strukturag / libde265

Open h.265 video codec implementation.

Heap Buffer Overflow in sao.cc #307

Open swirsz opened 2 years ago

swirsz commented 2 years ago

ASan is showing a heap buffer overflow error

Platform: Ubuntu 20.04
Source compiled: November 13, 2021

poc.zip

```
=================================================================
==4025910==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6130000063b0 at pc 0x000001cc74cf bp 0x7f96cd3f7990 sp 0x7f96cd3f7988
READ of size 1 at 0x6130000063b0 thread T2
    #0 0x1cc74ce in void apply_sao_internal(de265_image*, int, int, slice_segment_header const*, int, int, int, unsigned short const*, int, unsigned short*, int) /src/libde265/libde265/sao.cc:252:28
    #1 0x1cc2da4 in apply_sao<unsigned char> /src/libde265/libde265/sao.cc:270:5
    #2 0x1cc2da4 in thread_task_sao::work() /src/libde265/libde265/sao.cc:441:9
    #3 0x1cfb81d in worker_thread(void*) /src/libde265/libde265/threads.cc:233:11
    #4 0x7f96d0cd4608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
    #5 0x7f96d0bfb292 in __clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Address 0x6130000063b0 is a wild pointer inside of access range of size 0x000000000001.
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/libde265/libde265/sao.cc:252:28 in void apply_sao_internal(de265_image*, int, int, slice_segment_header const*, int, int, int, unsigned short const*, int, unsigned short*, int)
Shadow bytes around the buggy address:
  0x0c267fff8c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff8c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff8c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff8c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff8c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c267fff8c70: fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa
  0x0c267fff8c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff8c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff8ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff8cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff8cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
Thread T2 created by T0 here:
    #0 0x510c8c in pthread_create /src/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:207:3
    #1 0x1cfb3c1 in de265_thread_create /src/libde265/libde265/threads.cc:41:96
    #2 0x1cfb3c1 in start_thread_pool(thread_pool*, int) /src/libde265/libde265/threads.cc:271:15
    #3 0x1c73f43 in decoder_context::start_thread_pool(int) /src/libde265/libde265/decctx.cc:346:3
    #4 0x1c6f726 in de265_start_worker_threads /src/libde265/libde265/de265.cc:264:28
    #5 0x6ba656 in libde265_new_decoder(void**) /src/libheif/libheif/heif_decoder_libde265.cc:173:3
    #6 0x63beb9 in heif::HeifContext::decode_image_planar(unsigned int, std::__1::shared_ptr<heif::HeifPixelImage>&, heif_colorspace, heif_decoding_options const*, bool) const /src/libheif/libheif/heif_context.cc:1086:29
    #7 0x63a495 in heif::HeifContext::decode_image_user(unsigned int, std::__1::shared_ptr<heif::HeifPixelImage>&, heif_colorspace, heif_chroma, heif_decoding_options const*) const /src/libheif/libheif/heif_context.cc:1014:15
    #8 0x60c15f in heif_decode_image /src/libheif/libheif/heif.cc:917:35
    #9 0x6c76bd in TestDecodeImage(heif_context*, heif_image_handle const*, unsigned long) /src/libheif/libheif/file_fuzzer.cc:61:9
    #10 0x6c6f97 in LLVMFuzzerTestOneInput /src/libheif/libheif/file_fuzzer.cc:102:5
    #11 0x4583c3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) cxa_noexception.cpp
    #12 0x443cd2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #13 0x44979a in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) cxa_noexception.cpp
    #14 0x4726c2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #15 0x7f96d0b000b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

==4025910==ABORTING
```

farindk commented 1 year ago

I was not able to reproduce this on Ubuntu 16.04 and 22.04. If anyone manages to reproduce this at any libde265 version, please let me know the exact setup.