Red Hat Security Advisory 2021-3759-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.9.0. Issues addressed include bypass, denial of service, and information leakage vulnerabilities.

Red Hat Security Advisory 2021-3759-01

Red Hat Security Advisory 2021-3758-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.9.0. Issues addressed include memory exhaustion and use-after-free vulnerabilities.

Red Hat Security Advisory 2021-3758-01

An issue was discovered in fig2dev before 3.2.8.. A NULL pointer dereference exists in the function compute_closed_spline() located in trans_spline.c. It allows an attacker to cause Denial of Service. The fixed version of fig2dev is 3.2.8.

**System info**

Ubuntu x86\_64, clang 6.0, fig2dev (latest master 3a578b)

**Configure**

CFLAGS="-g -fsanitize=address" LDFLAGS="-fsanitize=address" ./configure

**Command line**

./fig2dev/fig2dev -L pdf -G .25:1cm -j -m 2 -N -P -x 3 -y 4 @@ /dev/null

**AddressSanitizer output**

AddressSanitizer:DEADLYSIGNAL
\=================================================================
\==52196\==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x00000054d8d6 bp 0x0ff24e6480f7 sp 0x7ffd3a3d31a0 T0)
\==52196\==The signal is caused by a READ memory access.
\==52196\==Hint: address points to the zero page.
    #0 0x54d8d5 in compute\_closed\_spline /home/seviezhou/fig2dev/fig2dev/trans\_spline.c
    #1 0x54e1b8 in create\_line\_with\_spline /home/seviezhou/fig2dev/fig2dev/trans\_spline.c:495:29
    #2 0x541fb7 in read\_splineobject /home/seviezhou/fig2dev/fig2dev/read.c:1360:10
    #3 0x538e22 in read\_objects /home/seviezhou/fig2dev/fig2dev/read.c:419:16
    #4 0x538e22 in readfp\_fig /home/seviezhou/fig2dev/fig2dev/read.c:151
    #5 0x5369eb in read\_fig /home/seviezhou/fig2dev/fig2dev/read.c:123:10
    #6 0x52c27e in main /home/seviezhou/fig2dev/fig2dev/fig2dev.c:423:12
    #7 0x7f92718bfb96 in \_\_libc\_start\_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc\-start.c:310
    #8 0x41b6f9 in \_start (/home/seviezhou/fig2dev/fig2dev/fig2dev+0x41b6f9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/seviezhou/fig2dev/fig2dev/trans\_spline.c in compute\_closed\_spline
\==52196\==ABORTING

CVE-2021-32280: Xfig / Tickets / #107 A Segmentation fault in trans_spline.c

An issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow.

Dear Developers,  
I found a heap-buffer-overflow in captoinfo.c:321:12, detailed system information and build configuration is as follows, the poc is in the mail attachment.

\## System info

Ubuntu X64, gcc (Ubuntu 5.5.0-12ubuntu1), ncurses (latest master label v6\_2\_20200801)

\## Configure

CFLAGS="-g -fsanitize=address" LDFLAGS="-fsanitize=address" ./configure --enable-static

\## Command line

./progs/tic -o /tmp @@

\## AddressSanitizer output

\`\`\`  
\=================================================================  
\==18977==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000002500 at pc 0x000000570883 bp 0x7ffd25a79bd0 sp 0x7ffd25a79bc8  
READ of size 1 at 0x621000002500 thread T0  
    #0 0x570882 in \_nc\_captoinfo /home/seviezhou/ncurses/ncurses/../ncurses/./tinfo/captoinfo.c:321:12  
    #1 0x588e16 in \_nc\_parse\_entry /home/seviezhou/ncurses/ncurses/../ncurses/./tinfo/parse\_entry.c:548:13  
    #2 0x57c076 in \_nc\_read\_entry\_source /home/seviezhou/ncurses/ncurses/../ncurses/./tinfo/comp\_parse.c:226:6  
    #3 0x517a0d in main /home/seviezhou/ncurses/progs/../progs/tic.c:963:5  
    #4 0x7f424829183f in \_\_libc\_start\_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291  
    #5 0x41a9f8 in \_start (/home/seviezhou/ncurses/progs/tic+0x41a9f8)

0x621000002500 is located 0 bytes to the right of 4096-byte region \[0x621000001500,0x621000002500)  
allocated by thread T0 here:  
    #0 0x4dec08 in \_\_interceptor\_malloc /home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/asan/asan\_malloc\_linux.cc:88  
    #1 0x580f32 in \_nc\_get\_token /home/seviezhou/ncurses/ncurses/../ncurses/./tinfo/comp\_scan.c:448:16  
    #2 0x586031 in \_nc\_parse\_entry /home/seviezhou/ncurses/ncurses/../ncurses/./tinfo/parse\_entry.c:265:18  
    #3 0x57c076 in \_nc\_read\_entry\_source /home/seviezhou/ncurses/ncurses/../ncurses/./tinfo/comp\_parse.c:226:6  
    #4 0x517a0d in main /home/seviezhou/ncurses/progs/../progs/tic.c:963:5  
    #5 0x7f424829183f in \_\_libc\_start\_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/seviezhou/ncurses/ncurses/../ncurses/./tinfo/captoinfo.c:321:12 in \_nc\_captoinfo  
Shadow bytes around the buggy address:  
  0x0c427fff8450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  0x0c427fff8460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  0x0c427fff8470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  0x0c427fff8480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
  0x0c427fff8490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
\=>0x0c427fff84a0:\[fa\]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0c427fff84b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0c427fff84c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0c427fff84d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0c427fff84e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
  0x0c427fff84f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
  Addressable:           00  
  Partially addressable: 01 02 03 04 05 06 07  
  Heap left redzone:       fa  
  Freed heap region:       fd  
  Stack left redzone:      f1  
  Stack mid redzone:       f2  
  Stack right redzone:     f3  
  Stack after return:      f5  
  Stack use after scope:   f8  
  Global redzone:          f9  
  Global init order:       f6  
  Poisoned by user:        f7  
  Container overflow:      fc  
  Array cookie:            ac  
  Intra object redzone:    bb  
  ASan internal:           fe  
  Left alloca redzone:     ca  
  Right alloca redzone:    cb  
\==18977==ABORTING  
\`\`\`

CVE-2021-39537: A heap-buffer-overflow in captoinfo.c:321:12

An issue was discovered in gpac through 20200801. A NULL pointer dereference exists in the function ilst_item_box_dump located in box_dump.c. It allows an attacker to cause Denial of Service.

**System info**

Ubuntu x86\_64, gcc (Ubuntu 5.5.0-12ubuntu1), MP4Box (latest master 2aa266)

**Configure**

CFLAGS="-g -fsanitize=address" LDFLAGS="-fsanitize=address" ./configure --static-mp4box

**Command line**

./bin/gcc/MP4Box -diso -out /dev/null @@

**AddressSanitizer output**

    ASAN:SIGSEGV
    =================================================================
    ==77583==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000038 (pc 0x555d67a9030a bp 0x61600000cf80 sp 0x7ffc245f5240 T0)
        #0 0x555d67a90309 in ilst_item_box_dump isomedia/box_dump.c:3641
        #1 0x555d67ac2749 in gf_isom_box_dump isomedia/box_funcs.c:1923
        #2 0x555d67a6caba in gf_isom_dump isomedia/box_dump.c:135
        #3 0x555d67449ce9 in dump_isom_xml /home/seviezhou/gpac/applications/mp4box/filedump.c:1670
        #4 0x555d6741afa4 in mp4boxMain /home/seviezhou/gpac/applications/mp4box/main.c:5548
        #5 0x7fe303b6bb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
        #6 0x555d673f8f09 in _start (/home/seviezhou/gpac/bin/gcc/MP4Box+0x27ff09)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV isomedia/box_dump.c:3641 ilst_item_box_dump
    ==77583==ABORTING
    

**POC**

SEGV-ilst\_item\_box\_dump-box\_dump-3641.zip

CVE-2021-32269: A Segmentation fault in box_dump.c:3641 · Issue #1574 · gpac/gpac

libde265 v1.0.4 contains a heap buffer overflow in the put_epel_hv_fallback function, which can be exploited via a crafted a file.

**heap-buffer-overflow in put\_epel\_hv\_fallback when decoding file**

I found some problems during fuzzing

**Test Version**

dev version, git clone https://github.com/strukturag/libde265

**Test Environment**

root@ubuntu:~# lsb\_release -a  
No LSB modules are available.  
Distributor ID: Ubuntu  
Description: Ubuntu 16.04.6 LTS  
Release: 16.04  
Codename: xenial

**Test Configure**

./configure  
configure: ---------------------------------------  
configure: Building dec265 example: yes  
configure: Building sherlock265 example: no  
configure: Building encoder: yes  
configure: ---------------------------------------

**Test Program**

dec265 [infile]

**Asan Output**

    root@ubuntu:~# /opt/asan/bin/dec265 libde265-put_epel_hv_fallback-heap_overflow.crash
    WARNING: pps header invalid
    =================================================================
    ==51241==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62f00001c3b8 at pc 0x0000004354cc bp 0x7fffea7fb3d0 sp 0x7fffea7fb3c0
    READ of size 2 at 0x62f00001c3b8 thread T0
        #0 0x4354cb in void put_epel_hv_fallback<unsigned short>(short*, long, unsigned short const*, long, int, int, int, int, short*, int) /root/src/libde265/libde265/fallback-motion.cc:348
        #1 0x52c1cc in acceleration_functions::put_hevc_epel_v(short*, long, void const*, long, int, int, int, int, short*, int) const ../libde265/acceleration.h:318
        #2 0x52ebed in void mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) /root/src/libde265/libde265/motion.cc:264
        #3 0x51fb8b in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) /root/src/libde265/libde265/motion.cc:390
        #4 0x52b8f9 in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /root/src/libde265/libde265/motion.cc:2107
        #5 0x478f4a in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int) /root/src/libde265/libde265/slice.cc:4137
        #6 0x47a7d3 in read_coding_unit(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4496
        #7 0x47b6fe in read_coding_quadtree(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4647
        #8 0x47b53f in read_coding_quadtree(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4630
        #9 0x47b5ac in read_coding_quadtree(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4633
        #10 0x47338a in read_coding_tree_unit(thread_context*) /root/src/libde265/libde265/slice.cc:2861
        #11 0x47beb1 in decode_substream(thread_context*, bool, bool) /root/src/libde265/libde265/slice.cc:4736
        #12 0x47db9f in read_slice_segment_data(thread_context*) /root/src/libde265/libde265/slice.cc:5049
        #13 0x40bf17 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:843
        #14 0x40c6d7 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:945
        #15 0x40b589 in decoder_context::decode_some(bool*) /root/src/libde265/libde265/decctx.cc:730
        #16 0x40b2f2 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:688
        #17 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
        #18 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
        #19 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
        #20 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
        #21 0x7f5bb73aa82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #22 0x402b28 in _start (/opt/asan/bin/dec265+0x402b28)
    
    0x62f00001c3b8 is located 72 bytes to the left of 50704-byte region [0x62f00001c400,0x62f000028a10)
    allocated by thread T0 here:
        #0 0x7f5bb82ab076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
        #1 0x43e00d in ALLOC_ALIGNED /root/src/libde265/libde265/image.cc:54
        #2 0x43e725 in de265_image_get_buffer /root/src/libde265/libde265/image.cc:132
        #3 0x440639 in de265_image::alloc_image(int, int, de265_chroma, std::shared_ptr<seq_parameter_set const>, bool, decoder_context*, long, void*, bool) /root/src/libde265/libde265/image.cc:384
        #4 0x43afa4 in decoded_picture_buffer::new_image(std::shared_ptr<seq_parameter_set const>, decoder_context*, long, void*, bool) /root/src/libde265/libde265/dpb.cc:262
        #5 0x40ee8b in decoder_context::generate_unavailable_reference_picture(seq_parameter_set const*, int, bool) /root/src/libde265/libde265/decctx.cc:1418
        #6 0x411722 in decoder_context::process_reference_picture_set(slice_segment_header*) /root/src/libde265/libde265/decctx.cc:1648
        #7 0x414cc9 in decoder_context::process_slice_segment_header(slice_segment_header*, de265_error*, long, nal_header*, void*) /root/src/libde265/libde265/decctx.cc:2066
        #8 0x40acad in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:639
        #9 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
        #10 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
        #11 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
        #12 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
        #13 0x7f5bb73aa82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /root/src/libde265/libde265/fallback-motion.cc:348 void put_epel_hv_fallback<unsigned short>(short*, long, unsigned short const*, long, int, int, int, int, short*, int)
    Shadow bytes around the buggy address:
      0x0c5e7fffb820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c5e7fffb830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c5e7fffb840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c5e7fffb850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c5e7fffb860: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c5e7fffb870: fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa
      0x0c5e7fffb880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5e7fffb890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5e7fffb8a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5e7fffb8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5e7fffb8c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==51241==ABORTING
    

**POC file**

libde265-put\_epel\_hv\_fallback-heap\_overflow.zip  
libde265-put\_epel\_hv\_fallback-heap\_overflow2.zip  
password: leon.zhao.7

**CREDIT**

Zhao Liang, Huawei Weiran Labs

CVE-2020-21594: heap-buffer-overflow in put_epel_hv_fallback when decoding file · Issue #233 · strukturag/libde265

libde265 v1.0.4 contains a heap buffer overflow in the ff_hevc_put_unweighted_pred_8_sse function, which can be exploited via a crafted a file.

**heap-buffer-overflow in ff\_hevc\_put\_unweighted\_pred\_8\_sse when decoding file**

I found some problems during fuzzing

**Test Version**

dev version, git clone https://github.com/strukturag/libde265

**Test Environment**

root@ubuntu:~# lsb\_release -a  
No LSB modules are available.  
Distributor ID: Ubuntu  
Description: Ubuntu 16.04.6 LTS  
Release: 16.04  
Codename: xenial

root@ubuntu:\# uname -a  
Linux ubuntu 4.15.0-45-generic #4816.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86\_64 x86\_64 x86\_64 GNU/Linux

**Test Configure**

./configure  
configure: ---------------------------------------  
configure: Building dec265 example: yes  
configure: Building sherlock265 example: no  
configure: Building encoder: yes  
configure: ---------------------------------------

**Test Program**

dec265 [infile]

**Asan Output**

    root@ubuntu:~# ./dec265 libde265-ff_hevc_put_unweighted_pred_8_sse-heap_overflow.crash
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: CTB outside of image area (concealing stream error...)
    =================================================================
    ==69912==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e00000fc30 at pc 0x0000004cc8bf bp 0x7ffc1997ee70 sp 0x7ffc1997ee60
    WRITE of size 4 at 0x61e00000fc30 thread T0
        #0 0x4cc8be in ff_hevc_put_unweighted_pred_8_sse(unsigned char*, long, short const*, long, int, int) /root/src/libde265/libde265/x86/sse-motion.cc:149
        #1 0x52bc86 in acceleration_functions::put_unweighted_pred(void*, long, short const*, long, int, int, int) const ../libde265/acceleration.h:260
        #2 0x521301 in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) /root/src/libde265/libde265/motion.cc:578
        #3 0x52b8f9 in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /root/src/libde265/libde265/motion.cc:2107
        #4 0x478f4a in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int) /root/src/libde265/libde265/slice.cc:4137
        #5 0x47a704 in read_coding_unit(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4492
        #6 0x47b6fe in read_coding_quadtree(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4647
        #7 0x47b611 in read_coding_quadtree(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4636
        #8 0x47b53f in read_coding_quadtree(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4630
        #9 0x47338a in read_coding_tree_unit(thread_context*) /root/src/libde265/libde265/slice.cc:2861
        #10 0x47beb1 in decode_substream(thread_context*, bool, bool) /root/src/libde265/libde265/slice.cc:4736
        #11 0x47db9f in read_slice_segment_data(thread_context*) /root/src/libde265/libde265/slice.cc:5049
        #12 0x40bf17 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:843
        #13 0x40c6d7 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:945
        #14 0x40b589 in decoder_context::decode_some(bool*) /root/src/libde265/libde265/decctx.cc:730
        #15 0x40b2f2 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:688
        #16 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
        #17 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
        #18 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
        #19 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
        #20 0x7f931534a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #21 0x402b28 in _start (/root/dec265+0x402b28)
    
    AddressSanitizer can not describe address in more detail (wild memory access suspected).
    SUMMARY: AddressSanitizer: heap-buffer-overflow /root/src/libde265/libde265/x86/sse-motion.cc:149 ff_hevc_put_unweighted_pred_8_sse(unsigned char*, long, short const*, long, int, int)
    Shadow bytes around the buggy address:
      0x0c3c7fff9f30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c3c7fff9f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c3c7fff9f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c3c7fff9f60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c3c7fff9f70: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c3c7fff9f80: fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa
      0x0c3c7fff9f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c3c7fff9fa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c3c7fff9fb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c3c7fff9fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c3c7fff9fd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==69912==ABORTING
    

**POC file**

libde265-ff\_hevc\_put\_unweighted\_pred\_8\_sse-heap\_overflow.zip  
password: leon.zhao.7

**CREDIT**

Zhao Liang, Huawei Weiran Labs

CVE-2020-21598: heap-buffer-overflow in ff_hevc_put_unweighted_pred_8_sse when decoding file · Issue #237 · strukturag/libde265

libde265 v1.0.4 contains a heap buffer overflow fault in the put_epel_16_fallback function, which can be exploited via a crafted a file.

CVE-2020-21606: heap-buffer-overflow in put_epel_16_fallback when decoding file · Issue #232 · strukturag/libde265

libde265 v1.0.4 contains a heap buffer overflow in the mc_chroma function, which can be exploited via a crafted a file.

**heap-buffer-overflow in mc\_chroma when decoding file**

I found some problems during fuzzing

**Test Version**

dev version, git clone https://github.com/strukturag/libde265

**Test Environment**

root@ubuntu:~# lsb\_release -a  
No LSB modules are available.  
Distributor ID: Ubuntu  
Description: Ubuntu 16.04.6 LTS  
Release: 16.04  
Codename: xenial

root@ubuntu:\# uname -a  
Linux ubuntu 4.15.0-45-generic #4816.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86\_64 x86\_64 x86\_64 GNU/Linux

**Test Configure**

./configure  
configure: ---------------------------------------  
configure: Building dec265 example: yes  
configure: Building sherlock265 example: no  
configure: Building encoder: yes  
configure: ---------------------------------------

**Test Program**

dec265 [infile]

**Asan Output**

    root@ubuntu:~# ./dec265 libde265-mc_chroma-heap_overflow.crash
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: faulty reference picture list
    WARNING: slice segment address invalid
    WARNING: faulty reference picture list
    =================================================================
    ==78714==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001bf10 at pc 0x00000052e002 bp 0x7ffc932b5930 sp 0x7ffc932b5920
    READ of size 2 at 0x61b00001bf10 thread T0
        #0 0x52e001 in void mc_chroma<unsigned short>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned short const*, int, int, int, int) /root/src/libde265/libde265/motion.cc:244
        #1 0x51f88a in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) /root/src/libde265/libde265/motion.cc:382
        #2 0x52b8f9 in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /root/src/libde265/libde265/motion.cc:2107
        #3 0x478f4a in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int) /root/src/libde265/libde265/slice.cc:4137
        #4 0x47a704 in read_coding_unit(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4492
        #5 0x47b6fe in read_coding_quadtree(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4647
        #6 0x47338a in read_coding_tree_unit(thread_context*) /root/src/libde265/libde265/slice.cc:2861
        #7 0x47beb1 in decode_substream(thread_context*, bool, bool) /root/src/libde265/libde265/slice.cc:4736
        #8 0x47db9f in read_slice_segment_data(thread_context*) /root/src/libde265/libde265/slice.cc:5049
        #9 0x40bf17 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:843
        #10 0x40c6d7 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:945
        #11 0x40b589 in decoder_context::decode_some(bool*) /root/src/libde265/libde265/decctx.cc:730
        #12 0x40b2f2 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:688
        #13 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
        #14 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
        #15 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
        #16 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
        #17 0x7f97d894282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #18 0x402b28 in _start (/root/dec265+0x402b28)
    
    0x61b00001bf10 is located 0 bytes to the right of 1424-byte region [0x61b00001b980,0x61b00001bf10)
    allocated by thread T0 here:
        #0 0x7f97d9843076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
        #1 0x43e00d in ALLOC_ALIGNED /root/src/libde265/libde265/image.cc:54
        #2 0x43e725 in de265_image_get_buffer /root/src/libde265/libde265/image.cc:132
        #3 0x440639 in de265_image::alloc_image(int, int, de265_chroma, std::shared_ptr<seq_parameter_set const>, bool, decoder_context*, long, void*, bool) /root/src/libde265/libde265/image.cc:384
        #4 0x43afa4 in decoded_picture_buffer::new_image(std::shared_ptr<seq_parameter_set const>, decoder_context*, long, void*, bool) /root/src/libde265/libde265/dpb.cc:262
        #5 0x40ee8b in decoder_context::generate_unavailable_reference_picture(seq_parameter_set const*, int, bool) /root/src/libde265/libde265/decctx.cc:1418
        #6 0x411722 in decoder_context::process_reference_picture_set(slice_segment_header*) /root/src/libde265/libde265/decctx.cc:1648
        #7 0x414cc9 in decoder_context::process_slice_segment_header(slice_segment_header*, de265_error*, long, nal_header*, void*) /root/src/libde265/libde265/decctx.cc:2066
        #8 0x40acad in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:639
        #9 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
        #10 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
        #11 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
        #12 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
        #13 0x7f97d894282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /root/src/libde265/libde265/motion.cc:244 void mc_chroma<unsigned short>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned short const*, int, int, int, int)
    Shadow bytes around the buggy address:
      0x0c367fffb790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fffb7a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fffb7b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fffb7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fffb7d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c367fffb7e0: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c367fffb7f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c367fffb800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c367fffb810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fffb820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c367fffb830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==78714==ABORTING
    

**POC file**

libde265-mc\_chroma-heap\_overflow.zip  
password: leon.zhao.7

**CREDIT**

Zhao Liang, Huawei Weiran Labs

CVE-2020-21597: heap-buffer-overflow in mc_chroma when decoding file · Issue #238 · strukturag/libde265

libde265 v1.0.4 contains a segmentation fault in the apply_sao_internal function, which can be exploited via a crafted a file.

**segment fault in apply\_sao\_internal when decoding file**

I found some problems during fuzzing

**Test Version**

dev version, git clone https://github.com/strukturag/libde265

**Test Environment**

root@ubuntu:~# lsb\_release -a  
No LSB modules are available.  
Distributor ID: Ubuntu  
Description: Ubuntu 16.04.6 LTS  
Release: 16.04  
Codename: xenial

root@ubuntu:\# uname -a  
Linux ubuntu 4.15.0-45-generic #4816.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86\_64 x86\_64 x86\_64 GNU/Linux

**Test Configure**

./configure  
configure: ---------------------------------------  
configure: Building dec265 example: yes  
configure: Building sherlock265 example: no  
configure: Building encoder: yes  
configure: ---------------------------------------

**Test Program**

dec265 [infile]

**Asan Output**

    root@ubuntu:~# ./dec265 libde265-apply_sao_internal-segment.crash
    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    WARNING: pps header invalid
    ASAN:SIGSEGV
    =================================================================
    ==34516==ERROR: AddressSanitizer: SEGV on unknown address 0x62c02b4f5c83 (pc 0x00000045b20d bp 0x7ffc86181280 sp 0x7ffc86180f90 T0)
        #0 0x45b20c in void apply_sao_internal<unsigned short>(de265_image*, int, int, slice_segment_header const*, int, int, int, unsigned short const*, int, unsigned short*, int) /root/src/libde265/libde265/sao.cc:252
        #1 0x45973e in void apply_sao<unsigned char>(de265_image*, int, int, slice_segment_header const*, int, int, int, unsigned char const*, int, unsigned char*, int) /root/src/libde265/libde265/sao.cc:270
        #2 0x457778 in apply_sample_adaptive_offset_sequential(de265_image*) /root/src/libde265/libde265/sao.cc:361
        #3 0x413beb in decoder_context::run_postprocessing_filters_sequential(de265_image*) /root/src/libde265/libde265/decctx.cc:1889
        #4 0x40b849 in decoder_context::decode_some(bool*) /root/src/libde265/libde265/decctx.cc:769
        #5 0x40e23e in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1329
        #6 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
        #7 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
        #8 0x7f71b014282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #9 0x402b28 in _start (/root/dec265+0x402b28)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /root/src/libde265/libde265/sao.cc:252 void apply_sao_internal<unsigned short>(de265_image*, int, int, slice_segment_header const*, int, int, int, unsigned short const*, int, unsigned short*, int)
    ==34516==ABORTING
    

**POC file**

libde265-apply\_sao\_internal-segment.zip  
password: leon.zhao.7

**CREDIT**

Zhao Liang, Huawei Weiran Labs

Tag

#ubuntu