There is an Assertion `scaling_list_pred_matrix_id_delta==1' failed at sps.cc:925 in libde265 v1.0.8 when decoding file, which allows attackers to cause a Denial of Service (DoS) by running the application with a crafted file or possibly have unspecified other impact.

Hello,  
There is an Assertion \`scaling\_list\_pred\_matrix\_id\_delta==1' failed at sps.cc:925 in libde265 v1.0.8 when decoding file.  
System info：  
Ubuntu 20.04.1 : clang 10.0.0 , gcc 9.3.0

Dec265 v1.0.8

poc (3).zip

Verification steps：  
1.Get the source code of libde265  
2.Compile

    cd libde265
    mkdir build && cd build
    cmake ../ -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_CXX_FLAGS="fsanitize=address"
    make -j 16
    

3.run dec265

Output

    WARNING: non-existing PPS referenced
    dec265: /home/dh/sda3/libde265-master/libde265-master/libde265/sps.cc:925: de265_error read_scaling_list(bitreader*, const seq_parameter_set*, scaling_list_data*, bool): Assertion `scaling_list_pred_matrix_id_delta==1' failed.
    Aborted(core dumped)
    
    

gdb info

    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    WARNING: non-existing PPS referenced
    dec265-afl++: /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/sps.cc:925: de265_error read_scaling_list(bitreader*, const seq_parameter_set*, scaling_list_data*, bool): Assertion `scaling_list_pred_matrix_id_delta==1' failed.
    
    Program received signal SIGABRT, Aborted.
    [----------------------------------registers-----------------------------------]
    RAX: 0x0 
    RBX: 0x7ffff6c3a680 (0x00007ffff6c3a680)
    RCX: 0x7ffff6e0618b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
    RDX: 0x0 
    RSI: 0x7fffffff1ab0 --> 0x0 
    RDI: 0x2 
    RBP: 0x7ffff6f7b588 ("%s%s%s:%u: %s%sAssertion `%s' failed.\n%n")
    RSP: 0x7fffffff1ab0 --> 0x0 
    RIP: 0x7ffff6e0618b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
    R8 : 0x0 
    R9 : 0x7fffffff1ab0 --> 0x0 
    R10: 0x8 
    R11: 0x246 
    R12: 0x7ffff7538760 ("/home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/sps.cc")
    R13: 0x39d 
    R14: 0x7ffff75388a0 ("scaling_list_pred_matrix_id_delta==1")
    R15: 0x0
    EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff6e0617f <__GI_raise+191>:	mov    edi,0x2
       0x7ffff6e06184 <__GI_raise+196>:	mov    eax,0xe
       0x7ffff6e06189 <__GI_raise+201>:	syscall 
    => 0x7ffff6e0618b <__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108]
       0x7ffff6e06193 <__GI_raise+211>:	xor    rax,QWORD PTR fs:0x28
       0x7ffff6e0619c <__GI_raise+220>:	jne    0x7ffff6e061c4 <__GI_raise+260>
       0x7ffff6e0619e <__GI_raise+222>:	mov    eax,r8d
       0x7ffff6e061a1 <__GI_raise+225>:	add    rsp,0x118
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffff1ab0 --> 0x0 
    0008| 0x7fffffff1ab8 --> 0x7ffff768f6f0 (<free>:	endbr64)
    0016| 0x7fffffff1ac0 --> 0xe4e4e4e3fbad8000 
    0024| 0x7fffffff1ac8 --> 0x612000000040 --> 0x612d353606800001 
    0032| 0x7fffffff1ad0 --> 0x6120000000a5 ("265_error read_scaling_list(bitreader*, const seq_parameter_set*, scaling_list_data*, bool): Assertion `scaling_list_pred_matrix_id_delta==1' failed.\n")
    0040| 0x7fffffff1ad8 --> 0x612000000040 --> 0x612d353606800001 
    0048| 0x7fffffff1ae0 --> 0x612000000040 --> 0x612d353606800001 
    0056| 0x7fffffff1ae8 --> 0x61200000013b --> 0x0 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGABRT
    __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
    50	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    
    

source code of sps.cc:925

    912 if (scaling_list_pred_matrix_id_delta==0) {
    913         if (sizeId==0) {
    914           memcpy(curr_scaling_list, default_ScalingList_4x4, 16);
    915          }
    916         else {
    917            if (canonicalMatrixId<3)
    918              { memcpy(curr_scaling_list, default_ScalingList_8x8_intra,64); }
    919            else
    920              { memcpy(curr_scaling_list, default_ScalingList_8x8_inter,64); }
    921          }
    922        }
    923        else {
    924          // TODO: CHECK: for sizeID=3 and the second matrix, should we have delta=1 or delta=3 ?
    925          if (sizeId==3) { assert(scaling_list_pred_matrix_id_delta==1); }
    926
    927          int mID = matrixId - scaling_list_pred_matrix_id_delta;
    928
    929          int len = (sizeId == 0 ? 16 : 64);
    930          memcpy(curr_scaling_list, scaling_list[mID], len);
    931
    932          scaling_list_dc_coef       = dc_coeff[sizeId][mID];
    933          dc_coeff[sizeId][matrixId] = dc_coeff[sizeId][mID];
    934        }
    935      }

CVE-2021-36409: There is an Assertion failed at sps.cc · Issue #300 · strukturag/libde265

A stack-buffer-overflow exists in libde265 v1.0.8 via fallback-motion.cc in function put_epel_hv_fallback when running program dec265.

Hello,  
A stack-buffer-overflow has occurred when running program dec265  
System info：  
Ubuntu 20.04.1 : clang 10.0.0 , gcc 9.3.0

Dec265 v1.0.8

poc (4).zip

Verification steps：  
1.Get the source code of libde265  
2.Compile

    cd libde265
    mkdir build && cd build
    cmake ../ -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_CXX_FLAGS="fsanitize=address"
    make -j 32
    

3.run dec265

asan info

    =================================================================
    ==1262407==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffeacbd65e3 at pc 0x7ff9ff7de308 bp 0x7ffeacbd3f00 sp 0x7ffeacbd3ef0
    READ of size 2 at 0x7ffeacbd65e3 thread T0
        #0 0x7ff9ff7de307 in void put_epel_hv_fallback<unsigned short>(short*, long, unsigned short const*, long, int, int, int, int, short*, int) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/fallback-motion.cc:352
        #1 0x7ff9ff830067 in acceleration_functions::put_hevc_epel_hv(short*, long, void const*, long, int, int, int, int, short*, int) const /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/acceleration.h:328
        #2 0x7ff9ff830067 in void mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/motion.cc:254
        #3 0x7ff9ff8262ab in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/motion.cc:388
        #4 0x7ff9ff828626 in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/motion.cc:2107
        #5 0x7ff9ff89c8aa in read_coding_unit(thread_context*, int, int, int, int) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/slice.cc:4314
        #6 0x7ff9ff8a48f2 in read_coding_quadtree(thread_context*, int, int, int, int) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/slice.cc:4652
        #7 0x7ff9ff8a4e43 in read_coding_quadtree(thread_context*, int, int, int, int) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/slice.cc:4638
        #8 0x7ff9ff8a4ace in read_coding_quadtree(thread_context*, int, int, int, int) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/slice.cc:4645
        #9 0x7ff9ff8a4db9 in read_coding_quadtree(thread_context*, int, int, int, int) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/slice.cc:4641
        #10 0x7ff9ff8a6564 in decode_substream(thread_context*, bool, bool) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/slice.cc:4741
        #11 0x7ff9ff8a8ddb in read_slice_segment_data(thread_context*) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/slice.cc:5054
        #12 0x7ff9ff78dd75 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/decctx.cc:843
        #13 0x7ff9ff790c0f in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/decctx.cc:945
        #14 0x7ff9ff791715 in decoder_context::decode_some(bool*) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/decctx.cc:730
        #15 0x7ff9ff7949bb in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/decctx.cc:688
        #16 0x7ff9ff795839 in decoder_context::decode_NAL(NAL_unit*) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/decctx.cc:1230
        #17 0x7ff9ff796e1e in decoder_context::decode(int*) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/decctx.cc:1318
        #18 0x5573510028fd in main /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/dec265/dec265.cc:764
        #19 0x7ff9ff2e50b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #20 0x55735100576d in _start (/home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/out/dec265-afl+++0xa76d)
    
    Address 0x7ffeacbd65e3 is located in stack of thread T0 at offset 9315 in frame
        #0 0x7ff9ff82e67f in void mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/motion.cc:174
    
      This frame has 2 object(s):
        [32, 9120) 'mcbuffer' (line 200)
        [9392, 14752) 'padbuf' (line 222) <== Memory access at offset 9315 underflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/fallback-motion.cc:352 in void put_epel_hv_fallback<unsigned short>(short*, long, unsigned short const*, long, int, int, int, int, short*, int)
    Shadow bytes around the buggy address:
      0x100055972c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100055972c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100055972c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100055972c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100055972ca0: 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
    =>0x100055972cb0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2[f2]f2 f2 f2
      0x100055972cc0: f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00
      0x100055972cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100055972ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100055972cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100055972d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1262407==ABORTING

CVE-2021-36410: stack-buffer-overflow in fallback-motion.cc when decoding file · Issue #301 · strukturag/libde265

An issue has been found in libde265 v1.0.8 due to incorrect access control. A SEGV caused by a READ memory access in function derive_boundaryStrength of deblock.cc has occurred. The vulnerability causes a segmentation fault and application crash, which leads to remote denial of service.

Hello,  
A SEGV of deblock.cc in function derive\_boundaryStrength has occurred when running program dec265，

source code

    283 if ((edgeFlags & transformEdgeMask) &&
    284              (img->get_nonzero_coefficient(xDi   ,yDi) ||
    285               img->get_nonzero_coefficient(xDiOpp,yDiOpp))) {
    286            bS = 1;
    287          }
    288          else {
    289
    290            bS = 0;
    291
    292            const PBMotion& mviP = img->get_mv_info(xDiOpp,yDiOpp);
    293            const PBMotion& mviQ = img->get_mv_info(xDi   ,yDi);
    294
    295            slice_segment_header* shdrP = img->get_SliceHeader(xDiOpp,yDiOpp);
    296            slice_segment_header* shdrQ = img->get_SliceHeader(xDi   ,yDi);
    297
    298            int refPicP0 = mviP.predFlag[0] ? shdrP->RefPicList[0][ mviP.refIdx[0] ] : -1;
    299            int refPicP1 = mviP.predFlag[1] ? shdrP->RefPicList[1][ mviP.refIdx[1] ] : -1;
    300            int refPicQ0 = mviQ.predFlag[0] ? shdrQ->RefPicList[0][ mviQ.refIdx[0] ] : -1;
    301            int refPicQ1 = mviQ.predFlag[1] ? shdrQ->RefPicList[1][ mviQ.refIdx[1] ] : -1;
    302
    303            bool samePics = ((refPicP0==refPicQ0 && refPicP1==refPicQ1) ||
    304                             (refPicP0==refPicQ1 && refPicP1==refPicQ0));
    

**Due to incorrect access control, a SEGV caused by a READ memory access occurred at line 298 of the code. This issue can cause a Denial of Service attack.**

System info：  
Ubuntu 20.04.1 : clang 10.0.0 , gcc 9.3.0

Dec265 v1.0.8

poc.zip

Verification steps：  
1.Get the source code of libde265  
2.Compile

    cd libde265
    mkdir build && cd build
    cmake ../ -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_CXX_FLAGS="fsanitize=address"
    make -j 32
    

3.run dec265(without asan)

Output

    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: CTB outside of image area (concealing stream error...)
    Segmentation fault(core dumped)
    
    

AddressSanitizer output

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==3532158==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000003d0 (pc 0x7f19b4f52978 bp 0x616000001580 sp 0x7fff00e87c20 T0)
    ==3532158==The signal is caused by a READ memory access.
    ==3532158==Hint: address points to the zero page.
        #0 0x7f19b4f52977 in derive_boundaryStrength(de265_image*, bool, int, int, int, int) /home/dh/sda3/libde265-master/libde265-master/libde265/deblock.cc:298
        #1 0x7f19b4f56835 in apply_deblocking_filter(de265_image*) /home/dh/sda3/libde265-master/libde265-master/libde265/deblock.cc:1046
        #2 0x7f19b4f7e626 in decoder_context::run_postprocessing_filters_sequential(de265_image*) /home/dh/sda3/libde265-master/libde265-master/libde265/decctx.cc:1880
        #3 0x7f19b4f9baa0 in decoder_context::decode_some(bool*) /home/dh/sda3/libde265-master/libde265-master/libde265/decctx.cc:769
        #4 0x7f19b4f9f95e in decoder_context::decode(int*) /home/dh/sda3/libde265-master/libde265-master/libde265/decctx.cc:1329
        #5 0x55704ed8c8fd in main /home/dh/sda3/libde265-master/libde265-master/dec265/dec265.cc:764
        #6 0x7f19b4aee0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #7 0x55704ed8f76d in _start (/home/dh/sda3/libde265-master/libde265-master/dec265+0xa76d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/dh/sda3/libde265-master/libde265-master/libde265/deblock.cc:298 in derive_boundaryStrength(de265_image*, bool, int, int, int, int)
    ==3532158==ABORTING
    
    
    
    

gdb info

    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    WARNING: non-existing reference picture accessed
    WARNING: non-existing reference picture accessed
    WARNING: non-existing reference picture accessed
    WARNING: non-existing reference picture accessed
    WARNING: non-existing reference picture accessed
    WARNING: non-existing reference picture accessed
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: CTB outside of image area (concealing stream error...)
    
    Program received signal SIGSEGV, Segmentation fault.
    [----------------------------------registers-----------------------------------]
    RAX: 0x0 
    RBX: 0x2 
    RCX: 0x61b000001580 --> 0xbebebebe00000000 
    RDX: 0x0 
    RSI: 0x7a ('z')
    RDI: 0x3d0 
    RBP: 0x616000001580 --> 0xbebebebe00000007 
    RSP: 0x7fffffff36e0 --> 0x3000000000 --> 0x0 
    RIP: 0x7ffff724b978 (<derive_boundaryStrength(de265_image*, bool, int, int, int, int)+6024>:	mov    ebx,DWORD PTR [r9+r15*4+0x3b8])
    R8 : 0x3 
    R9 : 0x0 
    R10: 0x6330000d6800 --> 0x8ffff00000101 
    R11: 0x6330000d6200 --> 0x60101 
    R12: 0x0 
    R13: 0xffffffffffffff90 
    R14: 0x7ffff31ff800 --> 0xbebebebebebebebe 
    R15: 0x6
    EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff724b96e <derive_boundaryStrength(de265_image*, bool, int, int, int, int)+6014>:	
        jl     0x7ffff724b978 <derive_boundaryStrength(de265_image*, bool, int, int, int, int)+6024>
       0x7ffff724b970 <derive_boundaryStrength(de265_image*, bool, int, int, int, int)+6016>:	test   dl,dl
       0x7ffff724b972 <derive_boundaryStrength(de265_image*, bool, int, int, int, int)+6018>:	
        jne    0x7ffff724dd87 <derive_boundaryStrength(de265_image*, bool, int, int, int, int)+15255>
    => 0x7ffff724b978 <derive_boundaryStrength(de265_image*, bool, int, int, int, int)+6024>:	mov    ebx,DWORD PTR [r9+r15*4+0x3b8]
       0x7ffff724b980 <derive_boundaryStrength(de265_image*, bool, int, int, int, int)+6032>:	mov    edx,0x376d
       0x7ffff724b985 <derive_boundaryStrength(de265_image*, bool, int, int, int, int)+6037>:	mov    eax,0xafce
       0x7ffff724b98a <derive_boundaryStrength(de265_image*, bool, int, int, int, int)+6042>:	lea    r15,[r11+0x1]
       0x7ffff724b98e <derive_boundaryStrength(de265_image*, bool, int, int, int, int)+6046>:	mov    rdi,r15
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffff36e0 --> 0x3000000000 --> 0x0 
    0008| 0x7fffffff36e8 --> 0x6160000016f8 --> 0x4000000080 --> 0x0 
    0016| 0x7fffffff36f0 --> 0x6160000016e8 --> 0x625000057900 --> 0x0 
    0024| 0x7fffffff36f8 --> 0xa000000080 --> 0x0 
    0032| 0x7fffffff3700 --> 0x1 
    0040| 0x7fffffff3708 --> 0xbf000000c0 --> 0x0 
    0048| 0x7fffffff3710 --> 0x61600000167c --> 0x4000000003 --> 0x0 
    0056| 0x7fffffff3718 --> 0xff00f800 --> 0x0 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    0x00007ffff724b978 in derive_boundaryStrength (img=img@entry=0x616000001580, 
        vertical=vertical@entry=0x0, yStart=yStart@entry=0x0, 
        yEnd=<optimized out>, xStart=xStart@entry=0x0, xEnd=<optimized out>)
        at /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/deblock.cc:298
    298	            int refPicP0 = mviP.predFlag[0] ? shdrP->RefPicList[0][ mviP.refIdx[0] ] : -1;

CVE-2021-36411: A SEGV has occurred when running program dec265 · Issue #302 · strukturag/libde265

A heab-based buffer overflow vulnerability exists in MP4Box in GPAC 1.0.1 via media.c, which allows attackers to cause a denial of service or execute arbitrary code via a crafted file.

Hello,  
A heap-buffer-overflow has occurred when running program MP4Box,which leads to a Deny of Service caused by dividing zero without sanity check,this can reproduce on the lattest commit.  
System info：  
Ubuntu 20.04.1 : clang 10.0.0 , gcc 9.3.0

poc.zip

file: media.c  
function:gf\_isom\_get\_3gpp\_audio\_esd  
line: 105  
As below code shows:

    97		gf_bs_write_data(bs, "\x41\x6D\x7F\x5E\x15\xB1\xD0\x11\xBA\x91\x00\x80\x5F\xB4\xB9\x7E", 16);
    98		gf_bs_write_u16_le(bs, 1);
    99		memset(szName, 0, 80);
    100		strcpy(szName, "QCELP-13K(GPAC-emulated)");
    101		gf_bs_write_data(bs, szName, 80);
    102		ent = &stbl->TimeToSample->entries[0];
    103		sample_rate = entry->samplerate_hi;
    104		block_size = ent ? ent->sampleDelta : 160;
    105		gf_bs_write_u16_le(bs, 8*sample_size*sample_rate/block_size);      <------ block_size can be zero
    106		gf_bs_write_u16_le(bs, sample_size);
    107		gf_bs_write_u16_le(bs, block_size);
    108		gf_bs_write_u16_le(bs, sample_rate);
    109		gf_bs_write_u16_le(bs, entry->bitspersample);
    110		gf_bs_write_u32_le(bs, sample_size ? 0 : 7);
    

Verification steps：  
1.Get the source code of gpac  
2.Compile

    cd gpac-master
    CC=gcc CXX=g++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" ./configure
    make
    

3.run MP4Box

    ./MP4Box -hint poc -out /dev/null
    

In Command line:

    [iso file] Unknown box type esJs in parent enca
    [iso file] Unknown box type stts in parent enca
    [iso file] Box "enca" (start 1455) has 5 extra bytes
    [iso file] Box "enca" is larger than container box
    [iso file] Box "stsd" size 171 (start 1439) invalid (read 192)
    Floating point exception
    

gdb info

![1625476927(1)](https://user-images.githubusercontent.com/83855894/124471055-ffd3bc80-ddce-11eb-8902-1e7c60e568bb.png)

asan info

    =================================================================
    ==967870==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001874 at pc 0x7f3a53c0836c bp 0x7ffcce36e790 sp 0x7ffcce36e780
    READ of size 4 at 0x602000001874 thread T0
        #0 0x7f3a53c0836b in gf_isom_get_3gpp_audio_esd isomedia/media.c:104
        #1 0x7f3a53c0836b in Media_GetESD isomedia/media.c:330
        #2 0x7f3a53b1ac04 in gf_isom_get_decoder_config isomedia/isom_read.c:1329
        #3 0x7f3a53b56d2e in gf_isom_guess_specification isomedia/isom_read.c:4035
        #4 0x5602827ad1d1 in HintFile /home/.../gpac/gpac-master-A/applications/mp4box/main.c:3379
        #5 0x5602827c4d54 in mp4boxMain /home/.../gpac/gpac-master-A/applications/mp4box/main.c:6297
        #6 0x7f3a52d080b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #7 0x560282777f1d in _start (/home/.../gpac/gpac-master-A/bin/gcc/MP4Box+0x48f1d)
    
    0x602000001874 is located 3 bytes to the right of 1-byte region [0x602000001870,0x602000001871)
    allocated by thread T0 here:
        #0 0x7f3a55be6bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
        #1 0x7f3a539e10ec in stts_box_read isomedia/box_code_base.c:5788
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow isomedia/media.c:104 in gf_isom_get_3gpp_audio_esd
    Shadow bytes around the buggy address:
      0x0c047fff82b0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
      0x0c047fff82c0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa 00 00
      0x0c047fff82d0: fa fa 01 fa fa fa 00 00 fa fa 00 00 fa fa 00 00
      0x0c047fff82e0: fa fa 00 00 fa fa 01 fa fa fa 00 00 fa fa 00 00
      0x0c047fff82f0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
    =>0x0c047fff8300: fa fa 00 00 fa fa 00 fa fa fa 00 00 fa fa[01]fa
      0x0c047fff8310: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 fa
      0x0c047fff8320: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
      0x0c047fff8330: fa fa 01 fa fa fa 00 00 fa fa 00 00 fa fa 00 00
      0x0c047fff8340: fa fa 00 00 fa fa fd fd fa fa fd fd fa fa fd fd
      0x0c047fff8350: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==967870==ABORTING

CVE-2021-36414: heap buffer overflow issue with gpac MP4Box · Issue #1840 · gpac/gpac

A heap-based buffer overflow vulnerability exists in MP4Box in GPAC 1.0.1 via the gp_rtp_builder_do_mpeg12_video function, which allows attackers to possibly have unspecified other impact via a crafted file in the MP4Box command,

Hello,  
A heap-buffer-overflow has occurred when running program MP4Box,this can reproduce on the lattest commit.  
System info：  
Ubuntu 20.04.1 : clang 10.0.0 , gcc 9.3.0

poc1.zip

Verification steps：  
1.Get the source code of gpac  
2.Compile

    cd gpac-master
    CC=gcc CXX=g++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" ./configure
    make
    

3.run MP4Box

    ./MP4Box -hint poc -out /dev/null
    

asan info

    =================================================================
    ==2631249==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001bd4 at pc 0x7f2ac7fe5b9b bp 0x7ffc4389ba70 sp 0x7ffc4389ba60
    READ of size 1 at 0x602000001bd4 thread T0
        #0 0x7f2ac7fe5b9a in gp_rtp_builder_do_mpeg12_video ietf/rtp_pck_mpeg12.c:156
        #1 0x7f2ac889948a in gf_hinter_track_process media_tools/isom_hinter.c:808
        #2 0x559f0eb8ae2b in HintFile /home/.../gpac/gpac-master/applications/mp4box/main.c:3499
        #3 0x559f0eba1d54 in mp4boxMain /home/.../gpac/gpac-master/applications/mp4box/main.c:6297
        #4 0x7f2ac74d10b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #5 0x559f0eb54f1d in _start (/home/.../gpac/gpac-master/bin/gcc/MP4Boxfl+0x48f1d)
    
    0x602000001bd4 is located 0 bytes to the right of 4-byte region [0x602000001bd0,0x602000001bd4)
    allocated by thread T0 here:
        #0 0x7f2aca3afbc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
        #1 0x7f2ac83d56cd in Media_GetSample isomedia/media.c:617
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow ietf/rtp_pck_mpeg12.c:156 in gp_rtp_builder_do_mpeg12_video
    Shadow bytes around the buggy address:
      0x0c047fff8320: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
      0x0c047fff8330: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
      0x0c047fff8340: fa fa fd fd fa fa fd fd fa fa fd fa fa fa 00 00
      0x0c047fff8350: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
      0x0c047fff8360: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
    =>0x0c047fff8370: fa fa 00 00 fa fa 00 00 fa fa[04]fa fa fa fa fa
      0x0c047fff8380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff83a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff83b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff83c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2631249==ABORTING
    

source code of rtp\_pck\_mpeg12.c

    143 max_pck_size = builder->Path_MTU - 4;
    144
    145	payload = data + offset;
    146	pic_type = (payload[1] >> 3) & 0x7;
    147	/*first 6 bits (MBZ and T bit) not used*/
    148	/*temp ref on 10 bits*/
    149	mpv_hdr[0] = (payload[0] >> 6) & 0x3;
    150	mpv_hdr[1] = (payload[0] << 2) | ((payload[1] >> 6) & 0x3);
    151	mpv_hdr[2] = pic_type;
    152	mpv_hdr[3] = 0;
    153
    154	if ((pic_type==2) || (pic_type== 3)) {
    155		mpv_hdr[3] = (u8) ((((u32)payload[3]) << 5) & 0xf);
    156		if ((payload[4] & 0x80) != 0) mpv_hdr[3] |= 0x10;
    157		if (pic_type == 3) mpv_hdr[3] |= (payload[4] >> 3) & 0xf;
    158	}

CVE-2021-36412: A heap-buffer-overflow in function gp_rtp_builder_do_mpeg12_video · Issue #1838 · gpac/gpac

An issue was discovered in libde265 v1.0.8.There is a Heap-use-after-free in intrapred.h when decoding file using dec265.

Hello,  
A Heap-use-after-free has occurred when running program dec265  
System info：  
Ubuntu 20.04.1 : clang 10.0.0 , gcc 9.3.0

Dec265 v1.0.8

poc.zip

Verification steps：  
1.Get the source code of libde265  
2.Compile

    cd libde265
    mkdir build && cd build
    cmake ../ -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_CXX_FLAGS="fsanitize=address"
    make -j 32
    

3.run dec265

asan info

    =================================================================
    ==1538158==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000007e04 at pc 0x7efe5f2b9526 bp 0x7ffceaaa13c0 sp 0x7ffceaaa13b0
    READ of size 4 at 0x625000007e04 thread T0
        #0 0x7efe5f2b9525 in intra_border_computer<unsigned char>::fill_from_image() /home/dh/sda3/libde265-master/libde265-master/libde265/intrapred.h:552
        #1 0x7efe5f2ba6e9 in void fill_border_samples<unsigned char>(de265_image*, int, int, int, int, unsigned char*) /home/dh/sda3/libde265-master/libde265-master/libde265/intrapred.cc:260
        #2 0x7efe5f2ba6e9 in void decode_intra_prediction_internal<unsigned char>(de265_image*, int, int, IntraPredMode, unsigned char*, int, int, int) /home/dh/sda3/libde265-master/libde265-master/libde265/intrapred.cc:284
        #3 0x7efe5f2a5383 in decode_intra_prediction(de265_image*, int, int, IntraPredMode, int, int) /home/dh/sda3/libde265-master/libde265-master/libde265/intrapred.cc:335
        #4 0x7efe5f31dc52 in decode_TU /home/dh/sda3/libde265-master/libde265-master/libde265/slice.cc:3453
        #5 0x7efe5f342e76 in read_transform_unit(thread_context*, int, int, int, int, int, int, int, int, int, int, int, int) /home/dh/sda3/libde265-master/libde265-master/libde265/slice.cc:3665
        #6 0x7efe5f347191 in read_transform_tree(thread_context*, int, int, int, int, int, int, int, int, int, int, int, PredMode, unsigned char, unsigned char) /home/dh/sda3/libde265-master/libde265-master/libde265/slice.cc:3942
        #7 0x7efe5f34e119 in read_coding_unit(thread_context*, int, int, int, int) /home/dh/sda3/libde265-master/libde265-master/libde265/slice.cc:4575
        #8 0x7efe5f3548f2 in read_coding_quadtree(thread_context*, int, int, int, int) /home/dh/sda3/libde265-master/libde265-master/libde265/slice.cc:4652
        #9 0x7efe5f354357 in read_coding_quadtree(thread_context*, int, int, int, int) /home/dh/sda3/libde265-master/libde265-master/libde265/slice.cc:4635
        #10 0x7efe5f356564 in decode_substream(thread_context*, bool, bool) /home/dh/sda3/libde265-master/libde265-master/libde265/slice.cc:4741
        #11 0x7efe5f358ddb in read_slice_segment_data(thread_context*) /home/dh/sda3/libde265-master/libde265-master/libde265/slice.cc:5054
        #12 0x7efe5f23dd75 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /home/dh/sda3/libde265-master/libde265-master/libde265/decctx.cc:843
        #13 0x7efe5f240c0f in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /home/dh/sda3/libde265-master/libde265-master/libde265/decctx.cc:945
        #14 0x7efe5f241715 in decoder_context::decode_some(bool*) /home/dh/sda3/libde265-master/libde265-master/libde265/decctx.cc:730
        #15 0x7efe5f24695e in decoder_context::decode(int*) /home/dh/sda3/libde265-master/libde265-master/libde265/decctx.cc:1329
        #16 0x55990c1348fd in main /home/dh/sda3/libde265-master/libde265-master/dec265/dec265.cc:764
        #17 0x7efe5ed950b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #18 0x55990c13776d in _start (/home/dh/sda3/libde265-master/libde265-master/dec265+0xa76d)
    
    0x625000007e04 is located 1284 bytes inside of 8600-byte region [0x625000007900,0x625000009a98)
    freed by thread T0 here:
        #0 0x7efe5f6408df in operator delete(void*) (/lib/x86_64-linux-gnu/libasan.so.5+0x1108df)
        #1 0x7efe5f24b576 in std::_Sp_counted_ptr_inplace<pic_parameter_set, std::allocator<pic_parameter_set>, (__gnu_cxx::_Lock_policy)2>::_M_destroy() /usr/include/c++/9/ext/new_allocator.h:128
        #2 0x7efe5f4d996f  (/home/dh/sda3/libde265-master/libde265-master/build/libde265/liblibde265.so+0x37d96f)
    
    previously allocated by thread T0 here:
        #0 0x7efe5f63f947 in operator new(unsigned long) (/lib/x86_64-linux-gnu/libasan.so.5+0x10f947)
        #1 0x7efe5f22cf3f in std::shared_ptr<pic_parameter_set> std::make_shared<pic_parameter_set>() /usr/include/c++/9/ext/new_allocator.h:114
        #2 0x7efe5f22cf3f in decoder_context::read_pps_NAL(bitreader&) /home/dh/sda3/libde265-master/libde265-master/libde265/decctx.cc:572
        #3 0x7efe5b1ff7ff  (<unknown module>)
        #4 0x614fffffffff  (<unknown module>)
    
    SUMMARY: AddressSanitizer: heap-use-after-free /home/dh/sda3/libde265-master/libde265-master/libde265/intrapred.h:552 in intra_border_computer<unsigned char>::fill_from_image()
    Shadow bytes around the buggy address:
      0x0c4a7fff8f70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff8f80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff8f90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff8fa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff8fb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    =>0x0c4a7fff8fc0:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff8fd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff8fe0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff8ff0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff9000: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff9010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1538158==ABORTING

CVE-2021-36408: Heap-use-after-free in intrapred.h when decoding file · Issue #299 · strukturag/libde265

An Incorrect Access Control vulnerability exists in libde265 v1.0.8 due to a SEGV in slice.cc.

Hello,  
A SEGV has occurred when running program dec265，  
System info：  
Ubuntu 20.04.1 : clang 10.0.0 , gcc 9.3.0

Dec265 v1.0.8

poc (1).zip

Verification steps：  
1.Get the source code of libde265  
2.Compile

    cd libde265
    mkdir build && cd build
    cmake ../ -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_CXX_FLAGS="fsanitize=address"
    make -j 32
    

3.run dec265(without asan)

Output

    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    WARNING: slice header invalid
    Segmentation fault(core dumped)
    
    

AddressSanitizer output

    =================================================================
    ==1960598==ERROR: AddressSanitizer: SEGV on unknown address 0x00009fff8000 (pc 0x7f65de25eac3 bp 0x61b000001c80 sp 0x7ffe41764b90 T0)
    ==1960598==The signal is caused by a READ memory access.
        #0 0x7f65de25eac2 in slice_segment_header::read(bitreader*, decoder_context*, bool*) /home/dh/sda3/libde265-master/libde265-master/libde265/slice.cc:390
        #1 0x7f65de14837a in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /home/dh/sda3/libde265-master/libde265-master/libde265/decctx.cc:626
        #2 0x7f65de14a839 in decoder_context::decode_NAL(NAL_unit*) /home/dh/sda3/libde265-master/libde265-master/libde265/decctx.cc:1230
        #3 0x7f65de14be1e in decoder_context::decode(int*) /home/dh/sda3/libde265-master/libde265-master/libde265/decctx.cc:1318
        #4 0x55d4ecf488fd in main /home/dh/sda3/libde265-master/libde265-master/dec265/dec265.cc:764
        #5 0x7f65ddc9a0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #6 0x55d4ecf4b76d in _start (/home/dh/sda3/libde265-master/libde265-master/dec265+0xa76d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/dh/sda3/libde265-master/libde265-master/libde265/slice.cc:390 in slice_segment_header::read(bitreader*, decoder_context*, bool*)
    ==1960598==ABORTING
    
    
    

gdb info

    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    WARNING: slice header invalid
    
    Program received signal SIGSEGV, Segmentation fault.
    [----------------------------------registers-----------------------------------]
    RAX: 0x0 
    RBX: 0xffffffffffffff90 
    RCX: 0x617000000090 --> 0x100000000 --> 0x0 
    RDX: 0xc2e00000013 --> 0x0 
    RSI: 0x20000000 ('')
    RDI: 0x617000000098 --> 0x100000001 --> 0x0 
    RBP: 0x61b000001c80 --> 0xbebebebe00000000 
    RSP: 0x7fffffff3570 --> 0x0 
    RIP: 0x7ffff73abac3 (<slice_segment_header::read(bitreader*, decoder_context*, bool*)+2387>:	movzx  r14d,BYTE PTR [rsi+0x7fff8000])
    R8 : 0xfffff8f8 --> 0x0 
    R9 : 0x7 
    R10: 0x9 ('\t')
    R11: 0xfffffffe6c8 --> 0x0 
    R12: 0x7ffff31ff800 --> 0xbebebebebebebebe 
    R13: 0x7fffffff3a40 --> 0x62e000078405 --> 0xbebebebebebebebe 
    R14: 0xffffe641bdb --> 0x0 
    R15: 0x555555569bd0 --> 0x7ffff31ff800 --> 0xbebebebebebebebe
    EFLAGS: 0x10216 (carry PARITY ADJUST zero sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff73abab6 <slice_segment_header::read(bitreader*, decoder_context*, bool*)+2374>:	mov    rsi,QWORD PTR [rcx+0x8]
       0x7ffff73ababa <slice_segment_header::read(bitreader*, decoder_context*, bool*)+2378>:	mov    QWORD PTR [rsp+0x10],rsi
       0x7ffff73ababf <slice_segment_header::read(bitreader*, decoder_context*, bool*)+2383>:	shr    rsi,0x3
    => 0x7ffff73abac3 <slice_segment_header::read(bitreader*, decoder_context*, bool*)+2387>:	movzx  r14d,BYTE PTR [rsi+0x7fff8000]
       0x7ffff73abacb <slice_segment_header::read(bitreader*, decoder_context*, bool*)+2395>:	test   r14b,r14b
       0x7ffff73abace <slice_segment_header::read(bitreader*, decoder_context*, bool*)+2398>:	
        je     0x7ffff73abad6 <slice_segment_header::read(bitreader*, decoder_context*, bool*)+2406>:	    je     0x7ffff73abad6 <slice_segment_header::read(bitreader*, decoder_context*, bool*)+2406>
       0x7ffff73abad0 <slice_segment_header::read(bitreader*, decoder_context*, bool*)+2400>:	
        jle    0x7ffff73b31dc <slice_segment_header::read(bitreader*, decoder_context*, bool*)+32876>:	    jle    0x7ffff73b31dc <slice_segment_header::read(bitreader*, decoder_context*, bool*)+32876>
       0x7ffff73abad6 <slice_segment_header::read(bitreader*, decoder_context*, bool*)+2406>:	mov    rax,QWORD PTR [rsp+0x10]
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffff3570 --> 0x0 
    0008| 0x7fffffff3578 --> 0x621000000100 --> 0x7ffff7565f30 --> 0x7ffff72719e0 (<decoder_context::~decoder_context()>:	endbr64)
    0016| 0x7fffffff3580 --> 0x100000001 --> 0x0 
    0024| 0x7fffffff3588 --> 0x61b000001c88 --> 0x617000000090 --> 0x100000000 --> 0x0 
    0032| 0x7fffffff3590 --> 0x7fffffff3780 --> 0x0 
    0040| 0x7fffffff3598 --> 0x7fffffff3620 --> 0x41b58ab3 
    0048| 0x7fffffff35a0 --> 0x61b000001ca0 --> 0xbebebe00 --> 0x0 
    0056| 0x7fffffff35a8 --> 0xfffffffe6c4 --> 0x0 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    0x00007ffff73abac3 in slice_segment_header::read (
        this=this@entry=0x61b000001c80, br=br@entry=0x7fffffff3a40, 
        ctx=ctx@entry=0x621000000100, 
        continueDecoding=continueDecoding@entry=0x7fffffff3780)
        at /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/slice.cc:390
    390	  if (!sps->sps_read) {
    
    

**This issue will cause Denial of Service attacks**

Tag

#ubuntu