
heap-buffer-overflow of decctx.cc in function read_sps_NAL

Open · NigelX opened this issue 4 years ago · 1 comment

Hi,

I found a crash error.

System info: Ubuntu 20.04, clang 10.0.0, gcc 9.3.0

Dec265 v1.0.8

commit: 900772c3e9ee1e106b93283fd8e7633d52899e40

poc.zip


Verification steps:

1. Get the source code of Bento4
2. Compile Bento4

$ ./autogen.sh
$ export CFLAGS="-g -lpthread -fsanitize=address"
$ export CXXFLAGS="-g -lpthread -fsanitize=address"
$ CC=clang CXX=clang++ ./configure --disable-shared
$ make -j 32

3. Run

$ ./dec265 poc

ASan info

SPS error: transform hierarchy depth (intra) > CTB size - min TB size
=================================================================
==1547836==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000009488 at pc 0x0000005bb5df bp 0x7ffe2e473810 sp 0x7ffe2e473808
WRITE of size 1 at 0x629000009488 thread T0
    #0 0x5bb5de in video_usability_information::hrd_parameters(error_queue*, bitreader*, seq_parameter_set const*) /home/hh/Downloads/libde265/libde265/vui.cc:221:36
    #1 0x5bd5d4 in video_usability_information::read(error_queue*, bitreader*, seq_parameter_set const*) /home/hh/Downloads/libde265/libde265/vui.cc:363:13
    #2 0x593b9d in seq_parameter_set::read(error_queue*, bitreader*) /home/hh/Downloads/libde265/libde265/sps.cc:438:9
    #3 0x4d164d in decoder_context::read_sps_NAL(bitreader&) /home/hh/Downloads/libde265/libde265/decctx.cc:555:21
    #4 0x4d914b in decoder_context::decode_NAL(NAL_unit*) /home/hh/Downloads/libde265/libde265/decctx.cc:1239:13
    #5 0x4d99fb in decoder_context::decode(int*) /home/hh/Downloads/libde265/libde265/decctx.cc:1318:16
    #6 0x4ca844 in de265_decode /home/hh/Downloads/libde265/libde265/de265.cc:352:15
    #7 0x4c8ff4 in main /home/hh/Downloads/libde265/dec265/dec265.cc:764:17
    #8 0x7fca1ada90b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #9 0x41c52d in _start (/home/hh/Downloads/libde265/dec265/dec265+0x41c52d)

0x629000009488 is located 0 bytes to the right of 17032-byte region [0x629000005200,0x629000009488)
allocated by thread T0 here:
    #0 0x4c43dd in operator new(unsigned long) (/home/hh/Downloads/libde265/dec265/dec265+0x4c43dd)
    #1 0x4f5ae8 in __gnu_cxx::new_allocator<std::_Sp_counted_ptr_inplace<seq_parameter_set, std::allocator<seq_parameter_set>, (__gnu_cxx::_Lock_policy)2> >::allocate(unsigned long, void const*) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/ext/new_allocator.h:114:27
    #2 0x4f59f3 in std::allocator_traits<std::allocator<std::_Sp_counted_ptr_inplace<seq_parameter_set, std::allocator<seq_parameter_set>, (__gnu_cxx::_Lock_policy)2> > >::allocate(std::allocator<std::_Sp_counted_ptr_inplace<seq_parameter_set, std::allocator<seq_parameter_set>, (__gnu_cxx::_Lock_policy)2> >&, unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/alloc_traits.h:444:20
    #3 0x4f5559 in std::__allocated_ptr<std::allocator<std::_Sp_counted_ptr_inplace<seq_parameter_set, std::allocator<seq_parameter_set>, (__gnu_cxx::_Lock_policy)2> > > std::__allocate_guarded<std::allocator<std::_Sp_counted_ptr_inplace<seq_parameter_set, std::allocator<seq_parameter_set>, (__gnu_cxx::_Lock_policy)2> > >(std::allocator<std::_Sp_counted_ptr_inplace<seq_parameter_set, std::allocator<seq_parameter_set>, (__gnu_cxx::_Lock_policy)2> >&) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/allocated_ptr.h:97:21
    #4 0x4f528d in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::__shared_count<seq_parameter_set, std::allocator<seq_parameter_set> >(seq_parameter_set*&, std::_Sp_alloc_shared_tag<std::allocator<seq_parameter_set> >) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/shared_ptr_base.h:677:19
    #5 0x4f5044 in std::__shared_ptr<seq_parameter_set, (__gnu_cxx::_Lock_policy)2>::__shared_ptr<std::allocator<seq_parameter_set> >(std::_Sp_alloc_shared_tag<std::allocator<seq_parameter_set> >) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/shared_ptr_base.h:1344:14
    #6 0x4f4e37 in std::shared_ptr<seq_parameter_set>::shared_ptr<std::allocator<seq_parameter_set> >(std::_Sp_alloc_shared_tag<std::allocator<seq_parameter_set> >) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/shared_ptr.h:359:4
    #7 0x4f4c31 in std::shared_ptr<seq_parameter_set> std::allocate_shared<seq_parameter_set, std::allocator<seq_parameter_set> >(std::allocator<seq_parameter_set> const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/shared_ptr.h:701:14
    #8 0x4e4117 in std::shared_ptr<seq_parameter_set> std::make_shared<seq_parameter_set>() /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/bits/shared_ptr.h:717:14
    #9 0x4d162a in decoder_context::read_sps_NAL(bitreader&) /home/hh/Downloads/libde265/libde265/decctx.cc:552:48
    #10 0x4d914b in decoder_context::decode_NAL(NAL_unit*) /home/hh/Downloads/libde265/libde265/decctx.cc:1239:13
    #11 0x4d99fb in decoder_context::decode(int*) /home/hh/Downloads/libde265/libde265/decctx.cc:1318:16
    #12 0x4ca844 in de265_decode /home/hh/Downloads/libde265/libde265/de265.cc:352:15
    #13 0x4c8ff4 in main /home/hh/Downloads/libde265/dec265/dec265.cc:764:17
    #14 0x7fca1ada90b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hh/Downloads/libde265/libde265/vui.cc:221:36 in video_usability_information::hrd_parameters(error_queue*, bitreader*, seq_parameter_set const*)
Shadow bytes around the buggy address:
  0x0c527fff9240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff9250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff9260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff9270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c527fff9280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c527fff9290: 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff92a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff92b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff92c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff92d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c527fff92e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1547836==ABORTING

GDB info

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
SPS error: transform hierarchy depth (intra) > CTB size - min TB size
SPS error: transform hierarchy depth (intra) > CTB size - min TB size
double free or corruption (out)

Program received signal SIGABRT, Aborted.
[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x7ffff7a51740 (0x00007ffff7a51740)
RCX: 0x7ffff7a9c18b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
RDX: 0x0 
RSI: 0x7fffffff38d0 --> 0x0 
RDI: 0x2 
RBP: 0x7fffffff3c20 --> 0x7ffff7c41b80 --> 0x0 
RSP: 0x7fffffff38d0 --> 0x0 
RIP: 0x7ffff7a9c18b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
R8 : 0x0 
R9 : 0x7fffffff38d0 --> 0x0 
R10: 0x8 
R11: 0x246 
R12: 0x7fffffff3b40 --> 0x0 
R13: 0x10 
R14: 0x7ffff7ffb000 --> 0x62756f6400001000 
R15: 0x1
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7a9c17f <__GI_raise+191>:	mov    edi,0x2
   0x7ffff7a9c184 <__GI_raise+196>:	mov    eax,0xe
   0x7ffff7a9c189 <__GI_raise+201>:	syscall 
=> 0x7ffff7a9c18b <__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108]
   0x7ffff7a9c193 <__GI_raise+211>:	xor    rax,QWORD PTR fs:0x28
   0x7ffff7a9c19c <__GI_raise+220>:	jne    0x7ffff7a9c1c4 <__GI_raise+260>
   0x7ffff7a9c19e <__GI_raise+222>:	mov    eax,r8d
   0x7ffff7a9c1a1 <__GI_raise+225>:	add    rsp,0x118
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff38d0 --> 0x0 
0008| 0x7fffffff38d8 --> 0x5c16e0 --> 0x0 
0016| 0x7fffffff38e0 --> 0x5c16e0 --> 0x0 
0024| 0x7fffffff38e8 --> 0x46 ('F')
0032| 0x7fffffff38f0 --> 0x46 ('F')
0040| 0x7fffffff38f8 --> 0x7ffff7ffe190 --> 0x0 
0048| 0x7fffffff3900 --> 0xff00ff 
0056| 0x7fffffff3908 --> 0x7ffff7fb7b00 --> 0x400f82 ("GLIBC_2.2.5")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
__GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
50	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.

NigelX, May 13 '21 02:05
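The ASan report above shows a one-byte write landing exactly at the end of a heap-allocated seq_parameter_set, i.e. an index equal to the length of an array inside the struct. The following is an added example, not code from libde265 or from the reporter, that reproduces that bug class in miniature: a count decoded from the untrusted bitstream with Exp-Golomb ue(v) is used to index a fixed-size array in a heap-allocated parameter-set struct, once without a bound check and once with one. Every name here (hrd_params, MAX_SUB_LAYERS, fixed_pic_rate_flag, the two sample streams) is constructed for the example and says nothing about how libde265's fix is implemented; the guard byte exists only so the overflow is observable without ASan.

```c
/* Added example, not libde265 code: an untrusted count from the bitstream
 * indexing a fixed-size array in a heap-allocated struct. Names, bounds and
 * sample streams are constructed for the example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_SUB_LAYERS 8   /* hypothetical fixed bound of the per-layer array */

typedef struct {
    const uint8_t *data;
    size_t len;   /* bytes */
    size_t pos;   /* bit position, MSB first */
} bitreader;

typedef struct {
    uint8_t fixed_pic_rate_flag[MAX_SUB_LAYERS];
    volatile uint8_t guard;  /* canary right after the array, only so the overflow is visible without ASan */
} hrd_params;

/* One bit, MSB first; reading past the end yields 0, like an exhausted reader in a real decoder. */
static int read_bit(bitreader *br) {
    if (br->pos >= br->len * 8) return 0;
    int bit = (br->data[br->pos >> 3] >> (7 - (br->pos & 7))) & 1;
    br->pos++;
    return bit;
}

static uint32_t read_bits(bitreader *br, int n) {
    uint32_t v = 0;
    for (int i = 0; i < n; i++) v = (v << 1) | (uint32_t)read_bit(br);
    return v;
}

/* Unsigned Exp-Golomb ue(v): n leading zeros, a 1, then n bits; value = 2^n - 1 + bits.
 * Returns UINT32_MAX on a malformed prefix so callers can reject it. */
static uint32_t read_ue(bitreader *br) {
    int zeros = 0;
    while (zeros < 32 && read_bit(br) == 0) zeros++;
    if (zeros >= 32) return UINT32_MAX;
    return ((1u << zeros) - 1) + read_bits(br, zeros);
}

/* Vulnerable pattern: trusts the decoded count. A stream encoding count 9 writes
 * fixed_pic_rate_flag[8], one byte past the array (the shape ASan reported). */
static int parse_hrd_unchecked(bitreader *br, hrd_params *h) {
    uint32_t max_sub_layers = read_ue(br) + 1;
    for (uint32_t i = 0; i < max_sub_layers; i++)
        h->fixed_pic_rate_flag[i] = (uint8_t)read_bit(br);
    return (int)max_sub_layers;
}

/* Hardened pattern: validate the count against the array bound before the first
 * write and reject a malformed ue(v). -1 stands for queuing an error and dropping the SPS. */
static int parse_hrd_checked(bitreader *br, hrd_params *h) {
    uint32_t ue = read_ue(br);
    if (ue == UINT32_MAX || ue + 1 > MAX_SUB_LAYERS) return -1;
    uint32_t max_sub_layers = ue + 1;
    for (uint32_t i = 0; i < max_sub_layers; i++)
        h->fixed_pic_rate_flag[i] = (uint8_t)read_bit(br);
    return (int)max_sub_layers;
}

/* Constructed streams. POC: ue(v)=8 -> count 9, then nine 1-bits: 0001001 111111111 = 0x13 0xFF.
 * BENIGN: ue(v)=2 -> count 3, then flags 1,0,1: 011 101 + padding = 0x74. */
static const uint8_t POC_STREAM[]    = { 0x13, 0xFF };
static const uint8_t BENIGN_STREAM[] = { 0x74 };

typedef int (*hrd_parser)(bitreader *, hrd_params *);

static uint32_t decode_ue(const uint8_t *s, size_t n) {
    bitreader br = { s, n, 0 };
    return read_ue(&br);
}

/* Runs a parser over a stream on a fresh heap struct; returns 1 if the guard byte was overwritten. */
static int run_once(hrd_parser parse, const uint8_t *s, size_t n, int *rc) {
    hrd_params *h = calloc(1, sizeof *h);
    if (!h) abort();
    h->guard = 0xAA;
    bitreader br = { s, n, 0 };
    *rc = parse(&br, h);
    int clobbered = (h->guard != 0xAA);
    free(h);
    return clobbered;
}

static int parser_result(hrd_parser parse, const uint8_t *s, size_t n) {
    int rc; run_once(parse, s, n, &rc); return rc;
}

static int parser_clobbers_guard(hrd_parser parse, const uint8_t *s, size_t n) {
    int rc; return run_once(parse, s, n, &rc);
}

int main(void) {
    printf("unchecked on poc: count=%d, guard clobbered=%d\n",
           parser_result(parse_hrd_unchecked, POC_STREAM, sizeof POC_STREAM),
           parser_clobbers_guard(parse_hrd_unchecked, POC_STREAM, sizeof POC_STREAM));
    printf("checked on poc: rc=%d, guard clobbered=%d\n",
           parser_result(parse_hrd_checked, POC_STREAM, sizeof POC_STREAM),
           parser_clobbers_guard(parse_hrd_checked, POC_STREAM, sizeof POC_STREAM));
    printf("checked on benign: count=%d\n",
           parser_result(parse_hrd_checked, BENIGN_STREAM, sizeof BENIGN_STREAM));
    return 0;
}
```

The check belongs before the first write, not after the loop: once one byte has gone past the array the damage is done, which is why the report above ends in "double free or corruption" when run without ASan. Build this with `-fsanitize=address` and the unchecked parser is flagged at the same kind of one-byte write the report shows.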

Thank you. Has been fixed with 8e89fe0e175d2870c39486fdd09250b230ec10b8. Please confirm.

farindk, Apr 05 '22 17:04

This seems to be CVE-2022-1253.

coldtobi, Dec 12 '22 14:12

I checked again. Seems to be fixed.

farindk, Jan 27 '23 12:01