strukturag / libde265

Open h.265 video codec implementation.

Unknown address in refpic.cc - dump_compact_short_term_ref_pic_set() #396

Closed skensita closed 1 year ago

skensita commented 1 year ago

Tested version: libde265 v1.0.11

Description of the bug: An unknown-address access is triggered when processing a crafted HEVC file, which leads to a crash. This can be used for denial of service attacks.

Wrong reference to set->UsedByCurrPicS0[i] inside dump_compact_short_term_ref_pic_set.

Steps to reproduce the bug: Compile with Address Sanitizer (ASan): ./hdrcopy ./0dfd91904d999a9e52a8893982ccc7853c810800

Address Sanitizer log:

min@min-s-jang02:~/h.265/fuzzing/test$ ./hdrcopy classifiedCrashes/0dfd91904d999a9e52a8893982ccc7853c810800
NAL: 0x42 0x17 -  unit type:SPS temporal id:6
SPS error: transform hierarchy depth (inter) > CTB size - min TB size
INFO: ----------------- SPS -----------------
INFO: video_parameter_set_id  : 0
INFO: sps_max_sub_layers      : 1
INFO: sps_temporal_id_nesting_flag : 1
INFO:   general_profile_space     : 0
INFO:   general_tier_flag         : 0
INFO:   general_profile_idc       : Main
INFO:   general_profile_compatibility_flags: 0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
INFO:     general_progressive_source_flag : 1
INFO:     general_interlaced_source_flag : 0
INFO:     general_non_packed_constraint_flag : 0
INFO:     general_frame_only_constraint_flag : 1
INFO:   general_level_idc         : 63 (2.10)
INFO: seq_parameter_set_id    : 0
INFO: chroma_format_idc       : 1 (4:2:0)
INFO: pic_width_in_luma_samples  : 640
INFO: pic_height_in_luma_samples : 368
INFO: conformance_window_flag    : 0
INFO: bit_depth_luma   : 8
INFO: bit_depth_chroma : 8
INFO: log2_max_pic_order_cnt_lsb : 8
INFO: sps_sub_layer_ordering_info_present_flag : 1
INFO: Layer 0
INFO:   sps_max_dec_pic_buffering      : 13
INFO:   sps_max_num_reorder_pics       : 0
INFO:   sps_max_latency_increase_plus1 : 5
INFO: log2_min_luma_coding_block_size : 3
INFO: log2_diff_max_min_luma_coding_block_size : 3
INFO: log2_min_transform_block_size   : 2
INFO: log2_diff_max_min_transform_block_size : 3
INFO: max_transform_hierarchy_depth_inter : 4127
INFO: max_transform_hierarchy_depth_intra : 256255
INFO: scaling_list_enable_flag : 0
INFO: amp_enabled_flag                    : 0
INFO: sample_adaptive_offset_enabled_flag : 0
INFO: pcm_enabled_flag                    : 0
INFO: num_short_term_ref_pic_sets : 57
INFO: ref_pic_set[  0 ]: ................|XXXoX...........
INFO: ref_pic_set[  1 ]: ...............X|XoXX............
INFO: ref_pic_set[  2 ]: ..............oX|XXX.............
INFO: ref_pic_set[  3 ]: ...............X|XXXX............
INFO: ref_pic_set[  4 ]: ................|................
INFO: ref_pic_set[  5 ]: ...............X|................
INFO: ref_pic_set[  6 ]: ................|X...............
INFO: ref_pic_set[  7 ]: ...............o|................
INFO: ref_pic_set[  8 ]: ..............XX|................
INFO: ref_pic_set[  9 ]: ...............X|X...............
INFO: ref_pic_set[ 10 ]: ..............oX|................
INFO: ref_pic_set[ 11 ]: .............oXX|................
INFO: ref_pic_set[ 12 ]: ............oXXX|................
INFO: ref_pic_set[ 13 ]: ...........XoXXX|................
INFO: ref_pic_set[ 14 ]: ..........XXXoXX|................
INFO: ref_pic_set[ 15 ]: .......oXXXXXX..|................
INFO: ref_pic_set[ 16 ]: ......XXXXoXX..X|................
INFO: ref_pic_set[ 17 ]: .......XoXXXXX..|X...............
INFO: ref_pic_set[ 18 ]: ......XX..XX...o|................
INFO: ref_pic_set[ 19 ]: -23o Xo..oXo....Xo.oX|X...............
INFO: ref_pic_set[ 20 ]: ..........X..o..|................
INFO: ref_pic_set[ 21 ]: ................|................
INFO: ref_pic_set[ 22 ]: ..........X..o..|................
INFO: ref_pic_set[ 23 ]: ................|................
INFO: ref_pic_set[ 24 ]: ..........X..o..|................
INFO: ref_pic_set[ 25 ]: ................|................
INFO: ref_pic_set[ 26 ]: .............oX.|................
INFO: ref_pic_set[ 27 ]: .........X.X....|................
INFO: ref_pic_set[ 28 ]: 46o 43X 42X 39o 37X 26X 24X 23o ................|..Xo............
INFO: ref_pic_set[ 29 ]: 45X 42o 41o 38o 36X 23X ...............o|.X..............
INFO: ref_pic_set[ 30 ]: ...............X|Xo..............
INFO: ref_pic_set[ 31 ]: ............o.oX|................
INFO: ref_pic_set[ 32 ]: ...............X|................
INFO: ref_pic_set[ 33 ]: ...............o|................
INFO: ref_pic_set[ 34 ]: .........XX.....|................
INFO: ref_pic_set[ 35 ]: 80X oo.X.....oX.....|................
INFO: ref_pic_set[ 36 ]: 84o ....oo.X.....XX.|...X............
INFO: ref_pic_set[ 37 ]: 30X ................|oX...........X..
INFO: ref_pic_set[ 38 ]: 40X 37X 32X 26o 23o 22o 19X ..............oo|.............X..
INFO: ref_pic_set[ 39 ]: ...........X..X.|................
INFO: ref_pic_set[ 40 ]: ................|.....o..X.o.....
INFO: ref_pic_set[ 41 ]: ................|................
INFO: ref_pic_set[ 42 ]: ................|................
INFO: ref_pic_set[ 43 ]: 286X 285o 281X 280o 279X 278X 272X 261X 249X 246X 26X ................|o............o..
INFO: ref_pic_set[ 44 ]: .............o..|................
INFO: ref_pic_set[ 45 ]: XX..............|oXX.............
INFO: ref_pic_set[ 46 ]: o..............o|XX..............
INFO: ref_pic_set[ 47 ]: .X..............|XXo.............
INFO: ref_pic_set[ 48 ]: 33X 32X 30X ................|..............X.
INFO: ref_pic_set[ 49 ]: ..............o.|oX..............
INFO: ref_pic_set[ 50 ]: ............oo..|................
INFO: ref_pic_set[ 51 ]: AddressSanitizer:DEADLYSIGNAL
=================================================================
==1115==ERROR: AddressSanitizer: SEGV on unknown address 0x6f20000014f4 (pc 0x7f51a4116c20 bp 0x7fff5b19c200 sp 0x7fff5b19c100 T0)
==1115==The signal is caused by a READ memory access.
    #0 0x7f51a4116c1f in dump_compact_short_term_ref_pic_set(ref_pic_set const*, int, _IO_FILE*) /home/min/h.256/libde265/libde265/refpic.cc:418
    #1 0x7f51a414b904 in seq_parameter_set::dump(int) const /home/min/h.256/libde265/libde265/sps.cc:727
    #2 0x55f50f280abe in process_nal(NAL_unit*) /home/min/h.256/libde265/dec265/hdrcopy.cc:72
    #3 0x55f50f280d7d in main /home/min/h.256/libde265/dec265/hdrcopy.cc:112
    #4 0x7f51a3aa0082 in __libc_start_main ../csu/libc-start.c:308
    #5 0x55f50f2806ad in _start (/home/min/h.265/fuzzing/test/.libs/hdrcopy+0x46ad)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/min/h.256/libde265/libde265/refpic.cc:418 in dump_compact_short_term_ref_pic_set(ref_pic_set const*, int, _IO_FILE*)
==1115==ABORTING

Please check the attached PoC.

0dfd91904d999a9e52a8893982ccc7853c810800.zip

farindk commented 1 year ago

Thank you. Fixed with 7cb7ee341b29e26df471e02983bfc174d8e3010f