
heap-buffer-overflow in setCtbAddrFromTS when decoding file

Open · leonzhao7 opened this issue · 1 comment


I found some problems during fuzzing.

Test Version

dev version, git clone https://github.com/strukturag/libde265

Test Environment

root@ubuntu:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.6 LTS
Release:        16.04
Codename:       xenial

root@ubuntu:~# uname -a
Linux ubuntu 4.15.0-45-generic #48~16.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Test Configure

./configure
configure: ---------------------------------------
configure: Building dec265 example: yes
configure: Building sherlock265 example: no
configure: Building encoder: yes
configure: ---------------------------------------

Test Program

dec265 [infile]

Asan Output

root@ubuntu:~/afl/libde265/out# /opt/asan/bin/dec265 libde265-setCtbAddrFromTS-heap_overflow.crash
WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
WARNING: pps header invalid
WARNING: pps header invalid
WARNING: non-existing PPS referenced
WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
WARNING: pps header invalid
WARNING: CTB outside of image area (concealing stream error...)
WARNING: pps header invalid
WARNING: pps header invalid
WARNING: CTB outside of image area (concealing stream error...)
WARNING: pps header invalid
WARNING: CTB outside of image area (concealing stream error...)
WARNING: pps header invalid
WARNING: CTB outside of image area (concealing stream error...)
WARNING: pps header invalid
WARNING: CTB outside of image area (concealing stream error...)
WARNING: pps header invalid
WARNING: pps header invalid
WARNING: CTB outside of image area (concealing stream error...)
WARNING: pps header invalid
WARNING: pps header invalid
WARNING: CTB outside of image area (concealing stream error...)
WARNING: pps header invalid
WARNING: CTB outside of image area (concealing stream error...)
WARNING: pps header invalid
WARNING: CTB outside of image area (concealing stream error...)
WARNING: pps header invalid
WARNING: CTB outside of image area (concealing stream error...)
WARNING: pps header invalid
WARNING: CTB outside of image area (concealing stream error...)
WARNING: CTB outside of image area (concealing stream error...)
WARNING: CTB outside of image area (concealing stream error...)
WARNING: pps header invalid
WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
WARNING: CTB outside of image area (concealing stream error...)
WARNING: slice header invalid
WARNING: pps header invalid
WARNING: invalid chroma format in SPS header
WARNING: CTB outside of image area (concealing stream error...)
WARNING: coded parameter out of range
WARNING: non-existing PPS referenced
=================================================================
==32217==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000c1bc at pc 0x000000471e20 bp 0x7ffd8560e150 sp 0x7ffd8560e140
READ of size 4 at 0x60400000c1bc thread T0
    #0 0x471e1f in setCtbAddrFromTS(thread_context*) /root/src/libde265/libde265/slice.cc:2671
    #1 0x47211a in advanceCtbAddr(thread_context*) /root/src/libde265/libde265/slice.cc:2691
    #2 0x47c2a2 in decode_substream(thread_context*, bool, bool) /root/src/libde265/libde265/slice.cc:4782
    #3 0x47db9f in read_slice_segment_data(thread_context*) /root/src/libde265/libde265/slice.cc:5049
    #4 0x40bf17 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:843
    #5 0x40c6d7 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:945
    #6 0x40b589 in decoder_context::decode_some(bool*) /root/src/libde265/libde265/decctx.cc:730
    #7 0x40b2f2 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:688
    #8 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
    #9 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
    #10 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
    #11 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
    #12 0x7fb91741082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x402b28 in _start (/opt/asan/bin/dec265+0x402b28)

0x60400000c1bc is located 0 bytes to the right of 44-byte region [0x60400000c190,0x60400000c1bc)
allocated by thread T0 here:
    #0 0x7fb918311532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
    #1 0x42447e in __gnu_cxx::new_allocator<int>::allocate(unsigned long, void const*) /usr/include/c++/5/ext/new_allocator.h:104
    #2 0x422d9c in std::allocator_traits<std::allocator<int> >::allocate(std::allocator<int>&, unsigned long) /usr/include/c++/5/bits/alloc_traits.h:491
    #3 0x420d4f in std::_Vector_base<int, std::allocator<int> >::_M_allocate(unsigned long) /usr/include/c++/5/bits/stl_vector.h:170
    #4 0x455ef8 in std::vector<int, std::allocator<int> >::_M_default_append(unsigned long) /usr/include/c++/5/bits/vector.tcc:557
    #5 0x455c0c in std::vector<int, std::allocator<int> >::resize(unsigned long) /usr/include/c++/5/bits/stl_vector.h:676
    #6 0x451460 in pic_parameter_set::set_derived_values(seq_parameter_set const*) /root/src/libde265/libde265/pps.cc:586
    #7 0x450649 in pic_parameter_set::read(bitreader*, decoder_context*) /root/src/libde265/libde265/pps.cc:528
    #8 0x40a562 in decoder_context::read_pps_NAL(bitreader&) /root/src/libde265/libde265/decctx.cc:574
    #9 0x40dc78 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1244
    #10 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
    #11 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
    #12 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
    #13 0x7fb91741082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/src/libde265/libde265/slice.cc:2671 setCtbAddrFromTS(thread_context*)
==32217==ABORTING

POC file

libde265-setCtbAddrFromTS-heap_overflow.zip password: leon.zhao.7

CREDIT

Zhao Liang, Huawei Weiran Labs [email protected]

leonzhao7, Dec 31 '19 08:12
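The trace above shows a 4-byte read exactly at the end of a 44-byte std::vector<int> (eleven entries) that pps.cc sized from the parameter set, indexed from a slice whose CTB address had already been reported as outside the image area. As an added illustration, not libde265's own code, the constructed C++ below builds a CTB mapping table the same way (resize from the derived picture size; a hypothetical 176x16 picture with 16-pixel CTBs, chosen so the table also holds eleven ints) and shows a fail-closed lookup that refuses an address at or past the table's end instead of reading into the redzone.

```cpp
// Constructed illustration, not libde265 code. Names follow the HEVC spec
// (PicSizeInCtbsY, CtbAddrRsToTs); the structures are stand-ins.
#include <cstddef>
#include <cstdio>
#include <vector>

// Number of CTBs in a picture: ceil(width/ctb) * ceil(height/ctb).
static int pic_size_in_ctbs(int width, int height, int ctb_size) {
    int w = (width  + ctb_size - 1) / ctb_size;
    int h = (height + ctb_size - 1) / ctb_size;
    return w * h;
}

// Build the CTB-address map for a single-tile picture (identity mapping).
// Streams with tiles permute this, which is why the table exists at all.
// The resize-from-derived-size step mirrors the allocating frame in the trace.
static std::vector<int> build_ctb_addr_map(int pic_size_in_ctbs_y) {
    std::vector<int> map;
    map.resize(pic_size_in_ctbs_y);
    for (int i = 0; i < pic_size_in_ctbs_y; ++i) map[i] = i;
    return map;
}

// Checked lookup: a CTB address that does not fit the table the active PPS
// was built for is an error, never an index. Returns false on rejection.
static bool ctb_addr_ts_to_rs(const std::vector<int>& map, int ctb_addr_ts, int* rs_out) {
    if (ctb_addr_ts < 0 || static_cast<std::size_t>(ctb_addr_ts) >= map.size()) {
        return false;                 // the unchecked form: map[ctb_addr_ts]
    }
    *rs_out = map[ctb_addr_ts];
    return true;
}

int main() {
    // Hypothetical 176x16 picture, 16-pixel CTBs: 11 CTBs, a 44-byte table.
    int n = pic_size_in_ctbs(176, 16, 16);
    std::vector<int> map = build_ctb_addr_map(n);
    int rs = -1;
    // Index 11 is the slot "0 bytes to the right" of the 44-byte region.
    bool ok_last = ctb_addr_ts_to_rs(map, n - 1, &rs);
    bool ok_past = ctb_addr_ts_to_rs(map, n, &rs);
    std::printf("entries=%d bytes=%zu last_ok=%d past_end_ok=%d\n",
                n, map.size() * sizeof(int), ok_last, ok_past);
    return 0;
}
```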

The issue apparently is fixed in the current tip (6751f4e3c8c7af63d0036fedd506b7932630773c). I didn't search for the exact commit.

farindk, Jan 24 '23 18:01