
heap-buffer-overflow in derive_spatial_luma_vector_prediction(base_context*, de265_image*, slice_segment_header const*, int, int, int, int, int, int, int, int, int, int, unsigned char*, MotionVector*) #429

Closed
windwithshadow opened this issue Nov 15, 2023 · 1 comment

@windwithshadow

Description

heap-buffer-overflow in derive_spatial_luma_vector_prediction(base_context*, de265_image*, slice_segment_header const*, int, int, int, int, int, int, int, int, int, int, unsigned char*, MotionVector*)

Version

$./dec265 -h
 dec265  v1.0.12
-----------------
usage: dec265 [options] videofile.bin
The video file must be a raw bitstream, or a stream with NAL units (option -n).

options:
  -q, --quiet       do not show decoded image
  -t, --threads N   set number of worker threads (0 - no threading)
  -c, --check-hash  perform hash check
  -n, --nal         input is a stream with 4-byte length prefixed NAL units
  -f, --frames N    set number of frames to process
  -o, --output      write YUV reconstruction
  -d, --dump        dump headers
  -0, --noaccel     do not use any accelerated code (SSE)
  -v, --verbose     increase verbosity level (up to 3 times)
  -L, --no-logging  disable logging
  -B, --write-bytestream FILENAME  write raw bytestream (from NAL input)
  -m, --measure YUV compute PSNRs relative to reference YUV
  -T, --highest-TID select highest temporal sublayer to decode
      --disable-deblocking   disable deblocking filter
      --disable-sao          disable sample-adaptive offset filter
  -h, --help        show help

Replay

git clone https://github.com/strukturag/libde265.git
cd libde265
mkdir build
cd build
cmake ../ -DCMAKE_CXX_FLAGS="-fsanitize=address"
make -j$(nproc)
./dec265/dec265 poc1

You'll need to try a few more times for this vulnerability to appear; it usually shows up within 20 tries.

ASAN

WARNING: non-existing PPS referenced
=================================================================
==1277113==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b000001438 at pc 0x7fc9f24d698a bp 0x7ffe70f26540 sp 0x7ffe70f26530
READ of size 4 at 0x61b000001438 thread T0
    #0 0x7fc9f24d6989 in derive_spatial_luma_vector_prediction(base_context*, de265_image*, slice_segment_header const*, int, int, int, int, int, int, int, int, int, int, unsigned char*, MotionVector*) (/root/1115/libde265/build/libde265/libde265.so+0x19e989)
    #1 0x7fc9f24d9e58 in fill_luma_motion_vector_predictors(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, int, int, int, MotionVector*) (/root/1115/libde265/build/libde265/libde265.so+0x1a1e58)
    #2 0x7fc9f24da72b in luma_motion_vector_prediction(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int, int, int) (/root/1115/libde265/build/libde265/libde265.so+0x1a272b)
    #3 0x7fc9f24db06d in motion_vectors_and_ref_indices(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int, PBMotion*) (/root/1115/libde265/build/libde265/libde265.so+0x1a306d)
    #4 0x7fc9f24db3b8 in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) (/root/1115/libde265/build/libde265/libde265.so+0x1a33b8)
    #5 0x7fc9f25186a4 in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int) (/root/1115/libde265/build/libde265/libde265.so+0x1e06a4)
    #6 0x7fc9f251a286 in read_coding_unit(thread_context*, int, int, int, int) (/root/1115/libde265/build/libde265/libde265.so+0x1e2286)
    #7 0x7fc9f251b0d1 in read_coding_quadtree(thread_context*, int, int, int, int) (/root/1115/libde265/build/libde265/libde265.so+0x1e30d1)
    #8 0x7fc9f251af7f in read_coding_quadtree(thread_context*, int, int, int, int) (/root/1115/libde265/build/libde265/libde265.so+0x1e2f7f)
    #9 0x7fc9f251afe4 in read_coding_quadtree(thread_context*, int, int, int, int) (/root/1115/libde265/build/libde265/libde265.so+0x1e2fe4)
    #10 0x7fc9f251afe4 in read_coding_quadtree(thread_context*, int, int, int, int) (/root/1115/libde265/build/libde265/libde265.so+0x1e2fe4)
    #11 0x7fc9f25126d1 in read_coding_tree_unit(thread_context*) (/root/1115/libde265/build/libde265/libde265.so+0x1da6d1)
    #12 0x7fc9f251b875 in decode_substream(thread_context*, bool, bool) (/root/1115/libde265/build/libde265/libde265.so+0x1e3875)
    #13 0x7fc9f251d5b0 in read_slice_segment_data(thread_context*) (/root/1115/libde265/build/libde265/libde265.so+0x1e55b0)
    #14 0x7fc9f2470156 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) (/root/1115/libde265/build/libde265/libde265.so+0x138156)
    #15 0x7fc9f2470959 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) (/root/1115/libde265/build/libde265/libde265.so+0x138959)
    #16 0x7fc9f246f5fd in decoder_context::decode_some(bool*) (/root/1115/libde265/build/libde265/libde265.so+0x1375fd)
    #17 0x7fc9f246f347 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) (/root/1115/libde265/build/libde265/libde265.so+0x137347)
    #18 0x7fc9f2471ea6 in decoder_context::decode_NAL(NAL_unit*) (/root/1115/libde265/build/libde265/libde265.so+0x139ea6)
    #19 0x7fc9f2472503 in decoder_context::decode(int*) (/root/1115/libde265/build/libde265/libde265.so+0x13a503)
    #20 0x7fc9f2458630 in de265_decode (/root/1115/libde265/build/libde265/libde265.so+0x120630)
    #21 0x5568ea7e8a69 in main (/root/1115/libde265/build/dec265/dec265+0x7a69)
    #22 0x7fc9f1e1e082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #23 0x5568ea7e67ed in _start (/root/1115/libde265/build/dec265/dec265+0x57ed)

0x61b000001438 is located 48 bytes to the right of 1416-byte region [0x61b000000e80,0x61b000001408)
allocated by thread T0 here:
    #0 0x7fc9f2778587 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:104
    #1 0x7fc9f246e9b5 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) (/root/1115/libde265/build/libde265/libde265.so+0x1369b5)
    #2 0x7fc9f2471ea6 in decoder_context::decode_NAL(NAL_unit*) (/root/1115/libde265/build/libde265/libde265.so+0x139ea6)
    #3 0x7fc9f2472503 in decoder_context::decode(int*) (/root/1115/libde265/build/libde265/libde265.so+0x13a503)
    #4 0x7fc9f2458630 in de265_decode (/root/1115/libde265/build/libde265/libde265.so+0x120630)
    #5 0x5568ea7e8a69 in main (/root/1115/libde265/build/dec265/dec265+0x7a69)
    #6 0x7fc9f1e1e082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/root/1115/libde265/build/libde265/libde265.so+0x19e989) in derive_spatial_luma_vector_prediction(base_context*, de265_image*, slice_segment_header const*, int, int, int, int, int, int, int, int, int, int, unsigned char*, MotionVector*)
Shadow bytes around the buggy address:
  0x0c367fff8230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fff8240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fff8250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fff8260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fff8270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c367fff8280: 00 fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa
  0x0c367fff8290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fff82a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fff82b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fff82c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fff82d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1277113==ABORTING

POC

https://github.com/windwithshadow/poc/tree/main/libde265/poc1

Environment

Ubuntu 20.04.2
gcc 9.4.0
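An added triage helper, not part of this issue or of libde265, that parses an ASan heap report like the one above into the fields a maintainer needs (bug class, access kind and size, distance past the allocated region, faulting function and the project-side allocation site) and derives a stable crash key for deduplicating repeated runs, since the reporter notes the crash only appears on some runs. The function names `triage` and `crash_key` and the trimmed sample report are constructed here.

```python
import re

# Constructed excerpt of the AddressSanitizer report quoted in the issue above
# (frames trimmed, long signatures shortened); used as offline sample input.
SAMPLE_REPORT = """\
==1277113==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b000001438 at pc 0x7fc9f24d698a bp 0x7ffe70f26540 sp 0x7ffe70f26530
READ of size 4 at 0x61b000001438 thread T0
    #0 0x7fc9f24d6989 in derive_spatial_luma_vector_prediction(base_context*, de265_image*, ...) (/root/1115/libde265/build/libde265/libde265.so+0x19e989)
    #1 0x7fc9f24d9e58 in fill_luma_motion_vector_predictors(base_context*, ...) (/root/1115/libde265/build/libde265/libde265.so+0x1a1e58)

0x61b000001438 is located 48 bytes to the right of 1416-byte region [0x61b000000e80,0x61b000001408)
allocated by thread T0 here:
    #0 0x7fc9f2778587 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:104
    #1 0x7fc9f246e9b5 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) (/root/1115/libde265/build/libde265/libde265.so+0x1369b5)
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: ([\w-]+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
# Frame lines look like "#N 0xADDR in <symbol>(...)"; capture the symbol only.
FRAME_RE = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in ([^(\n]+?)\s*\(", re.M)
LOCATION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region "
                         r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")


def triage(report):
    """Reduce an ASan heap-buffer-overflow report to the fields a maintainer needs."""
    err, acc, loc = ERROR_RE.search(report), ACCESS_RE.search(report), LOCATION_RE.search(report)
    if not (err and acc and loc):
        raise ValueError("not a recognisable ASan heap-overflow report")
    access_part, _, alloc_part = report.partition("allocated by thread")
    # Skip the allocator frame so the allocation site reported is the project's own code.
    alloc_frames = [f for f in FRAME_RE.findall(alloc_part) if not f.startswith("operator new")]
    addr = int(acc.group(3), 16)
    offset, side, region = int(loc.group(1)), loc.group(2), int(loc.group(3))
    start, end = int(loc.group(4), 16), int(loc.group(5), 16)
    # Cross-check: the faulting address must be region end + offset (or start - offset).
    expected = end + offset if side == "right" else start - offset
    return {
        "bug": err.group(1), "access": acc.group(1), "size": int(acc.group(2)),
        "region_bytes": region, "overflow_bytes": offset, "side": side,
        "address_consistent": expected == addr,
        "faulting_function": (FRAME_RE.findall(access_part) or [None])[0],
        "allocation_site": (alloc_frames or [None])[0],
    }


def crash_key(report):
    """Stable key for deduplicating one crash across repeated, non-deterministic runs."""
    t = triage(report)
    return f"{t['bug']}:{t['access']}:{t['faulting_function']}"
```

Feed it the full stderr of each run of `./dec265/dec265 poc1` under ASan and group runs by `crash_key` to tell this crash apart from any other failure that surfaces.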
@farindk (Contributor)

farindk commented Nov 20, 2023

Thank you. Should be fixed with the above commit.

@farindk farindk closed this as completed Nov 20, 2023