Open fdu-sec opened 1 year ago
According to Debian this is CVE-2022-43235
I couldn't reproduce this (Ubuntu 16.04.7, GCC 5.4.0). Tried at v1.0.8 and c96962cf.
@coldtobi Since I apparently cannot reproduce the original issue in my setups, could you please verify that the issue is fixed?
I can't reproduce this exact issue either… (Bisecting finds some old commit ~1.0.4 which triggers asan, but that is a completely different backtrace.)
I think I'm seeing this issue (on a regular basis, security camera feed). As near as I can tell, this happens if it tries to do an accelerated put_hevc_epel() from a block that is smaller than 8 in width and is near to the end of a plane allocation. _mm_unpacklo_epi8() reads in 8-byte chunks and in my case it was working on a 4x4 block at the end of the plane. Let me know if you need any more info.
ff_hevc_put_hevc_epel_pixels_8_sse variables:
y = 3, height = 4, x = 0, width = 4
src = (uint8_t *) 0x7fffc857cffc "\204\204\204\204"<error: Cannot access memory at address 0x7fffc857d000>
mc_chroma variables:
xIntOffsC = 1276, yIntOffsC = 716, nPbWC = 4, nPbHC = 4, ref = 0x7fffc849c000, ref_stride = 1280
Reference Image Info:
chroma_format = de265_chroma_420, width = 2560, height = 1440, chroma_width = 1280, chroma_height = 720, stride = 2560, chroma_stride = 1280, BitDepth_Y = 8, BitDepth_C = 8, SubWidthC = 2, SubHeightC = 2
Backtrace:
#0 ff_hevc_put_hevc_epel_pixels_8_sse (dst=0x7fffcfffaaf0, dststride=8, _src=<optimized out>, srcstride=1280, width=4, height=4, mx=0, my=0, mcbuffer=0x0) at sse-motion.cc:1002
#1 0x00007ffff4084682 in acceleration_functions::put_hevc_epel (this=this@entry=0x7fffd004dda0, dst=dst@entry=0x7fffcfffaac0, dststride=dststride@entry=8, src=<optimized out>,
srcstride=srcstride@entry=1280, width=<optimized out>, height=4, mx=0, my=0, mcbuffer=0x0, bit_depth=8) at ../libde265/acceleration.h:296
#2 0x00007ffff4085537 in mc_chroma<unsigned char> (ctx=ctx@entry=0x7fffd004dcf0, sps=sps@entry=0x7fffd006e1e0, mv_x=<optimized out>, mv_y=<optimized out>, xP=xP@entry=2552, yP=yP@entry=1432,
out=0x7fffcfffaac0, out_stride=8, ref=0x7fffc849c000 '\203' <repeats 55 times>, "\202\200", '\177' <repeats 14 times>, "\200\200", '\201' <repeats 110 times>, "\200\177", '~' <repeats 15 times>...,
ref_stride=1280, nPbWC=4, nPbHC=4, bit_depth_C=8) at motion.cc:205
#3 0x00007ffff4083aae in generate_inter_prediction_samples (ctx=ctx@entry=0x7fffd004dcf0, shdr=shdr@entry=0x7fffd0068960, img=img@entry=0x7fffd00267e0, xC=xC@entry=2552, yC=yC@entry=1432, xB=xB@entry=0,
yB=0, nCS=8, nPbW=8, nPbH=8, vi=0x7fffcfffeb5c) at motion.cc:420
#4 0x00007ffff40844a6 in decode_prediction_unit (ctx=0x7fffd004dcf0, shdr=0x7fffd0068960, img=0x7fffd00267e0, motion=..., xC=xC@entry=2552, yC=yC@entry=1432, xB=0, yB=0, nCS=8, nPbW=8, nPbH=8, partIdx=0)
at motion.cc:2176
#5 0x00007ffff4091cbc in read_coding_unit (tctx=tctx@entry=0x7fffd0657988, x0=x0@entry=2552, y0=y0@entry=1432, log2CbSize=log2CbSize@entry=3, ctDepth=ctDepth@entry=2) at slice.cc:4314
#6 0x00007ffff40928ac in read_coding_quadtree (tctx=0x7fffd0657988, x0=2552, y0=1432, log2CbSize=3, ctDepth=2) at slice.cc:4652
#7 0x00007ffff4092831 in read_coding_quadtree (tctx=0x7fffd0657988, x0=2544, y0=1424, log2CbSize=4, ctDepth=<optimized out>) at slice.cc:4645
#8 0x00007ffff4092831 in read_coding_quadtree (tctx=tctx@entry=0x7fffd0657988, x0=x0@entry=2528, y0=y0@entry=1408, log2CbSize=5, ctDepth=ctDepth@entry=0) at slice.cc:4645
#9 0x00007ffff409298f in read_coding_tree_unit (tctx=tctx@entry=0x7fffd0657988) at slice.cc:2861
#10 0x00007ffff4092c6c in decode_substream (tctx=tctx@entry=0x7fffd0657988, block_wpp=block_wpp@entry=false, first_independent_substream=<optimized out>) at slice.cc:4741
#11 0x00007ffff4092e3a in thread_task_slice_segment::work (this=0x7fffd004b090) at slice.cc:4940
#12 0x00007ffff40986ce in worker_thread (pool_ptr=0x7fffd004e728) at threads.cc:233
#13 0x00007ffff7b66b4a in ?? () from /lib64/libc.so.6
#14 0x00007ffff7be965c in ?? () from /lib64/libc.so.6
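An added model of the mechanism described in the comment above (example code, not libde265's kernel): the vector path loads a full 8-byte lane per row, so a width-4 block whose last row lies within 8 bytes of the end of the plane allocation reads past it, and the checked variant detects that row and takes a scalar copy instead. The names epel_row_overreads and put_epel_pixels_8_checked, and the 64-byte plane with stride 16, are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Added model of the 8-bit "epel pixels" copy (not libde265's code): the vector
 * kernel reads each source row in 8-byte lanes, so width < 8 still loads 8. */
#define LANE_BYTES 8
/* Nonzero if the lane load for one row at plane offset src_off would read past
 * the allocation [0, plane_bytes); width is rounded up to whole lanes. */
static int epel_row_overreads(size_t src_off, int width, size_t plane_bytes)
{
    size_t lanes = (size_t)(width + LANE_BYTES - 1) / LANE_BYTES;
    return src_off + lanes * LANE_BYTES > plane_bytes;
}

/* Hardened copy, dst[x] = src[x] << 6: in-bounds rows use the 8-byte path,
 * rows that would overread take a scalar copy of exactly `width` bytes.
 * plane_base/plane_bytes describe src's allocation. Returns fallback rows. */
static int put_epel_pixels_8_checked(int16_t *dst, ptrdiff_t dststride,
        const uint8_t *src, ptrdiff_t srcstride, int width, int height,
        const uint8_t *plane_base, size_t plane_bytes)
{
    int fallback_rows = 0;
    for (int y = 0; y < height; y++) {
        const uint8_t *row = src + y * srcstride;
        if (!epel_row_overreads((size_t)(row - plane_base), width, plane_bytes)) {
            for (int x = 0; x < width; x += LANE_BYTES) {   /* "vector" path */
                uint8_t lane[LANE_BYTES];
                memcpy(lane, row + x, LANE_BYTES);          /* full 8-byte load */
                for (int i = 0; i < LANE_BYTES && x + i < width; i++)
                    dst[y * dststride + x + i] = (int16_t)(lane[i] << 6);
            }
        } else {                                            /* scalar fallback */
            for (int x = 0; x < width; x++)
                dst[y * dststride + x] = (int16_t)(row[x] << 6);
            fallback_rows++;
        }
    }
    return fallback_rows;
}
/* Constructed scenario mirroring the report: 4x4 block whose last row ends
 * 4 bytes before the end of a 64-byte plane (stride 16); -1 = bad sample. */
static int demo_block_at_plane_end(void)
{
    uint8_t plane[64]; int16_t out[16];
    for (int i = 0; i < 64; i++) plane[i] = (uint8_t)i;
    int fb = put_epel_pixels_8_checked(out, 4, plane + 12, 16, 4, 4, plane, 64);
    for (int i = 0; i < 16; i++)                 /* check every copied sample */
        if (out[i] != (int16_t)(plane[(i / 4) * 16 + 12 + i % 4] << 6)) return -1;
    return fb;  /* 1: only the last row (offset 60, lane load to 68) fell back */
}
```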
Description
Heap-buffer-overflow (/libde265/build/libde265/liblibde265.so+0x262cc1) in ff_hevc_put_hevc_epel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, int, int, short*)
Version
Replay
ASAN
POC
https://github.com/FDU-Sec/poc/blob/main/libde265/poc3
Environment
Credit
Peng Deng (Fudan University)