In the Linux kernel before 5.16, tools/perf/util/expr.c lacks a check for the hashmap__new return value.

CVE-2023-23003

** DISPUTED ** In the Linux kernel before 6.2, mm/memory-tiers.c misinterprets the alloc_memory_type return value (expects it to be NULL in the error case, whereas it is actually an error pointer). NOTE: this is disputed by third parties because there are no realistic cases in which a user can cause the alloc_memory_type error case to be reached.

Permalink

Browse files

mm/demotion: fix NULL vs IS\_ERR checking in memory\_tier\_init

alloc\_memory\_type() returns error pointers on error instead of NULL.  Use
IS\_ERR() to check the return value to fix this.

Link: https://lkml.kernel.org/r/20221110030751.1627266-1-linmq006@gmail.com
Fixes: 7b88bda ("mm/demotion/dax/kmem: set node's abstract distance to MEMTIER\_DEFAULT\_DAX\_ADISTANCE")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Reviewed-by: "Huang, Ying" <ying.huang@intel.com>
Cc: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
Cc: Wei Xu <weixugc@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

*   Loading branch information

CVE-2023-23005: mm/demotion: fix NULL vs IS_ERR checking in memory_tier_init · torvalds/linux@4a625ce

In the Linux kernel before 5.15.13, drivers/net/ethernet/mellanox/mlx5/core/steering/dr_domain.c misinterprets the mlx5_get_uars_page return value (expects it to be NULL in the error case, whereas it is actually an error pointer).

Browse files

net/mlx5: DR, Fix NULL vs IS\_ERR checking in dr\_domain\_init\_resources

The mlx5\_get\_uars\_page() function  returns error pointers.
Using IS\_ERR() to check the return value to fix this.

Fixes: 4ec9e7b ("net/mlx5: DR, Expose steering domain functionality")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>

*   Loading branch information

Yuuoniy authored and Saeed Mahameed committed

Dec 23, 2021

1 parent d1652b7 commit 6b8b425

CVE-2023-23006: net/mlx5: DR, Fix NULL vs IS_ERR checking in dr_domain_init_resources · torvalds/linux@6b8b425

An infamous Chinese cyber-hacking team has extended its SysUpdate malware framework to target Linux systems.

A pervasive cyber-espionage group known as Iron Tiger, believed to be out of China, has updated one of its malware frameworks to attack Linux-based systems.

Researchers at Trend Micro recently discovered that Iron Tiger (aka Emissary Panda or APT27) had added new features to its so called SysUpdate malware family, which allows it to infect Linux platforms in addition to Windows. SysUpdate abuses system services, grabs screenshots, browses and terminates processes, retrieves drive information, executes commands, and can find, delete, rename, upload, and download files as well as peruse a victim's file directory.

One other new feature the firm found with the newest version of SysUpdate: command-and-control communications via DNS TXT requests. "While DNS is not supposed to be a communication protocol, the attacker abuses this protocol to send and receive information," the researchers wrote in a blog post about their findings.

Iron Tiger was among a group of five cyber-espionage groups flagged in 2020 by BlackBerry as targeting Linux-based systems.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Linux Support Expands Cyber Spy Group's Arsenal

libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the put_unweighted_pred_16_fallback function at fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file.

**Description**

NULL Pointer Dereference in function put\_unweighted\_pred\_16\_fallback at fallback-motion.cc:179

**Version**

    git log
    commit 7ea8e3cbb010bc02fa38419e87ed2281d7933850 (HEAD -> master, origin/master, origin/HEAD)
    Author: Dirk Farin <dirk.farin@gmail.com>
    Date:   Sat Jan 28 15:03:34 2023 +0100
    
    

**Steps to reproduce**

    git clone https://github.com/strukturag/libde265.git
    cd libde265
    ./autogen.sh
    export CFLAGS="-g -O0 -lpthread -fsanitize=address"
    export CXXFLAGS="-g -O0 -lpthread -fsanitize=address"
    export LDFLAGS="-fsanitize=address"
    ./configure --disable-shared
    make -j
    

    cd dec265
    ./dec265 ./poc_segv09.bin
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: slice header invalid
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: slice header invalid
    WARNING: slice header invalid
    WARNING: faulty reference picture list
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: slice header invalid
    WARNING: non-existing PPS referenced
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==3774965==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5555555e7237 bp 0x7ffffffe28d0 sp 0x7ffffffe2880 T0)
    ==3774965==The signal is caused by a WRITE memory access.
    ==3774965==Hint: address points to the zero page.
        #0 0x5555555e7236 in put_unweighted_pred_16_fallback(unsigned short*, long, short const*, long, int, int, int) /home/fuzz/libde265/libde265/fallback-motion.cc:179
        #1 0x5555557b9ed3 in acceleration_functions::put_unweighted_pred(void*, long, short const*, long, int, int, int) const ../libde265/acceleration.h:262
        #2 0x5555557a2a90 in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) /home/fuzz/libde265/libde265/motion.cc:611
        #3 0x5555557b973e in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /home/fuzz/libde265/libde265/motion.cc:2155
        #4 0x555555683316 in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4136
        #5 0x5555556878c1 in read_coding_unit(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4497
        #6 0x555555689e17 in read_coding_quadtree(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4652
        #7 0x555555672a97 in read_coding_tree_unit(thread_context*) /home/fuzz/libde265/libde265/slice.cc:2861
        #8 0x55555568af7b in decode_substream(thread_context*, bool, bool) /home/fuzz/libde265/libde265/slice.cc:4741
        #9 0x55555568ea3f in read_slice_segment_data(thread_context*) /home/fuzz/libde265/libde265/slice.cc:5054
        #10 0x55555558c205 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /home/fuzz/libde265/libde265/decctx.cc:852
        #11 0x55555558d6c0 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /home/fuzz/libde265/libde265/decctx.cc:954
        #12 0x55555558a7dc in decoder_context::decode_some(bool*) /home/fuzz/libde265/libde265/decctx.cc:739
        #13 0x555555589efc in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /home/fuzz/libde265/libde265/decctx.cc:697
        #14 0x55555559070e in decoder_context::decode_NAL(NAL_unit*) /home/fuzz/libde265/libde265/decctx.cc:1239
        #15 0x555555592354 in decoder_context::decode(int*) /home/fuzz/libde265/libde265/decctx.cc:1327
        #16 0x55555557cffa in de265_decode /home/fuzz/libde265/libde265/de265.cc:362
        #17 0x555555577b2f in main /home/fuzz/libde265/dec265/dec265.cc:764
        #18 0x7ffff7046082 in __libc_start_main ../csu/libc-start.c:308
        #19 0x5555555712ed in _start (/home/fuzz/libde265/dec265/dec265+0x1d2ed)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/fuzz/libde265/libde265/fallback-motion.cc:179 in put_unweighted_pred_16_fallback(unsigned short*, long, short const*, long, int, int, int)
    ==3774965==ABORTING
    

**POC**

poc\_segv09.bin

**GDB**

    gdb --args ./dec265 ./poc_segv09.bin
    
    ─── Output/messages ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: slice header invalid
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: slice header invalid
    WARNING: slice header invalid
    WARNING: faulty reference picture list
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: slice header invalid
    WARNING: non-existing PPS referenced
    
    Program received signal SIGSEGV, Segmentation fault.
    0x00005555555e7237 in put_unweighted_pred_16_fallback (dst=0x0, dststride=0, src=0x7ffffffe6c00, srcstride=8, width=8, height=8, bit_depth=10) at fallback-motion.cc:179
    179           out[0] = Clip_BitDepth((in[0] + offset1)>>shift1, bit_depth);
    ─── Assembly ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     0x00005555555e7226  put_unweighted_pred_16_fallback(unsigned short*, long, short const*, long, int, int, int)+1689 test   %sil,%sil
     0x00005555555e7229  put_unweighted_pred_16_fallback(unsigned short*, long, short const*, long, int, int, int)+1692 je     0x5555555e7233 <put_unweighted_pred_16_fallback(unsigned short*, long, short const*, long, int, int, int)+1702>
     0x00005555555e722b  put_unweighted_pred_16_fallback(unsigned short*, long, short const*, long, int, int, int)+1694 mov    %rdx,%rdi
     0x00005555555e722e  put_unweighted_pred_16_fallback(unsigned short*, long, short const*, long, int, int, int)+1697 callq  0x555555570ef0 <__asan_report_store2@plt>
     0x00005555555e7233  put_unweighted_pred_16_fallback(unsigned short*, long, short const*, long, int, int, int)+1702 mov    -0x8(%rbp),%rdx
     0x00005555555e7237  put_unweighted_pred_16_fallback(unsigned short*, long, short const*, long, int, int, int)+1706 mov    %cx,(%rdx)
     0x00005555555e723a  put_unweighted_pred_16_fallback(unsigned short*, long, short const*, long, int, int, int)+1709 mov    -0x10(%rbp),%rdx
     0x00005555555e723e  put_unweighted_pred_16_fallback(unsigned short*, long, short const*, long, int, int, int)+1713 lea    0x2(%rdx),%rsi
     0x00005555555e7242  put_unweighted_pred_16_fallback(unsigned short*, long, short const*, long, int, int, int)+1717 mov    %rsi,%rdx
     0x00005555555e7245  put_unweighted_pred_16_fallback(unsigned short*, long, short const*, long, int, int, int)+1720 mov    %rdx,%rcx
    ─── Breakpoints ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ─── Expressions ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ─── History ─────────────────────────────────────────────────────────────���─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ─── Memory ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ─── Registers ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
         rax 0x000055555581d520        rbx 0x00007ffffffeed20     rcx 0x0000000000000000     rdx 0x0000000000000000     rsi 0x0000000000000000     rdi 0x0000000000000000     rbp 0x00007ffffffe2880     rsp 0x00007ffffffe2830
          r8 0x0000000000000001         r9 0x0000000000000008     r10 0x00005555555e6b8d     r11 0x0000000000000020     r12 0x000055555581d520     r13 0x0000000000000010     r14 0x00000fffffffc54c     r15 0x00007ffffffe2a60
         rip 0x00005555555e7237     eflags [ PF ZF IF RF ]         cs 0x00000033              ss 0x0000002b              ds 0x00000000              es 0x00000000              fs 0x00000000              gs 0x00000000        
    ─── Source ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     174    for (int y=0;y<height;y++) {
     175      const int16_t* in  = &src[y*srcstride];
     176      uint16_t* out = &dst[y*dststride];
     177  
     178      for (int x=0;x<width;x+=2) {
     179        out[0] = Clip_BitDepth((in[0] + offset1)>>shift1, bit_depth);
     180        out[1] = Clip_BitDepth((in[1] + offset1)>>shift1, bit_depth);
     181        out+=2; in+=2;
     182      }
     183    }
    ─── Stack ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    [0] from 0x00005555555e7237 in put_unweighted_pred_16_fallback(unsigned short*, long, short const*, long, int, int, int)+1706 at fallback-motion.cc:179
    [1] from 0x00005555557b9ed4 in acceleration_functions::put_unweighted_pred(void*, long, short const*, long, int, int, int) const+484 at ../libde265/acceleration.h:262
    [2] from 0x00005555557a2a91 in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*)+22773 at motion.cc:611
    [3] from 0x00005555557b973f in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int)+496 at motion.cc:2155
    [4] from 0x0000555555683317 in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int)+2790 at slice.cc:4136
    [5] from 0x00005555556878c2 in read_coding_unit(thread_context*, int, int, int, int)+14437 at slice.cc:4497
    [6] from 0x0000555555689e18 in read_coding_quadtree(thread_context*, int, int, int, int)+3873 at slice.cc:4652
    [7] from 0x0000555555672a98 in read_coding_tree_unit(thread_context*)+1351 at slice.cc:2861
    [8] from 0x000055555568af7c in decode_substream(thread_context*, bool, bool)+4333 at slice.cc:4741
    [9] from 0x000055555568ea40 in read_slice_segment_data(thread_context*)+1762 at slice.cc:5054
    [+]
    ─── Threads ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    [1] id 3779666 name dec265 from 0x00005555555e7237 in put_unweighted_pred_16_fallback(unsigned short*, long, short const*, long, int, int, int)+1706 at fallback-motion.cc:179
    ─── Variables ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    arg dst = 0x0: Cannot access memory at address 0x0, dststride = 0, src = 0x7ffffffe6c00: 0, srcstride = 8, width = 8, height = 8, bit_depth = 10
    loc x = 0, in = 0x7ffffffe6c00: 0, out = 0x0: Cannot access memory at address 0x0, y = 0, shift1 = 4, offset1 = 8, __PRETTY_FUNCTION__ = "void put_unweighted_pred_16_fallback(uint16_t*, ptrdiff_t, const int16_t*, ptrdiff_t, int, int, int…
    ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    >>> 
    

**Impact**

This vulnerability is capable of crashing software, causing a denial of service via a crafted input file.

CVE-2023-24757: NULL Pointer Dereference in function put_unweighted_pred_16_fallback at fallback-motion.cc:179 · Issue #385 · strukturag/libde265

libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the mc_chroma function at motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file.

**Description**

NULL Pointer Dereference in function mc\_chroma at motion.cc:244

**Version**

    git log
    commit 1cf2999583ef8a90e11933ed70908e4e2c2d8872 (HEAD -> master, origin/master, origin/HEAD)
    
    

**Steps to reproduce**

    git clone https://github.com/strukturag/libde265.git
    cd libde265
    ./autogen.sh
    export CFLAGS="-g -O0 -lpthread -fsanitize=address"
    export CXXFLAGS="-g -O0 -lpthread -fsanitize=address"
    export LDFLAGS="-fsanitize=address"
    ./configure --disable-shared
    make -j
    

    cd dec265
    ./dec265 ./poc_segv03.bin
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: maximum number of reference pictures exceeded
    WARNING: maximum number of reference pictures exceeded
    WARNING: CTB outside of image area (concealing stream error...)
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==7799==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55b3b6a88832 bp 0x7ffcc9fb8d30 sp 0x7ffcc9fb5180 T0)
    ==7799==The signal is caused by a READ memory access.
    ==7799==Hint: address points to the zero page.
        #0 0x55b3b6a88831 in void mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) /home/fuzz/libde265/libde265/motion.cc:244
        #1 0x55b3b6a80067 in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) /home/fuzz/libde265/libde265/motion.cc:412
        #2 0x55b3b6a80edd in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /home/fuzz/libde265/libde265/motion.cc:2141
        #3 0x55b3b6968fb7 in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4136
        #4 0x55b3b6971418 in read_coding_unit(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4504
        #5 0x55b3b69752e1 in read_coding_quadtree(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4652
        #6 0x55b3b69773db in decode_substream(thread_context*, bool, bool) /home/fuzz/libde265/libde265/slice.cc:4741
        #7 0x55b3b697a0c2 in read_slice_segment_data(thread_context*) /home/fuzz/libde265/libde265/slice.cc:5054
        #8 0x55b3b6883487 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /home/fuzz/libde265/libde265/decctx.cc:852
        #9 0x55b3b6886ca0 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /home/fuzz/libde265/libde265/decctx.cc:954
        #10 0x55b3b6887934 in decoder_context::decode_some(bool*) /home/fuzz/libde265/libde265/decctx.cc:739
        #11 0x55b3b688d902 in decoder_context::decode(int*) /home/fuzz/libde265/libde265/decctx.cc:1338
        #12 0x55b3b6852f9d in main /home/fuzz/libde265/dec265/dec265.cc:764
        #13 0x7f184b1ce082 in __libc_start_main ../csu/libc-start.c:308
        #14 0x55b3b68570dd in _start (/home/fuzz/libde265/dec265/dec265+0x240dd)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/fuzz/libde265/libde265/motion.cc:244 in void mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int)
    ==7799==ABORTING
    

**POC**

poc\_segv03.bin

**GDB**

    gdb --args ./dec265 ./poc_segv03.bin
    
    ─── Output/messages ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: maximum number of reference pictures exceeded
    WARNING: faulty reference picture list
    WARNING: maximum number of reference pictures exceeded
    WARNING: maximum number of reference pictures exceeded
    WARNING: CTB outside of image area (concealing stream error...)
    
    Program received signal SIGSEGV, Segmentation fault.
    0x00005555557c2324 in mc_chroma<unsigned char> (ctx=0x621000000100, sps=0x629000005210, mv_x=0, mv_y=2, xP=0, yP=0, out=0x7ffffffe6d60, out_stride=16, ref=0x0, ref_stride=0, nPbWC=8, nPbHC=16, bit_depth_C=8) at motion.cc:244
    244               padbuf[x+extra_left + (y+extra_top)*(MAX_CU_SIZE+16)] = ref[ xA + yA*ref_stride ];
    ─── Assembly ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     0x00005555557c2316  mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int)+6304 and    %edi,%edx
     0x00005555557c2318  mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int)+6306 test   %dl,%dl
     0x00005555557c231a  mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int)+6308 je     0x5555557c2324 <mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int)+6318>
     0x00005555557c231c  mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int)+6310 mov    %rax,%rdi
     0x00005555557c231f  mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int)+6313 callq  0x555555570dd0 <__asan_report_load1@plt>
     0x00005555557c2324  mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int)+6318 movzbl (%rcx),%ecx
     0x00005555557c2327  mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int)+6321 lea    -0x1610(%r15),%rdx
     0x00005555557c232e  mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int)+6328 movslq %esi,%rax
     0x00005555557c2331  mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int)+6331 add    %rdx,%rax
     0x00005555557c2334  mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int)+6334 mov    %rax,%rdx
    ─── Breakpoints ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ─── Expressions ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ─── History ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ─── Memory ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ─── Registers ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
         rax 0x0000000000000000        rbx 0x000055555581d4e0     rcx 0x0000000000000000     rdx 0x0000000000000000     rsi 0x0000000000000000     rdi 0x0000000000000000     rbp 0x00007ffffffe29f0     rsp 0x00007ffffffdee60
          r8 0x0000000000000000         r9 0x0000000000000000     r10 0x00007ffffffe2a10     r11 0x00007ffffffe6d60     r12 0x00007ffffffe2a10     r13 0x00000fffffffbde0     r14 0x00007ffffffdef00     r15 0x00007ffffffe29c0
         rip 0x00005555557c2324     eflags [ PF ZF IF RF ]         cs 0x00000033              ss 0x0000002b              ds 0x00000000              es 0x00000000              fs 0x00000000              gs 0x00000000        
    ─── Source ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     239          for (int x=-extra_left;x<nPbWC+extra_right;x++) {
     240  
     241            int xA = Clip3(0,wC-1,x + xIntOffsC);
     242            int yA = Clip3(0,hC-1,y + yIntOffsC);
     243  
     244            padbuf[x+extra_left + (y+extra_top)*(MAX_CU_SIZE+16)] = ref[ xA + yA*ref_stride ];
     245          }
     246        }
     247  
     248        src_ptr = &padbuf[extra_left + extra_top*(MAX_CU_SIZE+16)];
    ─── Stack ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    [0] from 0x00005555557c2324 in mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int)+6318 at motion.cc:244
    [1] from 0x000055555579fcb0 in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*)+11224 at motion.cc:412
    [2] from 0x00005555557b92dd in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int)+496 at motion.cc:2141
    [3] from 0x0000555555683258 in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int)+2790 at slice.cc:4136
    [4] from 0x0000555555687afa in read_coding_unit(thread_context*, int, int, int, int)+15196 at slice.cc:4504
    [5] from 0x0000555555689d5e in read_coding_quadtree(thread_context*, int, int, int, int)+3873 at slice.cc:4652
    [6] from 0x00005555556729f1 in read_coding_tree_unit(thread_context*)+1351 at slice.cc:2861
    [7] from 0x000055555568aec2 in decode_substream(thread_context*, bool, bool)+4333 at slice.cc:4741
    [8] from 0x000055555568e986 in read_slice_segment_data(thread_context*)+1762 at slice.cc:5054
    [9] from 0x000055555558c18a in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*)+3516 at decctx.cc:852
    [+]
    ─── Threads ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    [1] id 14091 name dec265 from 0x00005555557c2324 in mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int)+6318 at motion.cc:244
    ─── Variables ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    arg ctx = 0x621000000100: {<error_queue> = {warnings = {[0] = DE265_WARNING_CTB_OUTSIDE_IMAGE_AREA, […, sps = 0x629000005210: {sps_read = true,video_parameter_set_id = 12 '\f',sps_max_sub_layers = 5 '\…, mv_x = 0, mv_y = 2, xP = 0, yP = 0, out = 0x7ffffffe6d60: 0, out_stride = 16, ref = 0x0: Cannot access memory at address 0x0, ref_stride = 0, nPbWC = 8, nPbHC = 16, bit_depth_C = 8
    loc xA = 0, yA = 0, x = -1, y = -1, padbuf = '\000' <repeats 5359 times>, src_ptr = 0x0: Cannot access memory at address 0x0, src_stride = 0, extra_left = 1, extra_right = 2, extra_bottom = 2, extra_top = 1, __PRETTY_FUNCTION__ = "void mc_chroma(const base_context*, const seq_parameter_set*, int, int, int, int, int16_t*, int, co…, shift3 = 6, wC = 16, hC = 48, xFracC = 0, yFracC = 2, xIntOffsC = 0, yIntOffsC = 0, mcbuffer = {[0] = 0 <repeats 4544 times>}
    ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    >>> p ref
    $1 = (const unsigned char *) 0x0
    >>> 
    

**Impact**

This vulnerability is capable of crashing software, causing a denial of service via a crafted input file.

CVE-2023-24751: NULL Pointer Dereference in function mc_chroma at motion.cc:244 · Issue #379 · strukturag/libde265

libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the ff_hevc_put_weighted_pred_avg_8_sse function at sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file.

**Description**

NULL Pointer Dereference in function ff\_hevc\_put\_weighted\_pred\_avg\_8\_sse at sse-motion.cc:237

**Version**

    git log
    commit 7ea8e3cbb010bc02fa38419e87ed2281d7933850 (HEAD -> master, origin/master, origin/HEAD)
    Author: Dirk Farin <dirk.farin@gmail.com>
    Date:   Sat Jan 28 15:03:34 2023 +0100
    
    

**Steps to reproduce**

    git clone https://github.com/strukturag/libde265.git
    cd libde265
    ./autogen.sh
    export CFLAGS="-g -O0 -lpthread -fsanitize=address"
    export CXXFLAGS="-g -O0 -lpthread -fsanitize=address"
    export LDFLAGS="-fsanitize=address"
    ./configure --disable-shared
    make -j
    

    cd dec265
    ./dec265 ./poc_segv05.bin
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: CTB outside of image area (concealing stream error...)
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==3328352==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55555570c29d bp 0x7ffffffe28c0 sp 0x7ffffffe24d0 T0)
    ==3328352==The signal is caused by a WRITE memory access.
    ==3328352==Hint: address points to the zero page.
        #0 0x55555570c29c in _mm_storeu_si128(long long __vector(2)*, long long __vector(2)) /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:727
        #1 0x55555570c29c in ff_hevc_put_weighted_pred_avg_8_sse(unsigned char*, long, short const*, short const*, long, int, int) /home/fuzz/libde265/libde265/x86/sse-motion.cc:237
        #2 0x5555557b9c19 in acceleration_functions::put_weighted_pred_avg(void*, long, short const*, short const*, long, int, int, int) const ../libde265/acceleration.h:249
        #3 0x5555557a1a6a in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) /home/fuzz/libde265/libde265/motion.cc:544
        #4 0x5555557b973e in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /home/fuzz/libde265/libde265/motion.cc:2155
        #5 0x555555683316 in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4136
        #6 0x5555556878c1 in read_coding_unit(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4497
        #7 0x555555689e17 in read_coding_quadtree(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4652
        #8 0x555555672a97 in read_coding_tree_unit(thread_context*) /home/fuzz/libde265/libde265/slice.cc:2861
        #9 0x55555568af7b in decode_substream(thread_context*, bool, bool) /home/fuzz/libde265/libde265/slice.cc:4741
        #10 0x55555568ea3f in read_slice_segment_data(thread_context*) /home/fuzz/libde265/libde265/slice.cc:5054
        #11 0x55555558c205 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /home/fuzz/libde265/libde265/decctx.cc:852
        #12 0x55555558d6c0 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /home/fuzz/libde265/libde265/decctx.cc:954
        #13 0x55555558a7dc in decoder_context::decode_some(bool*) /home/fuzz/libde265/libde265/decctx.cc:739
        #14 0x555555589efc in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /home/fuzz/libde265/libde265/decctx.cc:697
        #15 0x55555559070e in decoder_context::decode_NAL(NAL_unit*) /home/fuzz/libde265/libde265/decctx.cc:1239
        #16 0x555555592354 in decoder_context::decode(int*) /home/fuzz/libde265/libde265/decctx.cc:1327
        #17 0x55555557cffa in de265_decode /home/fuzz/libde265/libde265/de265.cc:362
        #18 0x555555577b2f in main /home/fuzz/libde265/dec265/dec265.cc:764
        #19 0x7ffff7046082 in __libc_start_main ../csu/libc-start.c:308
        #20 0x5555555712ed in _start (/home/fuzz/libde265/dec265/dec265+0x1d2ed)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:727 in _mm_storeu_si128(long long __vector(2)*, long long __vector(2))
    ==3328352==ABORTING
    

**POC**

poc\_segv05.bin

**GDB**

    gdb --args ./dec265 ./poc_segv05.bin
    
    ─── Output/messages ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: CTB outside of image area (concealing stream error...)
    
    Program received signal SIGSEGV, Segmentation fault.
    0x000055555570c29d in _mm_storeu_si128(long long __vector(2)*, long long __vector(2)) (__B=..., __P=0x0) at /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:727
    727       *__P = __B;
    ─── Assembly ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     0x000055555570c281  _mm_storeu_si128(long long __vector(2)*, long long __vector(2))+101 mov    $0x10,%esi
     0x000055555570c286  _mm_storeu_si128(long long __vector(2)*, long long __vector(2))+106 mov    %rdx,%rdi
     0x000055555570c289  _mm_storeu_si128(long long __vector(2)*, long long __vector(2))+109 callq  0x555555571040 <__asan_report_store_n@plt>
     0x000055555570c28e  _mm_storeu_si128(long long __vector(2)*, long long __vector(2))+114 movdqa -0x250(%rbp),%xmm0
     0x000055555570c296  _mm_storeu_si128(long long __vector(2)*, long long __vector(2))+122 mov    -0x380(%rbp),%rdx
     0x000055555570c29d  _mm_storeu_si128(long long __vector(2)*, long long __vector(2))+129 movups %xmm0,(%rdx)
     0x000055555570c2a0  _mm_storeu_si128(long long __vector(2)*, long long __vector(2))+132 nop
    ~
    ~
    ~
    ─── Breakpoints ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ─── Expressions ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ─── History ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ─── Memory ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ─── Registers ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
         rax 0x000055555581d520        rbx 0x00007ffffffeed20     rcx 0x0000000000000000     rdx 0x0000000000000000     rsi 0x0000000000000007     rdi 0x0000000000000000     rbp 0x00007ffffffe2870     rsp 0x00007ffffffe2480
          r8 0x0000000000000000         r9 0x0000000000000040     r10 0x0000000000000040     r11 0x0000000000000040     r12 0x000055555581d520     r13 0x0000000000000010     r14 0x00000fffffffc54c     r15 0x00007ffffffe2a60
         rip 0x000055555570c29d     eflags [ PF ZF IF RF ]         cs 0x00000033              ss 0x0000002b              ds 0x00000000              es 0x00000000              fs 0x00000000              gs 0x00000000        
    ─── Source ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     722  }
     723  
     724  extern __inline void __attribute__((__gnu_inline__, __always_inline__, __artificial__))
     725  _mm_storeu_si128 (__m128i_u *__P, __m128i __B)
     726  {
     727    *__P = __B;
     728  }
     729  
     730  extern __inline void __attribute__((__gnu_inline__, __always_inline__, __artificial__))
     731  _mm_storel_epi64 (__m128i_u *__P, __m128i __B)
    ─── Stack ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    [0] from 0x000055555570c29d in _mm_storeu_si128(long long __vector(2)*, long long __vector(2))+129 at /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:727
    [1] from 0x000055555570c29d in ff_hevc_put_weighted_pred_avg_8_sse(unsigned char*, long, short const*, short const*, long, int, int)+1711 at sse-motion.cc:237
    [2] from 0x00005555557b9c1a in acceleration_functions::put_weighted_pred_avg(void*, long, short const*, short const*, long, int, int, int) const+282 at ../libde265/acceleration.h:249
    [3] from 0x00005555557a1a6b in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*)+18639 at motion.cc:544
    [4] from 0x00005555557b973f in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int)+496 at motion.cc:2155
    [5] from 0x0000555555683317 in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int)+2790 at slice.cc:4136
    [6] from 0x00005555556878c2 in read_coding_unit(thread_context*, int, int, int, int)+14437 at slice.cc:4497
    [7] from 0x0000555555689e18 in read_coding_quadtree(thread_context*, int, int, int, int)+3873 at slice.cc:4652
    [8] from 0x0000555555672a98 in read_coding_tree_unit(thread_context*)+1351 at slice.cc:2861
    [9] from 0x000055555568af7c in decode_substream(thread_context*, bool, bool)+4333 at slice.cc:4741
    [+]
    ─── Threads ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    [1] id 3335404 name dec265 from 0x000055555570c29d in _mm_storeu_si128(long long __vector(2)*, long long __vector(2))+129 at /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:727
    ─── Variables ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    arg __B = {[0] = 0, [1] = 0}, __P = 0x0: Cannot access memory at address 0x0
    loc x = 0, y = 0, dst = 0x0: Cannot access memory at address 0x0, r0 = {[0] = 0, [1] = 0}, r1 = {[0] = 0, [1] = 0}, f0 = {[0] = 18014673391583296, [1] = 18014673391583296}, r2 = {[0] = 0, [1] = 0}, r3 = {[0] = 0, [1] = 0}
    ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    >>> 
    

**Impact**

This vulnerability is capable of crashing software, causing a denial of service via a crafted input file.

CVE-2023-24754: NULL Pointer Dereference in function ff_hevc_put_weighted_pred_avg_8_sse at sse-motion.cc:237 · Issue #382 · strukturag/libde265

**Description**

NULL Pointer Dereference in function ff\_hevc\_put\_weighted\_pred\_avg\_8\_sse at sse-motion.cc:254

**Version**

    git log
    commit 7ea8e3cbb010bc02fa38419e87ed2281d7933850 (HEAD -> master, origin/master, origin/HEAD)
    Author: Dirk Farin <dirk.farin@gmail.com>
    Date:   Sat Jan 28 15:03:34 2023 +0100
    
    

**Steps to reproduce**

    git clone https://github.com/strukturag/libde265.git
    cd libde265
    ./autogen.sh
    export CFLAGS="-g -O0 -lpthread -fsanitize=address"
    export CXXFLAGS="-g -O0 -lpthread -fsanitize=address"
    export LDFLAGS="-fsanitize=address"
    ./configure --disable-shared
    make -j
    

    cd dec265
    ./dec265 ./poc_segv06.bin
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: CTB outside of image area (concealing stream error...)
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==3499875==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55555570c79d bp 0x7ffffffe28e0 sp 0x7ffffffe24f0 T0)
    ==3499875==The signal is caused by a WRITE memory access.
    ==3499875==Hint: address points to the zero page.
        #0 0x55555570c79c in _mm_storel_epi64(long long __vector(2)*, long long __vector(2)) /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:733
        #1 0x55555570c79c in ff_hevc_put_weighted_pred_avg_8_sse(unsigned char*, long, short const*, short const*, long, int, int) /home/fuzz/libde265/libde265/x86/sse-motion.cc:254
        #2 0x5555557b9c19 in acceleration_functions::put_weighted_pred_avg(void*, long, short const*, short const*, long, int, int, int) const ../libde265/acceleration.h:249
        #3 0x5555557a1a6a in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) /home/fuzz/libde265/libde265/motion.cc:544
        #4 0x5555557b973e in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /home/fuzz/libde265/libde265/motion.cc:2155
        #5 0x5555556848c0 in read_coding_unit(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4314
        #6 0x555555689e17 in read_coding_quadtree(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4652
        #7 0x555555689940 in read_coding_quadtree(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4635
        #8 0x555555672a97 in read_coding_tree_unit(thread_context*) /home/fuzz/libde265/libde265/slice.cc:2861
        #9 0x55555568af7b in decode_substream(thread_context*, bool, bool) /home/fuzz/libde265/libde265/slice.cc:4741
        #10 0x55555568ea3f in read_slice_segment_data(thread_context*) /home/fuzz/libde265/libde265/slice.cc:5054
        #11 0x55555558c205 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /home/fuzz/libde265/libde265/decctx.cc:852
        #12 0x55555558d6c0 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /home/fuzz/libde265/libde265/decctx.cc:954
        #13 0x55555558a7dc in decoder_context::decode_some(bool*) /home/fuzz/libde265/libde265/decctx.cc:739
        #14 0x555555589efc in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /home/fuzz/libde265/libde265/decctx.cc:697
        #15 0x55555559070e in decoder_context::decode_NAL(NAL_unit*) /home/fuzz/libde265/libde265/decctx.cc:1239
        #16 0x555555592354 in decoder_context::decode(int*) /home/fuzz/libde265/libde265/decctx.cc:1327
        #17 0x55555557cffa in de265_decode /home/fuzz/libde265/libde265/de265.cc:362
        #18 0x555555577b2f in main /home/fuzz/libde265/dec265/dec265.cc:764
        #19 0x7ffff7046082 in __libc_start_main ../csu/libc-start.c:308
        #20 0x5555555712ed in _start (/home/fuzz/libde265/dec265/dec265+0x1d2ed)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:733 in _mm_storel_epi64(long long __vector(2)*, long long __vector(2))
    ==3499875==ABORTING
    

**POC**

poc\_segv06.bin

**GDB**

    gdb --args ./dec265 ./poc_segv06.bin
    
    ─── Output/messages ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: CTB outside of image area (concealing stream error...)
    
    Program received signal SIGSEGV, Segmentation fault.
    0x000055555570c79d in _mm_storel_epi64(long long __vector(2)*, long long __vector(2)) (__B=..., __P=0x0) at /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:733
    733       *(__m64_u *)__P = (__m64) ((__v2di)__B)[0];
    ─── Assembly ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     0x000055555570c787  _mm_storel_epi64(long long __vector(2)*, long long __vector(2))+109 je     0x55555570c796 <ff_hevc_put_weighted_pred_avg_8_sse(unsigned char*, long, short const*, short const*, long, int, int)+2984>
     0x000055555570c789  _mm_storel_epi64(long long __vector(2)*, long long __vector(2))+111 mov    $0x8,%esi
     0x000055555570c78e  _mm_storel_epi64(long long __vector(2)*, long long __vector(2))+116 mov    %rdx,%rdi
     0x000055555570c791  _mm_storel_epi64(long long __vector(2)*, long long __vector(2))+119 callq  0x555555571040 <__asan_report_store_n@plt>
     0x000055555570c796  _mm_storel_epi64(long long __vector(2)*, long long __vector(2))+124 mov    -0x358(%rbp),%rdx
     0x000055555570c79d  _mm_storel_epi64(long long __vector(2)*, long long __vector(2))+131 mov    %r8,(%rdx)
     0x000055555570c7a0  _mm_storel_epi64(long long __vector(2)*, long long __vector(2))+134 nop
    ~
    ~
    ~
    ─── Breakpoints ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ─── Expressions ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ─── History ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ─── Memory ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ─── Registers ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
         rax 0x000055555581d520        rbx 0x00007ffffffeed40     rcx 0x0000000000000000     rdx 0x0000000000000000     rsi 0x0000000000000007     rdi 0x0000000000000000     rbp 0x00007ffffffe2890     rsp 0x00007ffffffe24a0
          r8 0x0000000000000000         r9 0x0000000000000000     r10 0x0000000000000040     r11 0x0000000000000040     r12 0x000055555581d520     r13 0x0000000000000010     r14 0x00000fffffffc550     r15 0x00007ffffffe2a80
         rip 0x000055555570c79d     eflags [ PF ZF IF RF ]         cs 0x00000033              ss 0x0000002b              ds 0x00000000              es 0x00000000              fs 0x00000000              gs 0x00000000        
    ─── Source ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     728  }
     729  
     730  extern __inline void __attribute__((__gnu_inline__, __always_inline__, __artificial__))
     731  _mm_storel_epi64 (__m128i_u *__P, __m128i __B)
     732  {
     733    *(__m64_u *)__P = (__m64) ((__v2di)__B)[0];
     734  }
     735  
     736  extern __inline void __attribute__((__gnu_inline__, __always_inline__, __artificial__))
     737  _mm_storeu_si64 (void *__P, __m128i __B)
    ─── Stack ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    [0] from 0x000055555570c79d in _mm_storel_epi64(long long __vector(2)*, long long __vector(2))+131 at /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:733
    [1] from 0x000055555570c79d in ff_hevc_put_weighted_pred_avg_8_sse(unsigned char*, long, short const*, short const*, long, int, int)+2991 at sse-motion.cc:254
    [2] from 0x00005555557b9c1a in acceleration_functions::put_weighted_pred_avg(void*, long, short const*, short const*, long, int, int, int) const+282 at ../libde265/acceleration.h:249
    [3] from 0x00005555557a1a6b in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*)+18639 at motion.cc:544
    [4] from 0x00005555557b973f in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int)+496 at motion.cc:2155
    [5] from 0x00005555556848c1 in read_coding_unit(thread_context*, int, int, int, int)+2148 at slice.cc:4314
    [6] from 0x0000555555689e18 in read_coding_quadtree(thread_context*, int, int, int, int)+3873 at slice.cc:4652
    [7] from 0x0000555555689941 in read_coding_quadtree(thread_context*, int, int, int, int)+2634 at slice.cc:4635
    [8] from 0x0000555555672a98 in read_coding_tree_unit(thread_context*)+1351 at slice.cc:2861
    [9] from 0x000055555568af7c in decode_substream(thread_context*, bool, bool)+4333 at slice.cc:4741
    [+]
    ─── Threads ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    [1] id 3508110 name dec265 from 0x000055555570c79d in _mm_storel_epi64(long long __vector(2)*, long long __vector(2))+131 at /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:733
    ─── Variables ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    arg __B = {[0] = 0, [1] = 0}, __P = 0x0: Cannot access memory at address 0x0
    loc x = 0, y = 0, dst = 0x0: Cannot access memory at address 0x0, r0 = {[0] = 0, [1] = 0}, r1 = {[0] = 0, [1] = 0}, f0 = {[0] = 18014673391583296, [1] = 18014673391583296}, r2 = {[0] = 0, [1] = 0}, r3 = {[0] = 0, [1] = 0}
    ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    >>> 
    

**Impact**

This vulnerability is capable of crashing software, causing a denial of service via a crafted input file.

CVE-2023-24758: NULL Pointer Dereference in function ff_hevc_put_weighted_pred_avg_8_sse at sse-motion.cc:254 · Issue #383 · strukturag/libde265

libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the put_weighted_pred_8_fallback function at fallback-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file.

**Description**

NULL Pointer Dereference in function put\_weighted\_pred\_8\_fallback at fallback-motion.cc:69

**Version**

    git log
    commit 7ea8e3cbb010bc02fa38419e87ed2281d7933850 (HEAD -> master, origin/master, origin/HEAD)
    Author: Dirk Farin <dirk.farin@gmail.com>
    Date:   Sat Jan 28 15:03:34 2023 +0100
    
    

**Steps to reproduce**

    git clone https://github.com/strukturag/libde265.git
    cd libde265
    ./autogen.sh
    export CFLAGS="-g -O0 -lpthread -fsanitize=address"
    export CXXFLAGS="-g -O0 -lpthread -fsanitize=address"
    export LDFLAGS="-fsanitize=address"
    ./configure --disable-shared
    make -j
    

    cd dec265
    ./dec265 ./poc_segv08.bin
    WARNING: non-existing PPS referenced
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==3596870==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5555555e5c61 bp 0x7ffffffe2930 sp 0x7ffffffe28e0 T0)
    ==3596870==The signal is caused by a WRITE memory access.
    ==3596870==Hint: address points to the zero page.
        #0 0x5555555e5c60 in put_weighted_pred_8_fallback(unsigned char*, long, short const*, long, int, int, int, int, int) /home/fuzz/libde265/libde265/fallback-motion.cc:69
        #1 0x5555557ba002 in acceleration_functions::put_weighted_pred(void*, long, short const*, long, int, int, int, int, int, int) const ../libde265/acceleration.h:272
        #2 0x5555557a124f in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) /home/fuzz/libde265/libde265/motion.cc:512
        #3 0x5555557b973e in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /home/fuzz/libde265/libde265/motion.cc:2155
        #4 0x5555556848c0 in read_coding_unit(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4314
        #5 0x555555689e17 in read_coding_quadtree(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4652
        #6 0x555555672a97 in read_coding_tree_unit(thread_context*) /home/fuzz/libde265/libde265/slice.cc:2861
        #7 0x55555568af7b in decode_substream(thread_context*, bool, bool) /home/fuzz/libde265/libde265/slice.cc:4741
        #8 0x55555568ea3f in read_slice_segment_data(thread_context*) /home/fuzz/libde265/libde265/slice.cc:5054
        #9 0x55555558c205 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /home/fuzz/libde265/libde265/decctx.cc:852
        #10 0x55555558d6c0 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /home/fuzz/libde265/libde265/decctx.cc:954
        #11 0x55555558a7dc in decoder_context::decode_some(bool*) /home/fuzz/libde265/libde265/decctx.cc:739
        #12 0x555555589efc in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /home/fuzz/libde265/libde265/decctx.cc:697
        #13 0x55555559070e in decoder_context::decode_NAL(NAL_unit*) /home/fuzz/libde265/libde265/decctx.cc:1239
        #14 0x555555592354 in decoder_context::decode(int*) /home/fuzz/libde265/libde265/decctx.cc:1327
        #15 0x55555557cffa in de265_decode /home/fuzz/libde265/libde265/de265.cc:362
        #16 0x555555577b2f in main /home/fuzz/libde265/dec265/dec265.cc:764
        #17 0x7ffff7046082 in __libc_start_main ../csu/libc-start.c:308
        #18 0x5555555712ed in _start (/home/fuzz/libde265/dec265/dec265+0x1d2ed)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/fuzz/libde265/libde265/fallback-motion.cc:69 in put_weighted_pred_8_fallback(unsigned char*, long, short const*, long, int, int, int, int, int)
    ==3596870==ABORTING
    

**POC**

poc\_segv08.bin

**GDB**

    gdb --args ./dec265 ./poc_segv08.bin
    
    ─── Output/messages ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    WARNING: non-existing PPS referenced
    
    Program received signal SIGSEGV, Segmentation fault.
    0x00005555555e5c61 in put_weighted_pred_8_fallback (dst=0x0, dststride=0, src=0x7ffffffe6c90, srcstride=8, width=8, height=8, w=1, o=0, log2WD=6) at fallback-motion.cc:69
    69            out[0] = Clip1_8bit(((in[0]*w + rnd)>>log2WD) + o);
    ─── Assembly ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     0x00005555555e5c51  put_weighted_pred_8_fallback(unsigned char*, long, short const*, long, int, int, int, int, int)+1111 test   %cl,%cl
     0x00005555555e5c53  put_weighted_pred_8_fallback(unsigned char*, long, short const*, long, int, int, int, int, int)+1113 je     0x5555555e5c5d <put_weighted_pred_8_fallback(unsigned char*, long, short const*, long, int, int, int, int, int)+1123>
     0x00005555555e5c55  put_weighted_pred_8_fallback(unsigned char*, long, short const*, long, int, int, int, int, int)+1115 mov    %rdx,%rdi
     0x00005555555e5c58  put_weighted_pred_8_fallback(unsigned char*, long, short const*, long, int, int, int, int, int)+1118 callq  0x555555570e00 <__asan_report_store1@plt>
     0x00005555555e5c5d  put_weighted_pred_8_fallback(unsigned char*, long, short const*, long, int, int, int, int, int)+1123 mov    -0x8(%rbp),%rdx
     0x00005555555e5c61  put_weighted_pred_8_fallback(unsigned char*, long, short const*, long, int, int, int, int, int)+1127 mov    %dil,(%rdx)
     0x00005555555e5c64  put_weighted_pred_8_fallback(unsigned char*, long, short const*, long, int, int, int, int, int)+1130 addq   $0x1,-0x8(%rbp)
     0x00005555555e5c69  put_weighted_pred_8_fallback(unsigned char*, long, short const*, long, int, int, int, int, int)+1135 addq   $0x2,-0x10(%rbp)
     0x00005555555e5c6e  put_weighted_pred_8_fallback(unsigned char*, long, short const*, long, int, int, int, int, int)+1140 addl   $0x1,-0x18(%rbp)
     0x00005555555e5c72  put_weighted_pred_8_fallback(unsigned char*, long, short const*, long, int, int, int, int, int)+1144 jmpq   0x5555555e5a29 <put_weighted_pred_8_fallback(unsigned char*, long, short const*, long, int, int, int, int, int)+559>
    ─── Breakpoints ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ─── Expressions ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ─── History ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ─── Memory ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ─── Registers ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
         rax 0x000055555581d520        rbx 0x00007ffffffeedb0     rcx 0x0000000000000000     rdx 0x0000000000000000     rsi 0x0000000000000000     rdi 0x0000000000000000     rbp 0x00007ffffffe28e0     rsp 0x00007ffffffe2890
          r8 0x0000000000000000         r9 0x0000000000000008     r10 0x00005555555e57fa     r11 0x0000000000000000     r12 0x000055555581d520     r13 0x0000000000000010     r14 0x00000fffffffc55e     r15 0x00007ffffffe2af0
         rip 0x00005555555e5c61     eflags [ PF ZF IF RF ]         cs 0x00000033              ss 0x0000002b              ds 0x00000000              es 0x00000000              fs 0x00000000              gs 0x00000000        
    ─── Source ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     64    for (int y=0;y<height;y++) {
     65      const int16_t* in  = &src[y*srcstride];
     66      uint8_t* out = &dst[y*dststride];
     67  
     68      for (int x=0;x<width;x++) {
     69        out[0] = Clip1_8bit(((in[0]*w + rnd)>>log2WD) + o);
     70        out++; in++;
     71      }
     72    }
     73  }
    ─── Stack ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    [0] from 0x00005555555e5c61 in put_weighted_pred_8_fallback(unsigned char*, long, short const*, long, int, int, int, int, int)+1127 at fallback-motion.cc:69
    [1] from 0x00005555557ba003 in acceleration_functions::put_weighted_pred(void*, long, short const*, long, int, int, int, int, int, int) const+295 at ../libde265/acceleration.h:272
    [2] from 0x00005555557a1250 in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*)+16564 at motion.cc:512
    [3] from 0x00005555557b973f in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int)+496 at motion.cc:2155
    [4] from 0x00005555556848c1 in read_coding_unit(thread_context*, int, int, int, int)+2148 at slice.cc:4314
    [5] from 0x0000555555689e18 in read_coding_quadtree(thread_context*, int, int, int, int)+3873 at slice.cc:4652
    [6] from 0x0000555555672a98 in read_coding_tree_unit(thread_context*)+1351 at slice.cc:2861
    [7] from 0x000055555568af7c in decode_substream(thread_context*, bool, bool)+4333 at slice.cc:4741
    [8] from 0x000055555568ea40 in read_slice_segment_data(thread_context*)+1762 at slice.cc:5054
    [9] from 0x000055555558c206 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*)+3516 at decctx.cc:852
    [+]
    ─── Threads ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    [1] id 3600511 name dec265 from 0x00005555555e5c61 in put_weighted_pred_8_fallback(unsigned char*, long, short const*, long, int, int, int, int, int)+1127 at fallback-motion.cc:69
    ─── Variables ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    arg dst = 0x0: Cannot access memory at address 0x0, dststride = 0, src = 0x7ffffffe6c90: 0, srcstride = 8, width = 8, height = 8, w = 1, o = 0, log2WD = 6
    loc x = 0, in = 0x7ffffffe6c90: 0, out = 0x0: Cannot access memory at address 0x0, y = 0, __PRETTY_FUNCTION__ = "void put_weighted_pred_8_fallback(uint8_t*, ptrdiff_t, const int16_t*, ptrdiff_t, int, int, int, in…, rnd = 32
    ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    >>> p out
    $1 = (uint8_t *) 0x0
    >>> 
    

**Impact**

This vulnerability is capable of crashing software, causing a denial of service via a crafted input file.

CVE-2023-24755: NULL Pointer Dereference in function put_weighted_pred_8_fallback at fallback-motion.cc:69 · Issue #384 · strukturag/libde265

libde265 v1.0.10 was discovered to contain a NULL pointer dereference in the ff_hevc_put_hevc_epel_pixels_8_sse function at sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input file.

**Description**

NULL Pointer Dereference in function ff\_hevc\_put\_hevc\_epel\_pixels\_8\_sse at sse-motion.cc:987

**Version**

    git log
    commit 1cf2999583ef8a90e11933ed70908e4e2c2d8872 (HEAD -> master, origin/master, origin/HEAD)
    
    

**Steps to reproduce**

    git clone https://github.com/strukturag/libde265.git
    cd libde265
    ./autogen.sh
    export CFLAGS="-g -O0 -lpthread -fsanitize=address"
    export CXXFLAGS="-g -O0 -lpthread -fsanitize=address"
    export LDFLAGS="-fsanitize=address"
    ./configure --disable-shared
    make -j
    

    cd dec265
    ./dec265 ./poc_segv02.bin
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: maximum number of reference pictures exceeded
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: maximum number of reference pictures exceeded
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: non-existing PPS referenced
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: CTB outside of image area (concealing stream error...)
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==7777==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x561cd0288664 bp 0x000000000008 sp 0x7ffc7e060af0 T0)
    ==7777==The signal is caused by a READ memory access.
    ==7777==Hint: address points to the zero page.
        #0 0x561cd0288663 in _mm_loadl_epi64(long long __vector(2) const*) /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:709
        #1 0x561cd0288663 in ff_hevc_put_hevc_epel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, int, int, short*) /home/fuzz/libde265/libde265/x86/sse-motion.cc:987
        #2 0x561cd032c6ab in acceleration_functions::put_hevc_epel(short*, long, void const*, long, int, int, int, int, short*, int) const ../libde265/acceleration.h:296
        #3 0x561cd032c6ab in void mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) /home/fuzz/libde265/libde265/motion.cc:205
        #4 0x561cd0323067 in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) /home/fuzz/libde265/libde265/motion.cc:412
        #5 0x561cd0323edd in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /home/fuzz/libde265/libde265/motion.cc:2141
        #6 0x561cd020f601 in read_coding_unit(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4314
        #7 0x561cd02182e1 in read_coding_quadtree(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4652
        #8 0x561cd02188b6 in read_coding_quadtree(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4638
        #9 0x561cd021a3db in decode_substream(thread_context*, bool, bool) /home/fuzz/libde265/libde265/slice.cc:4741
        #10 0x561cd021d0c2 in read_slice_segment_data(thread_context*) /home/fuzz/libde265/libde265/slice.cc:5054
        #11 0x561cd0126487 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /home/fuzz/libde265/libde265/decctx.cc:852
        #12 0x561cd0129ca0 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /home/fuzz/libde265/libde265/decctx.cc:954
        #13 0x561cd012a934 in decoder_context::decode_some(bool*) /home/fuzz/libde265/libde265/decctx.cc:739
        #14 0x561cd012e1c7 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /home/fuzz/libde265/libde265/decctx.cc:697
        #15 0x561cd012f62c in decoder_context::decode_NAL(NAL_unit*) /home/fuzz/libde265/libde265/decctx.cc:1239
        #16 0x561cd0130df5 in decoder_context::decode(int*) /home/fuzz/libde265/libde265/decctx.cc:1327
        #17 0x561cd00f5f9d in main /home/fuzz/libde265/dec265/dec265.cc:764
        #18 0x7f8428229082 in __libc_start_main ../csu/libc-start.c:308
        #19 0x561cd00fa0dd in _start (/home/fuzz/libde265/dec265/dec265+0x240dd)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:709 in _mm_loadl_epi64(long long __vector(2) const*)
    ==7777==ABORTING
    

**POC**

poc\_segv02.bin

**GDB**

    gdb --args ./dec265 ./poc_segv02.bin
    
    ─── Output/messages ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: maximum number of reference pictures exceeded
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: maximum number of reference pictures exceeded
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: non-existing PPS referenced
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: CTB outside of image area (concealing stream error...)
    
    Program received signal SIGSEGV, Segmentation fault.
    _mm_loadl_epi64(long long __vector(2) const*) (__P=<optimized out>) at /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:709
    709       return _mm_set_epi64 ((__m64)0LL, *(__m64_u *)__P);
    ─── Assembly ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     0x0000555555706650  _mm_loadl_epi64(long long __vector(2) const*)+84  setle  %r10b
     0x0000555555706654  _mm_loadl_epi64(long long __vector(2) const*)+88  test   %dil,%dil
     0x0000555555706657  _mm_loadl_epi64(long long __vector(2) const*)+91  setne  %r11b
     0x000055555570665b  _mm_loadl_epi64(long long __vector(2) const*)+95  test   %r11b,%r10b
     0x000055555570665e  _mm_loadl_epi64(long long __vector(2) const*)+98  jne    0x55555570713a <ff_hevc_put_hevc_epel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, int, int, short*)+4010>
     0x0000555555706664  _mm_loadl_epi64(long long __vector(2) const*)+104 movq   0x0(%rbp),%xmm7
     0x0000555555706669  _mm_loadl_epi64(long long __vector(2) const*)+109 mov    %r12,%r9
     0x000055555570666c  _mm_loadl_epi64(long long __vector(2) const*)+112 shr    $0x3,%r9
     0x0000555555706670  _mm_loadl_epi64(long long __vector(2) const*)+116 cmpw   $0x0,0x7fff8000(%r9)
     0x0000555555706679  _mm_loadl_epi64(long long __vector(2) const*)+125 punpcklbw %xmm6,%xmm7
    ─── Breakpoints ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ─── Expressions ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ─── History ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ─── Memory ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    ─── Registers ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
         rax 0x0000000000000001        rbx 0x0000000000000000     rcx 0xffffffffffffffe0     rdx 0x00005555557f0fc0     rsi 0x0000000000000000     rdi 0x0000000000000000     rbp 0x0000000000000008     rsp 0x00007ffffffde7f0
          r8 0x0000000000000008         r9 0x0000000000000001     r10 0x0000000000000001     r11 0x0000000000000000     r12 0x00007ffffffe66a0     r13 0x0000000000000000     r14 0x0000000000000008     r15 0x00000aaaaaafe2a1
         rip 0x0000555555706664     eflags [ PF ZF IF RF ]         cs 0x00000033              ss 0x0000002b              ds 0x00000000              es 0x00000000              fs 0x00000000              gs 0x00000000        
    ─── Source ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     704  }
     705  
     706  extern __inline __m128i __attribute__((__gnu_inline__, __always_inline__, __artificial__))
     707  _mm_loadl_epi64 (__m128i_u const *__P)
     708  {
     709    return _mm_set_epi64 ((__m64)0LL, *(__m64_u *)__P);
     710  }
     711  
     712  extern __inline __m128i __attribute__((__gnu_inline__, __always_inline__, __artificial__))
     713  _mm_loadu_si64 (void const *__P)
    ─── Stack ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────���────────────────────────────────────────────────────────────────────
    [0] from 0x0000555555706664 in _mm_loadl_epi64(long long __vector(2) const*)+104 at /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:709
    [1] from 0x0000555555706664 in ff_hevc_put_hevc_epel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, int, int, short*)+1236 at sse-motion.cc:987
    [2] from 0x00005555557aa6ac in acceleration_functions::put_hevc_epel(short*, long, void const*, long, int, int, int, int, short*, int) const+182 at ../libde265/acceleration.h:296
    [3] from 0x00005555557aa6ac in mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int)+7260 at motion.cc:205
    [4] from 0x00005555557a1068 in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*)+26328 at ../libde265/image.h:301
    [5] from 0x00005555557a1ede in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int)+446 at motion.cc:2141
    [6] from 0x000055555568d602 in read_coding_unit(thread_context*, int, int, int, int)+8402 at slice.cc:4314
    [7] from 0x00005555556962e2 in read_coding_quadtree(thread_context*, int, int, int, int)+2834 at slice.cc:4652
    [8] from 0x00005555556968b7 in read_coding_quadtree(thread_context*, int, int, int, int)+4327 at slice.cc:4638
    [9] from 0x0000555555697b83 in read_coding_tree_unit(thread_context*)+1587 at slice.cc:2861
    [+]
    ─── Threads ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    [1] id 7781 name dec265 from 0x0000555555706664 in _mm_loadl_epi64(long long __vector(2) const*)+104 at /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:709
    ─── Variables ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    arg __P = <optimized out>
    loc x = 0, y = 0, x1 = <optimized out>, x2 = <optimized out>, src = 0x8 <error: Cannot access memory at address 0x8>: Cannot access memory at address 0x8…
    ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    >>> 
    

**Impact**

This vulnerability is capable of crashing software, causing a denial of service via a crafted input file.

Tag

#linux