search

strukturag / libde265

Open h.265 video codec implementation.
Other
1.7k stars 457 forks source link

SEGV:occured in function decoder_context::process_slice_segment_header at decctx.cc:2007:20 #393

Closed blu3sh0rk closed 1 year ago

blu3sh0rk commented 1 year ago

Desctiption

A SEGV has occurred when running program dec265 NULL Pointer Dereference in function decoder_context::process_slice_segment_header at decctx.cc:2007:20

Version

dec265  v1.0.11

git log
commit fef32a7761993702c699dfbe3699e44374eb44b5 (HEAD -> master, origin/master, origin/HEAD)
Merge: 3aea5a45 c2b60f1c
Author: Dirk Farin <dirk.farin@gmail.com>
Date:   Thu Feb 9 11:13:24 2023 +0100

Steps to reproduce

git clone https://github.com/strukturag/libde265.git
cd libde265
./autogen.sh
export CFLAGS="-g -O0 -lpthread -fsanitize=address"
export CXXFLAGS="-g -O0 -lpthread -fsanitize=address"
export LDFLAGS="-fsanitize=address"
./configure --disable-shared
make -j
cd dec265
./dec265 SEGV-POC
WARNING: non-existing PPS referenced
WARNING: maximum number of reference pictures exceeded
WARNING: maximum number of reference pictures exceeded
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3838968==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004e2220 bp 0x7ffc6cbf5fd0 sp 0x7ffc6cbf5ac0 T0)
==3838968==The signal is caused by a READ memory access.
==3838968==Hint: address points to the zero page.
    #0 0x4e2220 in decoder_context::process_slice_segment_header(slice_segment_header*, de265_error*, long, nal_header*, void*) /home/lzy/fuzz/oss/libde265/libde265/decctx.cc:2007:20
    #1 0x4e1012 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /home/lzy/fuzz/oss/libde265/libde265/decctx.cc:649:7
    #2 0x4eb7f1 in decoder_context::decode_NAL(NAL_unit*) /home/lzy/fuzz/oss/libde265/libde265/decctx.cc:1240:11
    #3 0x4ec6a1 in decoder_context::decode(int*) /home/lzy/fuzz/oss/libde265/libde265/decctx.cc:1328:16
    #4 0x4d3645 in de265_decode /home/lzy/fuzz/oss/libde265/libde265/de265.cc:367:15
    #5 0x4d0363 in main /home/lzy/fuzz/oss/libde265/dec265/dec265.cc:764:17
    #6 0x7efcae0bc082 in __libc_start_main /build/glibc-KZwQYS/glibc-2.31/csu/../csu/libc-start.c:308:16
    #7 0x41e5bd in _start (/home/lzy/fuzz/oss/libde265/dec265/dec265+0x41e5bd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/lzy/fuzz/oss/libde265/libde265/decctx.cc:2007:20 in decoder_context::process_slice_segment_header(slice_segment_header*, de265_error*, long, nal_header*, void*)
==3838968==ABORTING

POC

https://github.com/blu3sh0rk/Fuzzing-crash/blob/main/SEGV.zip

GDB INFO

WARNING: maximum number of reference pictures exceeded
WARNING: CTB outside of image area (concealing stream error...)
WARNING: maximum number of reference pictures exceeded
[ Legend: Modified register | Code | Heap | Stack | String ]
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────$rax   : 0x0               
$rbx   : 0x007fffffff3180  →  0x0061b0000f1494  →  0x0000000000000000
$rcx   : 0x6f2             
$rdx   : 0x637             
$rsp   : 0x007fffffff30e0  →  0x0000000041b58ab3
$rbp   : 0x007fffffff35f0  →  0x007fffffff3970  →  0x007fffffff3b30  →  0x007fffffff3ca0  →  0x007fffffff3cd0  →  0x007fffffffe0c0  →  0x0000000000000000
$rsi   : 0x600             
$rdi   : 0x00621000000718  →  0x0000000000000000
$rip   : 0x000000004e2220  →  <decoder_context::process_slice_segment_header(slice_segment_header*,+0> mov al, BYTE PTR [rax]
$r8    : 0x00621000000100  →  0x000000006f97b0  →  0x000000004db200  →  <decoder_context::~decoder_context()+0> push rbp
$r9    : 0x007ffff43ff800  →  0xbeddbeddddbeddbe
$r10   : 0x24b             
$r11   : 0x240             
$r12   : 0x0000000041e590  →  <_start+0> endbr64 
$r13   : 0x007fffffffe1b0  →  0x0000000000000002
$r14   : 0x200             
$r15   : 0x0               
$eflags: [ZERO carry PARITY adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x33 $ss: 0x2b $ds: 0x00 $es: 0x00 $fs: 0x00 $gs: 0x00 
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────0x007fffffff30e0│+0x0000: 0x0000000041b58ab3     ← $rsp
0x007fffffff30e8│+0x0008: 0x000000006fac63  →  "4 32 16 7 agg.tmp 64 16 9 agg.tmp36 96 16 9 agg.tm[...]"
0x007fffffff30f0│+0x0010: 0x000000004e1eb0  →  <decoder_context::process_slice_segment_header(slice_segment_header*,+0> push rbp
0x007fffffff30f8│+0x0018: 0x006290000b4418  →  0xbebebe0000000004
0x007fffffff3100│+0x0020: 0x0061b0000f1534  →  0x0000000000000000
0x007fffffff3108│+0x0028: 0x006290000b649c  →  0x00000d00000001  →  0x0000000000000000
0x007fffffff3110│+0x0030: 0x0061b0000f14cc  →  0x0000000000000002
0x007fffffff3118│+0x0038: 0x006290000b649c  →  0x00000d00000001  →  0x0000000000000000
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────     0x4e220d <decoder_context::process_slice_segment_header(slice_segment_header*,+0> mov    rdi, QWORD PTR [rbx+0x320]
     0x4e2214 <decoder_context::process_slice_segment_header(slice_segment_header*,+0> call   0x49f990 <__asan_report_load1>
     0x4e2219 <decoder_context::process_slice_segment_header(slice_segment_header*,+0> mov    rax, QWORD PTR [rbx+0x320]
 →   0x4e2220 <decoder_context::process_slice_segment_header(slice_segment_header*,+0> mov    al, BYTE PTR [rax]
     0x4e2222 <decoder_context::process_slice_segment_header(slice_segment_header*,+0> and    al, 0x1
     0x4e2224 <decoder_context::process_slice_segment_header(slice_segment_header*,+0> movzx  eax, al
     0x4e2227 <decoder_context::process_slice_segment_header(slice_segment_header*,+0> cmp    eax, 0x0
     0x4e222a <decoder_context::process_slice_segment_header(slice_segment_header*,+0> jne    0x4e22aa <decoder_context::process_slice_segment_header(slice_segment_header*,  de265_error*,  long,  nal_header*,  void*)+1018>
     0x4e2230 <decoder_context::process_slice_segment_header(slice_segment_header*,+0> mov    ecx, DWORD PTR ds:0x75b760
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:decctx.cc+2007 ────   2002  
   2003  
   2004    // get PPS and SPS for this slice
   2005  
   2006    int pps_id = hdr->slice_pic_parameter_set_id;
           // pps_id=0x1
 → 2007    if (pps[pps_id]->pps_read==false) {
   2008      logerror(LogHeaders, "PPS %d has not been read\n", pps_id);
   2009      assert(false); // TODO
   2010    }
   2011  
   2012    current_pps = pps[pps_id];
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────[#0] Id 1, Name: "dec265", stopped 0x4e2220 in decoder_context::process_slice_segment_header (), reason: SIGSEGV
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────[#0] 0x4e2220 → decoder_context::process_slice_segment_header(this=0x621000000100, hdr=0x61b0000f1180, err=0x7fffffff3630, pts=0xa000, nal_hdr=0x7fffffff39e0, user_data=0x2)
[#1] 0x4e1013 → decoder_context::read_slice_NAL(this=0x621000000100, reader=@0x7fffffff39a0, nal=0x606000020d20, nal_hdr=@0x7fffffff39e0)
[#2] 0x4eb7f2 → decoder_context::decode_NAL(this=0x621000000100, nal=0x606000020d20)
[#3] 0x4ec6a2 → decoder_context::decode(this=0x621000000100, more=0x7fffffffde50)
[#4] 0x4d3646 → de265_decode(de265ctx=0x621000000100, more=0x7fffffffde50)
[#5] 0x4d0364 → main(argc=0x2, argv=0x7fffffffe1b8)
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────gef➤

Impact

Due to incorrect access control, a SEGV caused by a READ memory access occurred at line 2007 of the code. This issue can cause a Denial of Service attack.

farindk commented 1 year ago

Thank you

giancorderoortiz commented 1 year ago

Is it possible to do a patch release in the upcoming weeks that officially addresses this issue (https://nvd.nist.gov/vuln/detail/CVE-2023-27102) Version 1.0.11 was released on Feb 1, 2023 according to https://github.com/strukturag/libde265/releases