Asan is showing a heap buffer overflow error
Platform: Ubuntu 20.04
Source compiled: November 13, 2021
poc.zip
=================================================================
==4025910==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6130000063b0 at pc 0x000001cc74cf bp 0x7f96cd3f7990 sp 0x7f96cd3f7988
READ of size 1 at 0x6130000063b0 thread T2
#0 0x1cc74ce in void apply_sao_internal(de265_image*, int, int, slice_segment_header const*, int, int, int, unsigned short const*, int, unsigned short*, int) /src/libde265/libde265/sao.cc:252:28
#1 0x1cc2da4 in apply_sao /src/libde265/libde265/sao.cc:270:5
#2 0x1cc2da4 in thread_task_sao::work() /src/libde265/libde265/sao.cc:441:9
#3 0x1cfb81d in worker_thread(void*) /src/libde265/libde265/threads.cc:233:11
#4 0x7f96d0cd4608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
#5 0x7f96d0bfb292 in __clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Address 0x6130000063b0 is a wild pointer inside of access range of size 0x000000000001.
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/libde265/libde265/sao.cc:252:28 in void apply_sao_internal(de265_image*, int, int, slice_segment_header const*, int, int, int, unsigned short const*, int, unsigned short*, int)
Shadow bytes around the buggy address:
0x0c267fff8c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fff8c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fff8c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fff8c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fff8c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c267fff8c70: fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa
0x0c267fff8c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fff8c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fff8ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fff8cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fff8cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Thread T2 created by T0 here:
#0 0x510c8c in pthread_create /src/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:207:3
#1 0x1cfb3c1 in de265_thread_create /src/libde265/libde265/threads.cc:41:96
#2 0x1cfb3c1 in start_thread_pool(thread_pool*, int) /src/libde265/libde265/threads.cc:271:15
#3 0x1c73f43 in decoder_context::start_thread_pool(int) /src/libde265/libde265/decctx.cc:346:3
#4 0x1c6f726 in de265_start_worker_threads /src/libde265/libde265/de265.cc:264:28
#5 0x6ba656 in libde265_new_decoder(void**) /src/libheif/libheif/heif_decoder_libde265.cc:173:3
#6 0x63beb9 in heif::HeifContext::decode_image_planar(unsigned int, std::__1::shared_ptr<heif::HeifPixelImage>&, heif_colorspace, heif_decoding_options const*, bool) const /src/libheif/libheif/heif_context.cc:1086:29
#7 0x63a495 in heif::HeifContext::decode_image_user(unsigned int, std::__1::shared_ptr<heif::HeifPixelImage>&, heif_colorspace, heif_chroma, heif_decoding_options const*) const /src/libheif/libheif/heif_context.cc:1014:15
#8 0x60c15f in heif_decode_image /src/libheif/libheif/heif.cc:917:35
#9 0x6c76bd in TestDecodeImage(heif_context*, heif_image_handle const*, unsigned long) /src/libheif/libheif/file_fuzzer.cc:61:9
#10 0x6c6f97 in LLVMFuzzerTestOneInput /src/libheif/libheif/file_fuzzer.cc:102:5
#11 0x4583c3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) cxa_noexception.cpp
#12 0x443cd2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
#13 0x44979a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) cxa_noexception.cpp
#14 0x4726c2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#15 0x7f96d0b000b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
==4025910==ABORTING
I was not able to reproduce this on Ubuntu 16.04 and 22.04.
If anyone manages to reproduce this at any libde265 version, please let me know the exact setup.