problem:    Reading beyond end of line with invalid utf-8 character.
Solution:   Check for NUL when advancing.

*   Loading branch information

brammool committed

Sep 7, 2021

1 parent ddfc051 commit 65b605665997fad54ef39a93199e305af2fe4d7f

CVE-2021-3778: patch 8.2.3409: reading beyond end of line with invalid utf-8 character · vim/vim@65b6056

Libsixel prior to v1.8.3 contains a stack buffer overflow in the function gif_process_raster at fromgif.c.

Our fuzzer detected several crashes when converting gif file against 2df6437 (compiled with Address Sanitizer). The command to trigger that is img2sixel $POC -o /tmp/test.six where $POC can be:  
https://github.com/ntu-sec/pocs/blob/master/libsixel-2df6437/crashes/so\_fromgif.c%3A310\_1.gif  
https://github.com/ntu-sec/pocs/blob/master/libsixel-2df6437/crashes/so\_fromgif.c%3A310\_2.gif

gdb output is like:

    GNU gdb (Ubuntu 8.1-0ubuntu3) 8.1.0.20180409-git
    Copyright (C) 2018 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
    and "show warranty" for details.
    This GDB was configured as "x86_64-linux-gnu".
    Type "show configuration" for configuration details.
    For bug reporting instructions, please see:
    <http://www.gnu.org/software/gdb/bugs/>.
    Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.
    For help, type "help".
    Type "apropos word" to search for commands related to "word"...
    Reading symbols from /home/hongxu/FOT/libsixel/install/bin/img2sixel...done.
    Starting program: /home/hongxu/FOT/libsixel/install/bin/img2sixel hbo_fromgif.c:310_1.gif -o /tmp/test.six
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    =================================================================
    ==17533==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffa7d8 at pc 0x7ffff7b5f160 bp 0x7fffffff5950 sp 0x7fffffff5948
    WRITE of size 2 at 0x7fffffffa7d8 thread T0
        #0 0x7ffff7b5f15f in gif_process_raster /home/hongxu/FOT/libsixel/src/fromgif.c:310:31
        #1 0x7ffff7b5c303 in gif_load_next /home/hongxu/FOT/libsixel/src/fromgif.c:462:22
        #2 0x7ffff7b5a25e in load_gif /home/hongxu/FOT/libsixel/src/fromgif.c:599:22
        #3 0x7ffff7b11198 in load_with_builtin /home/hongxu/FOT/libsixel/src/loader.c:858:18
        #4 0x7ffff7b10116 in sixel_helper_load_image_file /home/hongxu/FOT/libsixel/src/loader.c:1352:18
        #5 0x7ffff7b69d98 in sixel_encoder_encode /home/hongxu/FOT/libsixel/src/encoder.c:1737:14
        #6 0x515787 in main /home/hongxu/FOT/libsixel/converters/img2sixel.c:457:22
        #7 0x7ffff61a6b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
        #8 0x41a239 in _start (/home/hongxu/FOT/libsixel/install/bin/img2sixel+0x41a239)
    
    Address 0x7fffffffa7d8 is located in stack of thread T0 at offset 18296 in frame
        #0 0x7ffff7b5999f in load_gif /home/hongxu/FOT/libsixel/src/fromgif.c:555
    
      This frame has 4 object(s):
        [32, 208) 's' (line 556)
        [272, 18296) 'g' (line 557) <== Memory access at offset 18296 overflows this variable
        [18560, 18568) 'frame' (line 559)
        [18592, 18600) 'fnp' (line 560)
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow /home/hongxu/FOT/libsixel/src/fromgif.c:310:31 in gif_process_raster
    Shadow bytes around the buggy address:
      0x10007fff74a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff74b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff74c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff74d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff74e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x10007fff74f0: 00 00 00 00 00 00 00 00 00 00 00[f2]f2 f2 f2 f2
      0x10007fff7500: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
      0x10007fff7510: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2
      0x10007fff7520: 00 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==17533==ABORTING
    
    Program received signal SIGABRT, Aborted.
    __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
    51	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    #0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
    #1  0x00007ffff61c5801 in __GI_abort () at abort.c:79
    #2  0x000000000050376b in __sanitizer::Abort() ()
    #3  0x0000000000500a98 in __sanitizer::Die() ()
    #4  0x00000000004e2d1d in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) ()
    #5  0x00000000004e374b in __asan_report_store2 ()
    #6  0x00007ffff7b5f160 in gif_process_raster (s=0x7fffffff6080, g=0x7fffffff6170) at fromgif.c:310
    #7  0x00007ffff7b5c304 in gif_load_next (s=0x7fffffff6080, g=0x7fffffff6170, bgcolor=0x0) at fromgif.c:462
    #8  0x00007ffff7b5a25f in load_gif (buffer=0x62d000000400 "GIF89a\f", size=0xca, bgcolor=0x0, reqcolors=0x100, fuse_palette=0x1, fstatic=0x0, loop_control=0x0, fn_load=0x7ffff7b6a090 <load_image_callback>, context=0x610000000040, allocator=0x604000000190) at fromgif.c:599
    #9  0x00007ffff7b11199 in load_with_builtin (pchunk=0x603000000e20, fstatic=0x0, fuse_palette=0x1, reqcolors=0x100, bgcolor=0x0, loop_control=0x0, fn_load=0x7ffff7b6a090 <load_image_callback>, context=0x610000000040) at loader.c:858
    #10 0x00007ffff7b10117 in sixel_helper_load_image_file (filename=0x7fffffffc9ed "hbo_fromgif.c:310_1.gif", fstatic=0x0, fuse_palette=0x1, reqcolors=0x100, bgcolor=0x0, loop_control=0x0, fn_load=0x7ffff7b6a090 <load_image_callback>, finsecure=0x0, cancel_flag=0x13b61c0 <signaled>, context=0x610000000040, allocator=0x604000000190) at loader.c:1352
    #11 0x00007ffff7b69d99 in sixel_encoder_encode (encoder=0x610000000040, filename=0x7fffffffc9ed "hbo_fromgif.c:310_1.gif") at encoder.c:1737
    #12 0x0000000000515788 in main (argc=0x4, argv=0x7fffffffc488) at img2sixel.c:457

CVE-2020-21050: AddressSanitizer: stack-buffer-overflow at fromgif.c:310 · Issue #75 · saitoha/libsixel

Multiple camera devices by UDP Technology, GeutebrÃ¼ck and other vendors allow unauthenticated remote access to sensitive files due to default user authentication settings. This can lead to manipulation of the device and denial of service.

Tag

#buffer_overflow