NULL Pointer Dereference in function ff_hevc_put_hevc_epel_pixels_8_sse at sse-motion.cc:968
git log commit 1cf2999583ef8a90e11933ed70908e4e2c2d8872 (HEAD -> master, origin/master, origin/HEAD)
git clone https://github.com/strukturag/libde265.git
cd libde265
./autogen.sh
export CFLAGS="-g -O0 -lpthread -fsanitize=address"
export CXXFLAGS="-g -O0 -lpthread -fsanitize=address"
export LDFLAGS="-fsanitize=address"
./configure --disable-shared
make -j
cd dec265 ./dec265 ./poc_segv01.bin WARNING: non-existing PPS referenced WARNING: non-existing PPS referenced WARNING: non-existing PPS referenced WARNING: non-existing PPS referenced WARNING: coded parameter out of range AddressSanitizer:DEADLYSIGNAL ================================================================= ==7394==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x561be828c36c bp 0x000000000000 sp 0x7ffe3413f310 T0) ==7394==The signal is caused by a READ memory access. ==7394==Hint: address points to the zero page. #0 0x561be828c36b in _mm_loadu_si128(long long __vector(2) const*) /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:703 #1 0x561be828c36b in ff_hevc_put_hevc_epel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, int, int, short*) /home/fuzz/libde265/libde265/x86/sse-motion.cc:968 #2 0x561be83306ab in acceleration_functions::put_hevc_epel(short*, long, void const*, long, int, int, int, int, short*, int) const ../libde265/acceleration.h:296 #3 0x561be83306ab in void mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) /home/fuzz/libde265/libde265/motion.cc:205 #4 0x561be8327067 in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) /home/fuzz/libde265/libde265/motion.cc:412 #5 0x561be8327edd in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /home/fuzz/libde265/libde265/motion.cc:2141 #6 0x561be8213601 in read_coding_unit(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4314 #7 0x561be821c2e1 in read_coding_quadtree(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4652 #8 0x561be821bd61 in read_coding_quadtree(thread_context*, int, int, int, int) 
/home/fuzz/libde265/libde265/slice.cc:4635 #9 0x561be821bd61 in read_coding_quadtree(thread_context*, int, int, int, int) /home/fuzz/libde265/libde265/slice.cc:4635 #10 0x561be821e3db in decode_substream(thread_context*, bool, bool) /home/fuzz/libde265/libde265/slice.cc:4741 #11 0x561be82210c2 in read_slice_segment_data(thread_context*) /home/fuzz/libde265/libde265/slice.cc:5054 #12 0x561be812a487 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /home/fuzz/libde265/libde265/decctx.cc:852 #13 0x561be812dca0 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /home/fuzz/libde265/libde265/decctx.cc:954 #14 0x561be812e934 in decoder_context::decode_some(bool*) /home/fuzz/libde265/libde265/decctx.cc:739 #15 0x561be81321c7 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /home/fuzz/libde265/libde265/decctx.cc:697 #16 0x561be813362c in decoder_context::decode_NAL(NAL_unit*) /home/fuzz/libde265/libde265/decctx.cc:1239 #17 0x561be8134df5 in decoder_context::decode(int*) /home/fuzz/libde265/libde265/decctx.cc:1327 #18 0x561be80f9f9d in main /home/fuzz/libde265/dec265/dec265.cc:764 #19 0x7f8b26075082 in __libc_start_main ../csu/libc-start.c:308 #20 0x561be80fe0dd in _start (/home/fuzz/libde265/dec265/dec265+0x240dd) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:703 in _mm_loadu_si128(long long __vector(2) const*) ==7394==ABORTING
poc_segv01.bin
gdb --args ./dec265 ./poc_segv01.bin ─── Output/messages ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". WARNING: non-existing PPS referenced WARNING: non-existing PPS referenced WARNING: non-existing PPS referenced WARNING: non-existing PPS referenced WARNING: coded parameter out of range Program received signal SIGSEGV, Segmentation fault. _mm_loadu_si128(long long __vector(2) const*) (__P=<optimized out>) at /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:1006 1006 return (__m128i)__builtin_ia32_punpcklbw128 ((__v16qi)__A, (__v16qi)__B); ─── Assembly ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── 0x0000555555706359 _mm_loadu_si128(long long __vector(2) const*)+79 setle %r11b 0x000055555570635d _mm_loadu_si128(long long __vector(2) const*)+83 test %dil,%dil 0x0000555555706360 _mm_loadu_si128(long long __vector(2) const*)+86 setne %al 0x0000555555706363 _mm_loadu_si128(long long __vector(2) const*)+89 test %al,%r11b 0x0000555555706366 _mm_loadu_si128(long long __vector(2) const*)+92 jne 0x555555706fad <ff_hevc_put_hevc_epel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, int, int, short*)+3613> 0x000055555570636c _mm_loadu_si128(long long __vector(2) const*)+98 movdqu (%r9),%xmm10 0x0000555555706371 _mm_loadu_si128(long long __vector(2) const*)+103 mov %r10,%rdi 0x0000555555706374 _mm_loadu_si128(long long __vector(2) const*)+106 shr $0x3,%rdi 0x0000555555706378 _mm_loadu_si128(long long __vector(2) const*)+110 movdqa %xmm10,%xmm11 0x000055555570637d _mm_loadu_si128(long long __vector(2) const*)+115 cmpw $0x0,0x7fff8000(%rdi) ─── Breakpoints 
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── ─── Expressions ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── ─── History ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── ─── Memory ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── ─── Registers ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── rax 0x0000000000000000 rbx 0x0000000000000000 rcx 0xffffffffffffffe0 rdx 0x00005555557f0fc0 rsi 0x0000000000000000 rdi 0x0000000000000000 rbp 0x0000000000000000 rsp 0x00007ffffffde670 r8 0x0000000000000010 r9 0x0000000000000000 r10 0x00007ffffffe6520 r11 0x0000000000000001 r12 0x00007ffffffe6520 r13 0x0000000000000000 r14 0x0000000000000010 r15 0x0000000000000000 rip 0x000055555570636c eflags [ PF ZF IF RF ] cs 0x00000033 ss 0x0000002b ds 0x00000000 es 0x00000000 fs 0x00000000 gs 0x00000000 ─── Source ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── 1001 } 1002 1003 extern __inline __m128i __attribute__((__gnu_inline__, __always_inline__, __artificial__)) 1004 _mm_unpacklo_epi8 (__m128i __A, __m128i __B) 1005 { 1006 return (__m128i)__builtin_ia32_punpcklbw128 ((__v16qi)__A, (__v16qi)__B); 1007 } 1008 1009 extern __inline __m128i __attribute__((__gnu_inline__, __always_inline__, __artificial__)) 1010 _mm_unpacklo_epi16 (__m128i __A, __m128i __B) ─── Stack 
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── [0] from 0x000055555570636c in _mm_loadu_si128(long long __vector(2) const*)+98 at /usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:1006 [1] from 0x000055555570636c in ff_hevc_put_hevc_epel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, int, int, short*)+476 at sse-motion.cc:968 [2] from 0x00005555557aa6ac in acceleration_functions::put_hevc_epel(short*, long, void const*, long, int, int, int, int, short*, int) const+182 at ../libde265/acceleration.h:296 [3] from 0x00005555557aa6ac in mc_chroma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int)+7260 at motion.cc:205 [4] from 0x00005555557a1068 in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*)+26328 at ../libde265/image.h:301 [5] from 0x00005555557a1ede in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int)+446 at motion.cc:2141 [6] from 0x000055555568d602 in read_coding_unit(thread_context*, int, int, int, int)+8402 at slice.cc:4314 [7] from 0x00005555556962e2 in read_coding_quadtree(thread_context*, int, int, int, int)+2834 at slice.cc:4652 [8] from 0x0000555555695d62 in read_coding_quadtree(thread_context*, int, int, int, int)+1426 at slice.cc:4635 [9] from 0x0000555555695d62 in read_coding_quadtree(thread_context*, int, int, int, int)+1426 at slice.cc:4635 [+] ─── Threads ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── [1] id 7387 name dec265 from 0x000055555570636c in _mm_loadu_si128(long long __vector(2) const*)+98 at 
/usr/lib/gcc/x86_64-linux-gnu/9/include/emmintrin.h:1006 ─── Variables ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── arg __P = <optimized out> loc x = <optimized out>, y = 0, x1 = Cannot access memory at address 0x0, x2 = <optimized out>, src = 0x0: Cannot access memory at address 0x0 ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── >>>
This vulnerability can crash the decoder, causing a denial of service via a crafted input file. The GDB variables show `src = 0x0` inside ff_hevc_put_hevc_epel_pixels_8_sse, so the null source pointer is passed in from the motion-compensation caller (mc_chroma, motion.cc:205) rather than created in the SSE kernel; the preceding "non-existing PPS referenced" and "coded parameter out of range" warnings suggest a reference image that was never allocated is being read. A null check on the reference buffer at the caller (or rejecting the slice when its PPS is missing) would prevent the read.
Thank you.
Description
NULL Pointer Dereference in function ff_hevc_put_hevc_epel_pixels_8_sse at sse-motion.cc:968
Version
Steps to reproduce
POC
poc_segv01.bin
GDB
Impact
This vulnerability is capable of crashing software, causing a denial of service via a crafted input file.