Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_weighted_pred_avg_16_fallback in fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.

**Description**

Heap-buffer-overflow (/libde265/build/libde265/liblibde265.so+0x146253) in put\_weighted\_pred\_avg\_16\_fallback(unsigned short\*, long, short const\*, short const\*, long, int, int, int)

**Version**

$ ./dec265 -h
 dec265  v1.0.8
--------------
usage: dec265 \[options\] videofile.bin
The video file must be a raw bitstream, or a stream with NAL units (option -n).

options:
  -q, --quiet       do not show decoded image
  -t, --threads N   set number of worker threads (0 - no threading)
  -c, --check-hash  perform hash check
  -n, --nal         input is a stream with 4-byte length prefixed NAL units
  -f, --frames N    set number of frames to process
  -o, --output      write YUV reconstruction
  -d, --dump        dump headers
  -0, --noaccel     do not use any accelerated code (SSE)
  -v, --verbose     increase verbosity level (up to 3 times)
  -L, --no-logging  disable logging
  -B, --write-bytestream FILENAME  write raw bytestream (from NAL input)
  -m, --measure YUV compute PSNRs relative to reference YUV
  -T, --highest-TID select highest temporal sublayer to decode
      --disable-deblocking   disable deblocking filter
      --disable-sao          disable sample-adaptive offset filter
  -h, --help        show help

**Replay**

git clone https://github.com/strukturag/libde265.git
cd libde265
mkdir build
cd build
cmake ../ -DCMAKE\_CXX\_FLAGS="\-fsanitize=address"
make -j$(nproc)
./dec265/dec265 poc15

**ASAN**

WARNING: end\_of\_sub\_stream\_one\_bit not set to 1 when it should be
WARNING: non-existing PPS referenced
WARNING: CTB outside of image area (concealing stream error...)
=================================================================
==30172==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62b000006640 at pc 0x7fb8cba21254 bp 0x7ffcffdbd540 sp 0x7ffcffdbd530
WRITE of size 2 at 0x62b000006640 thread T0
    #0 0x7fb8cba21253 in put\_weighted\_pred\_avg\_16\_fallback(unsigned short\*, long, short const\*, short const\*, long, int, int, int) (/libde265/build/libde265/liblibde265.so+0x146253)
    #1 0x7fb8cba51c1a in acceleration\_functions::put\_weighted\_pred\_avg(void\*, long, short const\*, short const\*, long, int, int, int) const (/libde265/build/libde265/liblibde265.so+0x176c1a)
    #2 0x7fb8cba45bb9 in generate\_inter\_prediction\_samples(base\_context\*, slice\_segment\_header const\*, de265\_image\*, int, int, int, int, int, int, int, PBMotion const\*) (/libde265/build/libde265/liblibde265.so+0x16abb9)
    #3 0x7fb8cba5190f in decode\_prediction\_unit(base\_context\*, slice\_segment\_header const\*, de265\_image\*, PBMotionCoding const&, int, int, int, int, int, int, int, int) (/libde265/build/libde265/liblibde265.so+0x17690f)
    #4 0x7fb8cba8c7e3 in read\_prediction\_unit(thread\_context\*, int, int, int, int, int, int, int, int, int) (/libde265/build/libde265/liblibde265.so+0x1b17e3)
    #5 0x7fb8cba8e39a in read\_coding\_unit(thread\_context\*, int, int, int, int) (/libde265/build/libde265/liblibde265.so+0x1b339a)
    #6 0x7fb8cba8f250 in read\_coding\_quadtree(thread\_context\*, int, int, int, int) (/libde265/build/libde265/liblibde265.so+0x1b4250)
    #7 0x7fb8cba86726 in read\_coding\_tree\_unit(thread\_context\*) (/libde265/build/libde265/liblibde265.so+0x1ab726)
    #8 0x7fb8cba8f9ea in decode\_substream(thread\_context\*, bool, bool) (/libde265/build/libde265/liblibde265.so+0x1b49ea)
    #9 0x7fb8cba9170f in read\_slice\_segment\_data(thread\_context\*) (/libde265/build/libde265/liblibde265.so+0x1b670f)
    #10 0x7fb8cb9f06d2 in decoder\_context::decode\_slice\_unit\_sequential(image\_unit\*, slice\_unit\*) (/libde265/build/libde265/liblibde265.so+0x1156d2)
    #11 0x7fb8cb9f0ec1 in decoder\_context::decode\_slice\_unit\_parallel(image\_unit\*, slice\_unit\*) (/libde265/build/libde265/liblibde265.so+0x115ec1)
    #12 0x7fb8cb9efc0f in decoder\_context::decode\_some(bool\*) (/libde265/build/libde265/liblibde265.so+0x114c0f)
    #13 0x7fb8cb9ef93d in decoder\_context::read\_slice\_NAL(bitreader&, NAL\_unit\*, nal\_header&) (/libde265/build/libde265/liblibde265.so+0x11493d)
    #14 0x7fb8cb9f243e in decoder\_context::decode\_NAL(NAL\_unit\*) (/libde265/build/libde265/liblibde265.so+0x11743e)
    #15 0x7fb8cb9f2ab3 in decoder\_context::decode(int\*) (/libde265/build/libde265/liblibde265.so+0x117ab3)
    #16 0x7fb8cb9d9e95 in de265\_decode (/libde265/build/libde265/liblibde265.so+0xfee95)
    #17 0x55b3545cdbc9 in main (/libde265/build/dec265/dec265+0x6bc9)
    #18 0x7fb8cb50bc86 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21c86)
    #19 0x55b3545cb9b9 in \_start (/libde265/build/dec265/dec265+0x49b9)

0x62b000006640 is located 48 bytes to the right of 25616-byte region \[0x62b000000200,0x62b000006610)
allocated by thread T0 here:
    #0 0x7fb8cbf02790 in posix\_memalign (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xdf790)
    #1 0x7fb8cba2b1cb in ALLOC\_ALIGNED(unsigned long, unsigned long) (/libde265/build/libde265/liblibde265.so+0x1501cb)
    #2 0x7fb8cba2b92a in de265\_image\_get\_buffer(void\*, de265\_image\_spec\*, de265\_image\*, void\*) (/libde265/build/libde265/liblibde265.so+0x15092a)
    #3 0x7fb8cba2dd1a in de265\_image::alloc\_image(int, int, de265\_chroma, std::shared\_ptr<seq\_parameter\_set const>, bool, decoder\_context\*, long, void\*, bool) (/libde265/build/libde265/liblibde265.so+0x152d1a)
    #4 0x7fb8cba120cc in decoded\_picture\_buffer::new\_image(std::shared\_ptr<seq\_parameter\_set const>, decoder\_context\*, long, void\*, bool) (/libde265/build/libde265/liblibde265.so+0x1370cc)
    #5 0x7fb8cb9f93ff in decoder\_context::process\_slice\_segment\_header(slice\_segment\_header\*, de265\_error\*, long, nal\_header\*, void\*) (/libde265/build/libde265/liblibde265.so+0x11e3ff)
    #6 0x7fb8cb9ef246 in decoder\_context::read\_slice\_NAL(bitreader&, NAL\_unit\*, nal\_header&) (/libde265/build/libde265/liblibde265.so+0x114246)
    #7 0x7fb8cb9f243e in decoder\_context::decode\_NAL(NAL\_unit\*) (/libde265/build/libde265/liblibde265.so+0x11743e)
    #8 0x7fb8cb9f2ab3 in decoder\_context::decode(int\*) (/libde265/build/libde265/liblibde265.so+0x117ab3)
    #9 0x7fb8cb9d9e95 in de265\_decode (/libde265/build/libde265/liblibde265.so+0xfee95)
    #10 0x55b3545cdbc9 in main (/libde265/build/dec265/dec265+0x6bc9)
    #11 0x7fb8cb50bc86 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21c86)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/libde265/build/libde265/liblibde265.so+0x146253) in put\_weighted\_pred\_avg\_16\_fallback(unsigned short\*, long, short const\*, short const\*, long, int, int, int)
Shadow bytes around the buggy address:
  0x0c567fff8c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c567fff8c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c567fff8c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c567fff8ca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c567fff8cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\=>0x0c567fff8cc0: 00 00 fa fa fa fa fa fa\[fa\]fa fa fa fa fa fa fa
  0x0c567fff8cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fff8ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fff8cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fff8d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fff8d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\==30172\==ABORTING

**POC**

https://github.com/FDU-Sec/poc/blob/main/libde265/poc15

**Environment**

Ubuntu 18.04.5 LTS
Clang 10.0.1
gcc 7.5.0

**Credit**

Peng Deng (Fudan University)

CVE-2022-43248: Heap-buffer-overflow in fallback-motion.cc: put_weighted_pred_avg_16_fallback · Issue #349 · strukturag/libde265

Libde265 v1.0.8 was discovered to contain a stack-buffer-overflow vulnerability via void put_epel_hv_fallback<unsigned short> in fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.

**Description**

Stack-buffer-overflow (/libde265/build/libde265/liblibde265.so+0x148bb1) in void put\_epel\_hv\_fallback(short\*, long, unsigned short const\*, long, int, int, int, int, short\*, int)

**Version**

$ ./dec265 -h
 dec265  v1.0.8
--------------
usage: dec265 \[options\] videofile.bin
The video file must be a raw bitstream, or a stream with NAL units (option -n).

options:
  -q, --quiet       do not show decoded image
  -t, --threads N   set number of worker threads (0 - no threading)
  -c, --check-hash  perform hash check
  -n, --nal         input is a stream with 4-byte length prefixed NAL units
  -f, --frames N    set number of frames to process
  -o, --output      write YUV reconstruction
  -d, --dump        dump headers
  -0, --noaccel     do not use any accelerated code (SSE)
  -v, --verbose     increase verbosity level (up to 3 times)
  -L, --no-logging  disable logging
  -B, --write-bytestream FILENAME  write raw bytestream (from NAL input)
  -m, --measure YUV compute PSNRs relative to reference YUV
  -T, --highest-TID select highest temporal sublayer to decode
      --disable-deblocking   disable deblocking filter
      --disable-sao          disable sample-adaptive offset filter
  -h, --help        show help

**Replay**

git clone https://github.com/strukturag/libde265.git
cd libde265
mkdir build
cd build
cmake ../ -DCMAKE\_CXX\_FLAGS="\-fsanitize=address"
make -j$(nproc)
./dec265/dec265 poc10-1
./dec265/dec265 poc10-2
./dec265/dec265 poc10-3

**ASAN**

WARNING: end\_of\_sub\_stream\_one\_bit not set to 1 when it should be
WARNING: CTB outside of image area (concealing stream error...)
=================================================================
==49284==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd5d1376e1 at pc 0x7fc6e4cc7bb2 bp 0x7ffd5d134ea0 sp 0x7ffd5d134e90
READ of size 2 at 0x7ffd5d1376e1 thread T0
    #0 0x7fc6e4cc7bb1 in void put\_epel\_hv\_fallback<unsigned short>(short\*, long, unsigned short const\*, long, int, int, int, int, short\*, int) (/libde265/build/libde265/liblibde265.so+0x148bb1)
    #1 0x7fc6e4cf60de in acceleration\_functions::put\_hevc\_epel\_h(short\*, long, void const\*, long, int, int, int, int, short\*, int) const (/libde265/build/libde265/liblibde265.so+0x1770de)
    #2 0x7fc6e4cf8ca2 in void mc\_chroma<unsigned char>(base\_context const\*, seq\_parameter\_set const\*, int, int, int, int, short\*, int, unsigned char const\*, int, int, int, int) (/libde265/build/libde265/liblibde265.so+0x179ca2)
    #3 0x7fc6e4ce8e2e in generate\_inter\_prediction\_samples(base\_context\*, slice\_segment\_header const\*, de265\_image\*, int, int, int, int, int, int, int, PBMotion const\*) (/libde265/build/libde265/liblibde265.so+0x169e2e)
    #4 0x7fc6e4cf590f in decode\_prediction\_unit(base\_context\*, slice\_segment\_header const\*, de265\_image\*, PBMotionCoding const&, int, int, int, int, int, int, int, int) (/libde265/build/libde265/liblibde265.so+0x17690f)
    #5 0x7fc6e4d307e3 in read\_prediction\_unit(thread\_context\*, int, int, int, int, int, int, int, int, int) (/libde265/build/libde265/liblibde265.so+0x1b17e3)
    #6 0x7fc6e4d32469 in read\_coding\_unit(thread\_context\*, int, int, int, int) (/libde265/build/libde265/liblibde265.so+0x1b3469)
    #7 0x7fc6e4d33250 in read\_coding\_quadtree(thread\_context\*, int, int, int, int) (/libde265/build/libde265/liblibde265.so+0x1b4250)
    #8 0x7fc6e4d2a726 in read\_coding\_tree\_unit(thread\_context\*) (/libde265/build/libde265/liblibde265.so+0x1ab726)
    #9 0x7fc6e4d339ea in decode\_substream(thread\_context\*, bool, bool) (/libde265/build/libde265/liblibde265.so+0x1b49ea)
    #10 0x7fc6e4d3570f in read\_slice\_segment\_data(thread\_context\*) (/libde265/build/libde265/liblibde265.so+0x1b670f)
    #11 0x7fc6e4c946d2 in decoder\_context::decode\_slice\_unit\_sequential(image\_unit\*, slice\_unit\*) (/libde265/build/libde265/liblibde265.so+0x1156d2)
    #12 0x7fc6e4c94ec1 in decoder\_context::decode\_slice\_unit\_parallel(image\_unit\*, slice\_unit\*) (/libde265/build/libde265/liblibde265.so+0x115ec1)
    #13 0x7fc6e4c93c0f in decoder\_context::decode\_some(bool\*) (/libde265/build/libde265/liblibde265.so+0x114c0f)
    #14 0x7fc6e4c9393d in decoder\_context::read\_slice\_NAL(bitreader&, NAL\_unit\*, nal\_header&) (/libde265/build/libde265/liblibde265.so+0x11493d)
    #15 0x7fc6e4c9643e in decoder\_context::decode\_NAL(NAL\_unit\*) (/libde265/build/libde265/liblibde265.so+0x11743e)
    #16 0x7fc6e4c96ab3 in decoder\_context::decode(int\*) (/libde265/build/libde265/liblibde265.so+0x117ab3)
    #17 0x7fc6e4c7de95 in de265\_decode (/libde265/build/libde265/liblibde265.so+0xfee95)
    #18 0x56089bc03bc9 in main (/libde265/build/dec265/dec265+0x6bc9)
    #19 0x7fc6e47afc86 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21c86)
    #20 0x56089bc019b9 in \_start (/libde265/build/dec265/dec265+0x49b9)

Address 0x7ffd5d1376e1 is located in stack of thread T0 at offset 9121 in frame
    #0 0x7fc6e4cf83b8 in void mc\_chroma<unsigned char>(base\_context const\*, seq\_parameter\_set const\*, int, int, int, int, short\*, int, unsigned char const\*, int, int, int, int) (/libde265/build/libde265/liblibde265.so+0x1793b8)

  This frame has 2 object(s):
    \[32, 9120) 'mcbuffer' <== Memory access at offset 9121 overflows this variable
    \[9152, 14512) 'padbuf'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions \*are\* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/libde265/build/libde265/liblibde265.so+0x148bb1) in void put\_epel\_hv\_fallback<unsigned short\>(short\*, long, unsigned short const\*, long, int, int, int, int, short\*, int)
Shadow bytes around the buggy address:
  0x10002ba1ee80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002ba1ee90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002ba1eea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002ba1eeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002ba1eec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=\>0x10002ba1eed0: 00 00 00 00 00 00 00 00 00 00 00 00\[f2\]f2 f2 f2
  0x10002ba1eee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002ba1eef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002ba1ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002ba1ef10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10002ba1ef20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==49284==ABORTING

**POC**

https://github.com/FDU-Sec/poc/blob/main/libde265/poc10-1  
https://github.com/FDU-Sec/poc/blob/main/libde265/poc10-2  
https://github.com/FDU-Sec/poc/blob/main/libde265/poc10-3

**Environment**

Ubuntu 16.04
Clang 10.0.1
gcc 5.5

**Credit**

Peng Deng (Fudan University)

CVE-2022-43237: Stack-buffer-overflow in fallback-motion.cc: void put_epel_hv_fallback<unsigned short> · Issue #344 · strukturag/libde265

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_epel_hv_fallback<unsigned short> in fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.

**Description**

Heap-buffer-overflow (/libde265/build/libde265/liblibde265.so+0x148fda) in void put\_epel\_hv\_fallback(short\*, long, unsigned short const\*, long, int, int, int, int, short\*, int)

**Version**

$ ./dec265 -h
 dec265  v1.0.8
--------------
usage: dec265 \[options\] videofile.bin
The video file must be a raw bitstream, or a stream with NAL units (option -n).

options:
  -q, --quiet       do not show decoded image
  -t, --threads N   set number of worker threads (0 - no threading)
  -c, --check-hash  perform hash check
  -n, --nal         input is a stream with 4-byte length prefixed NAL units
  -f, --frames N    set number of frames to process
  -o, --output      write YUV reconstruction
  -d, --dump        dump headers
  -0, --noaccel     do not use any accelerated code (SSE)
  -v, --verbose     increase verbosity level (up to 3 times)
  -L, --no-logging  disable logging
  -B, --write-bytestream FILENAME  write raw bytestream (from NAL input)
  -m, --measure YUV compute PSNRs relative to reference YUV
  -T, --highest-TID select highest temporal sublayer to decode
      --disable-deblocking   disable deblocking filter
      --disable-sao          disable sample-adaptive offset filter
  -h, --help        show help

**Replay**

git clone https://github.com/strukturag/libde265.git
cd libde265
mkdir build
cd build
cmake ../ -DCMAKE\_CXX\_FLAGS="\-fsanitize=address"
make -j$(nproc)
./dec265/dec265 poc11-1
./dec265/dec265 poc11-2

**ASAN**

WARNING: pps header invalid
WARNING: CTB outside of image area (concealing stream error...)
WARNING: CTB outside of image area (concealing stream error...)
=================================================================
==61372==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62b00002951c at pc 0x7f3e99904fdb bp 0x7ffe34d063b0 sp 0x7ffe34d063a0
READ of size 2 at 0x62b00002951c thread T0
    #0 0x7f3e99904fda in void put\_epel\_hv\_fallback<unsigned short>(short\*, long, unsigned short const\*, long, int, int, int, int, short\*, int) (/libde265/build/libde265/liblibde265.so+0x148fda)
    #1 0x7f3e999332ca in acceleration\_functions::put\_hevc\_epel\_hv(short\*, long, void const\*, long, int, int, int, int, short\*, int) const (/libde265/build/libde265/liblibde265.so+0x1772ca)
    #2 0x7f3e99935213 in void mc\_chroma<unsigned short>(base\_context const\*, seq\_parameter\_set const\*, int, int, int, int, short\*, int, unsigned short const\*, int, int, int, int) (/libde265/build/libde265/liblibde265.so+0x179213)
    #3 0x7f3e99925b2d in generate\_inter\_prediction\_samples(base\_context\*, slice\_segment\_header const\*, de265\_image\*, int, int, int, int, int, int, int, PBMotion const\*) (/libde265/build/libde265/liblibde265.so+0x169b2d)
    #4 0x7f3e9993290f in decode\_prediction\_unit(base\_context\*, slice\_segment\_header const\*, de265\_image\*, PBMotionCoding const&, int, int, int, int, int, int, int, int) (/libde265/build/libde265/liblibde265.so+0x17690f)
    #5 0x7f3e9996d7e3 in read\_prediction\_unit(thread\_context\*, int, int, int, int, int, int, int, int, int) (/libde265/build/libde265/liblibde265.so+0x1b17e3)
    #6 0x7f3e9996f39a in read\_coding\_unit(thread\_context\*, int, int, int, int) (/libde265/build/libde265/liblibde265.so+0x1b339a)
    #7 0x7f3e99970250 in read\_coding\_quadtree(thread\_context\*, int, int, int, int) (/libde265/build/libde265/liblibde265.so+0x1b4250)
    #8 0x7f3e99970091 in read\_coding\_quadtree(thread\_context\*, int, int, int, int) (/libde265/build/libde265/liblibde265.so+0x1b4091)
    #9 0x7f3e99967726 in read\_coding\_tree\_unit(thread\_context\*) (/libde265/build/libde265/liblibde265.so+0x1ab726)
    #10 0x7f3e999709ea in decode\_substream(thread\_context\*, bool, bool) (/libde265/build/libde265/liblibde265.so+0x1b49ea)
    #11 0x7f3e9997270f in read\_slice\_segment\_data(thread\_context\*) (/libde265/build/libde265/liblibde265.so+0x1b670f)
    #12 0x7f3e998d16d2 in decoder\_context::decode\_slice\_unit\_sequential(image\_unit\*, slice\_unit\*) (/libde265/build/libde265/liblibde265.so+0x1156d2)
    #13 0x7f3e998d1ec1 in decoder\_context::decode\_slice\_unit\_parallel(image\_unit\*, slice\_unit\*) (/libde265/build/libde265/liblibde265.so+0x115ec1)
    #14 0x7f3e998d0c0f in decoder\_context::decode\_some(bool\*) (/libde265/build/libde265/liblibde265.so+0x114c0f)
    #15 0x7f3e998d093d in decoder\_context::read\_slice\_NAL(bitreader&, NAL\_unit\*, nal\_header&) (/libde265/build/libde265/liblibde265.so+0x11493d)
    #16 0x7f3e998d343e in decoder\_context::decode\_NAL(NAL\_unit\*) (/libde265/build/libde265/liblibde265.so+0x11743e)
    #17 0x7f3e998d3ab3 in decoder\_context::decode(int\*) (/libde265/build/libde265/liblibde265.so+0x117ab3)
    #18 0x7f3e998bae95 in de265\_decode (/libde265/build/libde265/liblibde265.so+0xfee95)
    #19 0x55a40ac18bc9 in main (/libde265/build/dec265/dec265+0x6bc9)
    #20 0x7f3e993ecc86 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21c86)
    #21 0x55a40ac169b9 in \_start (/libde265/build/dec265/dec265+0x49b9)

0x62b00002951c is located 12 bytes to the right of 25360-byte region \[0x62b000023200,0x62b000029510)
allocated by thread T0 here:
    #0 0x7f3e99de3790 in posix\_memalign (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xdf790)
    #1 0x7f3e9990c1cb in ALLOC\_ALIGNED(unsigned long, unsigned long) (/libde265/build/libde265/liblibde265.so+0x1501cb)
    #2 0x7f3e9990c99d in de265\_image\_get\_buffer(void\*, de265\_image\_spec\*, de265\_image\*, void\*) (/libde265/build/libde265/liblibde265.so+0x15099d)
    #3 0x7f3e9990ed1a in de265\_image::alloc\_image(int, int, de265\_chroma, std::shared\_ptr<seq\_parameter\_set const>, bool, decoder\_context\*, long, void\*, bool) (/libde265/build/libde265/liblibde265.so+0x152d1a)
    #4 0x7f3e998f30cc in decoded\_picture\_buffer::new\_image(std::shared\_ptr<seq\_parameter\_set const>, decoder\_context\*, long, void\*, bool) (/libde265/build/libde265/liblibde265.so+0x1370cc)
    #5 0x7f3e998d4824 in decoder\_context::generate\_unavailable\_reference\_picture(seq\_parameter\_set const\*, int, bool) (/libde265/build/libde265/liblibde265.so+0x118824)
    #6 0x7f3e998d7332 in decoder\_context::process\_reference\_picture\_set(slice\_segment\_header\*) (/libde265/build/libde265/liblibde265.so+0x11b332)
    #7 0x7f3e998dad70 in decoder\_context::process\_slice\_segment\_header(slice\_segment\_header\*, de265\_error\*, long, nal\_header\*, void\*) (/libde265/build/libde265/liblibde265.so+0x11ed70)
    #8 0x7f3e998d0246 in decoder\_context::read\_slice\_NAL(bitreader&, NAL\_unit\*, nal\_header&) (/libde265/build/libde265/liblibde265.so+0x114246)
    #9 0x7f3e998d343e in decoder\_context::decode\_NAL(NAL\_unit\*) (/libde265/build/libde265/liblibde265.so+0x11743e)
    #10 0x7f3e998d3ab3 in decoder\_context::decode(int\*) (/libde265/build/libde265/liblibde265.so+0x117ab3)
    #11 0x7f3e998bae95 in de265\_decode (/libde265/build/libde265/liblibde265.so+0xfee95)
    #12 0x55a40ac18bc9 in main (/libde265/build/dec265/dec265+0x6bc9)
    #13 0x7f3e993ecc86 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21c86)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/libde265/build/libde265/liblibde265.so+0x148fda) in void put\_epel\_hv\_fallback<unsigned short\>(short\*, long, unsigned short const\*, long, int, int, int, int, short\*, int)
Shadow bytes around the buggy address:
  0x0c567fffd250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c567fffd260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c567fffd270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c567fffd280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c567fffd290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\=>0x0c567fffd2a0: 00 00 fa\[fa\]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fffd2b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fffd2c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fffd2d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fffd2e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c567fffd2f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\==61372\==ABORTING

**POC**

https://github.com/FDU-Sec/poc/blob/main/libde265/poc11-1  
https://github.com/FDU-Sec/poc/blob/main/libde265/poc11-2

**Environment**

Ubuntu 16.04
Clang 10.0.1
gcc 5.5

**Credit**

Peng Deng (Fudan University)

CVE-2022-43249: Heap-buffer-overflow in fallback-motion.cc: void put_epel_hv_fallback<unsigned short>( · Issue #345 · strukturag/libde265

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via put_qpel_fallback<unsigned short> in fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.

**Description**

Heap-buffer-overflow (/libde265/build/libde265/liblibde265.so+0x14b860) in void put\_qpel\_fallback(short\*, long, unsigned short const\*, long, int, int, short\*, int, int, int)

**Version**

$ ./dec265 -h
 dec265  v1.0.8
--------------
usage: dec265 \[options\] videofile.bin
The video file must be a raw bitstream, or a stream with NAL units (option -n).

options:
  -q, --quiet       do not show decoded image
  -t, --threads N   set number of worker threads (0 - no threading)
  -c, --check-hash  perform hash check
  -n, --nal         input is a stream with 4-byte length prefixed NAL units
  -f, --frames N    set number of frames to process
  -o, --output      write YUV reconstruction
  -d, --dump        dump headers
  -0, --noaccel     do not use any accelerated code (SSE)
  -v, --verbose     increase verbosity level (up to 3 times)
  -L, --no-logging  disable logging
  -B, --write-bytestream FILENAME  write raw bytestream (from NAL input)
  -m, --measure YUV compute PSNRs relative to reference YUV
  -T, --highest-TID select highest temporal sublayer to decode
      --disable-deblocking   disable deblocking filter
      --disable-sao          disable sample-adaptive offset filter
  -h, --help        show help

**Replay**

git clone https://github.com/strukturag/libde265.git
cd libde265
mkdir build
cd build
cmake ../ -DCMAKE\_CXX\_FLAGS="\-fsanitize=address"
make -j$(nproc)
./dec265/dec265 poc8-1
./dec265/dec265 poc8-2
./dec265/dec265 poc8-3
./dec265/dec265 poc8-4

**ASAN**

WARNING: end\_of\_sub\_stream\_one\_bit not set to 1 when it should be
WARNING: maximum number of reference pictures exceeded
WARNING: CTB outside of image area (concealing stream error...)
=================================================================
==55253==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62f00001ac80 at pc 0x7f7d9b220861 bp 0x7fffdce0f670 sp 0x7fffdce0f660
READ of size 2 at 0x62f00001ac80 thread T0
    #0 0x7f7d9b220860 in void put\_qpel\_fallback<unsigned short>(short\*, long, unsigned short const\*, long, int, int, short\*, int, int, int) (/libde265/build/libde265/liblibde265.so+0x14b860)
    #1 0x7f7d9b21c05c in put\_qpel\_0\_3\_fallback\_16(short\*, long, unsigned short const\*, long, int, int, short\*, int) (/libde265/build/libde265/liblibde265.so+0x14705c)
    #2 0x7f7d9b24c40d in acceleration\_functions::put\_hevc\_qpel(short\*, long, void const\*, long, int, int, short\*, int, int, int) const (/libde265/build/libde265/liblibde265.so+0x17740d)
    #3 0x7f7d9b24cee6 in void mc\_luma<unsigned short>(base\_context const\*, seq\_parameter\_set const\*, int, int, int, int, short\*, int, unsigned short const\*, int, int, int, int) (/libde265/build/libde265/liblibde265.so+0x177ee6)
    #4 0x7f7d9b23e837 in generate\_inter\_prediction\_samples(base\_context\*, slice\_segment\_header const\*, de265\_image\*, int, int, int, int, int, int, int, PBMotion const\*) (/libde265/build/libde265/liblibde265.so+0x169837)
    #5 0x7f7d9b24b90f in decode\_prediction\_unit(base\_context\*, slice\_segment\_header const\*, de265\_image\*, PBMotionCoding const&, int, int, int, int, int, int, int, int) (/libde265/build/libde265/liblibde265.so+0x17690f)
    #6 0x7f7d9b2867e3 in read\_prediction\_unit(thread\_context\*, int, int, int, int, int, int, int, int, int) (/libde265/build/libde265/liblibde265.so+0x1b17e3)
    #7 0x7f7d9b288333 in read\_coding\_unit(thread\_context\*, int, int, int, int) (/libde265/build/libde265/liblibde265.so+0x1b3333)
    #8 0x7f7d9b289250 in read\_coding\_quadtree(thread\_context\*, int, int, int, int) (/libde265/build/libde265/liblibde265.so+0x1b4250)
    #9 0x7f7d9b289091 in read\_coding\_quadtree(thread\_context\*, int, int, int, int) (/libde265/build/libde265/liblibde265.so+0x1b4091)
    #10 0x7f7d9b280726 in read\_coding\_tree\_unit(thread\_context\*) (/libde265/build/libde265/liblibde265.so+0x1ab726)
    #11 0x7f7d9b2899ea in decode\_substream(thread\_context\*, bool, bool) (/libde265/build/libde265/liblibde265.so+0x1b49ea)
    #12 0x7f7d9b28b70f in read\_slice\_segment\_data(thread\_context\*) (/libde265/build/libde265/liblibde265.so+0x1b670f)
    #13 0x7f7d9b1ea6d2 in decoder\_context::decode\_slice\_unit\_sequential(image\_unit\*, slice\_unit\*) (/libde265/build/libde265/liblibde265.so+0x1156d2)
    #14 0x7f7d9b1eaec1 in decoder\_context::decode\_slice\_unit\_parallel(image\_unit\*, slice\_unit\*) (/libde265/build/libde265/liblibde265.so+0x115ec1)
    #15 0x7f7d9b1e9c0f in decoder\_context::decode\_some(bool\*) (/libde265/build/libde265/liblibde265.so+0x114c0f)
    #16 0x7f7d9b1e993d in decoder\_context::read\_slice\_NAL(bitreader&, NAL\_unit\*, nal\_header&) (/libde265/build/libde265/liblibde265.so+0x11493d)
    #17 0x7f7d9b1ec43e in decoder\_context::decode\_NAL(NAL\_unit\*) (/libde265/build/libde265/liblibde265.so+0x11743e)
    #18 0x7f7d9b1ecab3 in decoder\_context::decode(int\*) (/libde265/build/libde265/liblibde265.so+0x117ab3)
    #19 0x7f7d9b1d3e95 in de265\_decode (/libde265/build/libde265/liblibde265.so+0xfee95)
    #20 0x55ae31f1cbc9 in main (/libde265/build/dec265/dec265+0x6bc9)
    #21 0x7f7d9ad05c86 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21c86)
    #22 0x55ae31f1a9b9 in \_start (/libde265/build/dec265/dec265+0x49b9)

0x62f00001ac80 is located 112 bytes to the right of 51216-byte region \[0x62f00000e400,0x62f00001ac10)
allocated by thread T0 here:
    #0 0x7f7d9b6fc790 in posix\_memalign (/usr/lib/x86\_64-linux-gnu/libasan.so.4+0xdf790)
    #1 0x7f7d9b2251cb in ALLOC\_ALIGNED(unsigned long, unsigned long) (/libde265/build/libde265/liblibde265.so+0x1501cb)
    #2 0x7f7d9b22592a in de265\_image\_get\_buffer(void\*, de265\_image\_spec\*, de265\_image\*, void\*) (/libde265/build/libde265/liblibde265.so+0x15092a)
    #3 0x7f7d9b227d1a in de265\_image::alloc\_image(int, int, de265\_chroma, std::shared\_ptr<seq\_parameter\_set const>, bool, decoder\_context\*, long, void\*, bool) (/libde265/build/libde265/liblibde265.so+0x152d1a)
    #4 0x7f7d9b20c0cc in decoded\_picture\_buffer::new\_image(std::shared\_ptr<seq\_parameter\_set const>, decoder\_context\*, long, void\*, bool) (/libde265/build/libde265/liblibde265.so+0x1370cc)
    #5 0x7f7d9b1ed824 in decoder\_context::generate\_unavailable\_reference\_picture(seq\_parameter\_set const\*, int, bool) (/libde265/build/libde265/liblibde265.so+0x118824)
    #6 0x7f7d9b1f0332 in decoder\_context::process\_reference\_picture\_set(slice\_segment\_header\*) (/libde265/build/libde265/liblibde265.so+0x11b332)
    #7 0x7f7d9b1f3d70 in decoder\_context::process\_slice\_segment\_header(slice\_segment\_header\*, de265\_error\*, long, nal\_header\*, void\*) (/libde265/build/libde265/liblibde265.so+0x11ed70)
    #8 0x7f7d9b1e9246 in decoder\_context::read\_slice\_NAL(bitreader&, NAL\_unit\*, nal\_header&) (/libde265/build/libde265/liblibde265.so+0x114246)
    #9 0x7f7d9b1ec43e in decoder\_context::decode\_NAL(NAL\_unit\*) (/libde265/build/libde265/liblibde265.so+0x11743e)
    #10 0x7f7d9b1ecab3 in decoder\_context::decode(int\*) (/libde265/build/libde265/liblibde265.so+0x117ab3)
    #11 0x7f7d9b1d3e95 in de265\_decode (/libde265/build/libde265/liblibde265.so+0xfee95)
    #12 0x55ae31f1cbc9 in main (/libde265/build/dec265/dec265+0x6bc9)
    #13 0x7f7d9ad05c86 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21c86)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/libde265/build/libde265/liblibde265.so+0x14b860) in void put\_qpel\_fallback<unsigned short\>(short\*, long, unsigned short const\*, long, int, int, short\*, int, int, int)
Shadow bytes around the buggy address:
  0x0c5e7fffb540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5e7fffb550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5e7fffb560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5e7fffb570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5e7fffb580: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
\=>0x0c5e7fffb590:\[fa\]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5e7fffb5a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5e7fffb5b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5e7fffb5c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5e7fffb5d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5e7fffb5e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
\==55253\==ABORTING

**POC**

https://github.com/FDU-Sec/poc/blob/main/libde265/poc8-1  
https://github.com/FDU-Sec/poc/blob/main/libde265/poc8-2  
https://github.com/FDU-Sec/poc/blob/main/libde265/poc8-3  
https://github.com/FDU-Sec/poc/blob/main/libde265/poc8-4

**Environment**

Ubuntu 16.04
Clang 10.0.1
gcc 5.5

**Credit**

Peng Deng (Fudan University)

CVE-2022-43244: Heap-buffer-overflow in fallback-motion.cc: in void put_qpel_fallback<unsigned short> · Issue #342 · strukturag/libde265

A set of four Android apps released by the same developer has been discovered directing victims to malicious websites as part of an adware and information-stealing campaign.
The apps, published by a developer named Mobile apps Group and currently available on the Play Store, have been collectively downloaded over one million times.
According to Malwarebytes, the websites are designed to generate

A set of four Android apps released by the same developer has been discovered directing victims to malicious websites as part of an adware and information-stealing campaign.

The apps, published by a developer named Mobile apps Group and currently available on the Play Store, have been collectively downloaded over one million times.

According to Malwarebytes, the websites are designed to generate revenues through pay-per-click ads, and worse, prompt users to install cleaner apps on their phones with the goal of deploying additional malware.

The list of apps is as follows -

*   Bluetooth App Sender (com.bluetooth.share.app) - 50,000+ downloads
*   Bluetooth Auto Connect (com.bluetooth.autoconnect.anybtdevices) - 1,000,000+ downloads
*   Driver: Bluetooth, Wi-Fi, USB (com.driver.finder.bluetooth.wifi.usb) - 10,000+ downloads
*   Mobile transfer: smart switch (com.mobile.faster.transfer.smart.switch) - 1,000+ downloads

It's no surprise that malicious apps have devised new ways to get past Google Play Store security protections. One of the more popular tactics adopted by threat actors is to introduce time-based delays to conceal their malicious behavior.

Malwarebytes' analysis found the apps to have an approximately four-day waiting period before opening the first phishing site in Chrome browser, and then proceed to launch more tabs every two hours.

The apps are part of a broader malware operation called HiddenAds, which has been active since at least June 2019 and has a track record of illicitly earning revenues by redirecting users to advertisements.

The findings also come as researchers from Guardio Labs disclosed details of a malvertising campaign dubbed Dormant Colors that leverages rogue Google Chrome and Microsoft Edge extensions to hijack user search queries to an actor-controlled domain.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

These Android Apps with a Million Play Store Installations Redirect Users to Malicious Sites

Type confusion in V8 in Google Chrome prior to 107.0.5304.87 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chrome security severity: High)

CVE-2022-3723

Use after free in Feedback service on Chrome OS in Google Chrome on Chrome OS prior to 107.0.5304.62 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via specific UI interaction. (Chrome security severity: Medium)

CVE-2022-3658

Inappropriate implementation in Full screen mode in Google Chrome on Android prior to 107.0.5304.62 allowed a remote attacker to hide the contents of the Omnibox (URL bar) via a crafted HTML page. (Chrome security severity: Medium)

CVE-2022-3660

Use after free in Layout in Google Chrome prior to 107.0.5304.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chrome security severity: High)

CVE-2022-3654

Type confusion in V8 in Google Chrome prior to 107.0.5304.62 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chrome security severity: High)

Tag

#chrome