SEGV: occurred in function main at dec265.cc:813 #413

Closed
MandaCai opened this issue Jun 25, 2023 · 1 comment
Comments

@MandaCai

MandaCai commented Jun 25, 2023

Description

A SEGV occurred when running the program dec265:
NULL pointer dereference in function main at dec265.cc:813

Version

dec265  v1.0.12

git log --oneline -1
a267c847 (HEAD -> master, tag: v1.0.12, origin/master, origin/HEAD) increase version to v1.0.12

Steps to reproduce

git clone https://github.com/strukturag/libde265.git
cd libde265
./autogen.sh
export CFLAGS="-g -O0 -lpthread -fsanitize=address"
export CXXFLAGS="-g -O0 -lpthread -fsanitize=address"
export LDFLAGS="-fsanitize=address"
./configure --disable-shared
make -j
cd dec265
./dec265 -m -T poc

#total    -nan   -nan   -nan   -nan
AddressSanitizer:DEADLYSIGNAL
=================================================================
==7045==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fdb3ddc23ab bp 0x000000000000 sp 0x7ffdde83e260 T0)
==7045==The signal is caused by a READ memory access.
==7045==Hint: address points to the zero page.
    #0 0x7fdb3ddc23ab in fclose (/lib/x86_64-linux-gnu/libc.so.6+0x7e3ab)
    #1 0x7fdb3e364e98 in __interceptor_fclose ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:6243
    #2 0x7fdb3e364e98 in __interceptor_fclose ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:6238
    #3 0x56339e775292 in main /home/freec/fuzz_normal/libde265/dec265/dec265.cc:813
    #4 0x7fdb3dd6c564 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x28564)
    #5 0x56339e772ccd in _start (/home/freec/fuzz_normal/libde265/dec265/dec265+0x1accd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x7e3ab) in fclose
==7045==ABORTING

POC

poc1.zip

GDB INFO

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
#total    -nan   -nan   -nan   -nan
[----------------------------------registers-----------------------------------]
RAX: 0x24 ('$')
RBX: 0x1 
RCX: 0x1 
RDX: 0x0 
RSI: 0x0 
RDI: 0x7fffffff3910 --> 0x7ffff7b88010 (<__funlockfile>:	endbr64)
RBP: 0x55555556fae0 --> 0x7ffff7fba588 --> 0x7ffff7f635b0 (<_ZN15decoder_contextD2Ev>:	endbr64)
RSP: 0x7fffffff3e70 --> 0xfff8000000000000 
RIP: 0x555555556cf1 (<main(int, char**)+1969>:	)
R8 : 0x0 
R9 : 0x0 
R10: 0x7ffff7ccc040 --> 0x0 
R11: 0x246 
R12: 0x7fffffff3ea0 --> 0x0 
R13: 0x555555558083 ("WARNING: %s\n")
R14: 0x5555555714a0 --> 0x555555571 
R15: 0x0
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555555556ce2 <main(int, char**)+1954>:	mov    edi,0x1
   0x555555556ce7 <main(int, char**)+1959>:	mov    eax,0x4
   0x555555556cec <main(int, char**)+1964>:	call   0x5555555562c0
=> 0x555555556cf1 <main(int, char**)+1969>:	
    mov    rdi,QWORD PTR [rip+0x3648]        # 0x55555555a340 <reference_file>
   0x555555556cf8 <main(int, char**)+1976>:	call   0x555555556390
   0x555555556cfd <main(int, char**)+1981>:	
    mov    r10d,DWORD PTR [rsp+0x1c]
   0x555555556d02 <main(int, char**)+1986>:	
    jmp    0x555555556a4b <main(int, char**)+1291>
   0x555555556d07 <main(int, char**)+1991>:	mov    rdi,QWORD PTR [rsp+0x10]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff3e70 --> 0xfff8000000000000 
0008| 0x7fffffff3e78 --> 0xfff8000000000000 
0016| 0x7fffffff3e80 --> 0xfff8000000000000 
0024| 0x7fffffff3e88 --> 0x0 
0032| 0x7fffffff3e90 --> 0x6497f1f0 
0040| 0x7fffffff3e98 --> 0x767d0 
0048| 0x7fffffff3ea0 --> 0x0 
0056| 0x7fffffff3ea8 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 1, main (argc=argc@entry=0x4, argv=argv@entry=0x7fffffffdff8)
    at dec265.cc:813
813	    fclose(reference_file);
gdb-peda$ p reference_file
$2 = (FILE *) 0x0

Impact

Due to incorrect access control, a SEGV caused by a READ memory access occurred at line 813 of the code. This issue can cause a Denial of Service attack.
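The crash site is `fclose(reference_file)` at dec265.cc:813 with `reference_file == 0`. The following is an added example, not libde265's code: it reproduces that shape with a stand-in `reference_file` global (the function names and the global are assumptions) and shows the defensive pattern, failing at open time and guarding the close, so a missing reference file is reported instead of crashing in the cleanup path.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the reference_file global seen in the gdb
   session (assumption: this is example code, not dec265.cc itself). */
static FILE *reference_file = NULL;

/* Shape of the cleanup at dec265.cc:813 as reported by ASan: when the
   reference file never opened, reference_file is NULL and glibc's
   fclose reads through it (SEGV on address 0x0). Shown for contrast;
   never called here. */
static void cleanup_unguarded(void)
{
    fclose(reference_file);
}

/* Open the reference file up front and report failure immediately,
   instead of leaving a NULL for the cleanup path to trip over.
   Returns 1 on success, 0 on failure. */
static int open_reference(const char *path)
{
    reference_file = fopen(path, "rb");
    if (reference_file == NULL) {
        perror(path);
        return 0;
    }
    return 1;
}

/* Guarded cleanup: close only what was opened and clear the pointer so a
   second cleanup is harmless too.
   Returns 0 if nothing was open, 1 on a clean close, -1 if fclose failed. */
static int cleanup_guarded(void)
{
    if (reference_file == NULL)
        return 0;
    int rc = fclose(reference_file);
    reference_file = NULL;
    return rc == 0 ? 1 : -1;
}

int main(int argc, char **argv)
{
    (void)cleanup_unguarded;               /* intentionally unused */
    const char *path = argc > 1 ? argv[1] : "/nonexistent/constructed/ref.yuv";
    if (!open_reference(path))
        return EXIT_FAILURE;               /* fail fast, no decode loop */
    /* ... decoding and measurement would happen here ... */
    return cleanup_guarded() == 1 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```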

@farindk
Contributor

farindk commented Jun 25, 2023

thank you
