Description of the bug:
A NULL pointer dereference is triggered when processing a crafted HEVC file, which leads to a crash.
This can be used for denial of service attacks.
Steps to reproduce the bug:
Compile with Address Sanitizer (ASan):
./hdrcopy ./399315615161b1e80b3da839515110a894064833
Address Sanitizer log:
min@min-s-jang02:~/h.265/fuzzing/test$ ./hdrcopy classifiedCrashes/399315615161b1e80b3da839515110a894064833
NAL: 0x40 0x1 - unit type:VPS temporal id:0
INFO: ----------------- VPS -----------------
INFO: video_parameter_set_id : 0
INFO: vps_max_layers : 1
INFO: vps_max_sub_layers : 1
INFO: vps_temporal_id_nesting_flag : 1
INFO: general_profile_space : 0
INFO: general_tier_flag : 0
INFO: general_profile_idc : Main
INFO: general_profile_compatibility_flags: 0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
INFO: general_progressive_source_flag : 1
INFO: general_interlaced_source_flag : 0
INFO: general_non_packed_constraint_flag : 0
INFO: general_frame_only_constraint_flag : 1
INFO: general_level_idc : 63 (2.10)
INFO: vps_sub_layer_ordering_info_present_flag : 1
INFO: layer 0: vps_max_dec_pic_buffering = 4
INFO: vps_max_num_reorder_pics = 2
INFO: vps_max_latency_increase = 5
INFO: vps_max_layer_id = 0
INFO: vps_num_layer_sets = 2047
AddressSanitizer:DEADLYSIGNAL
=================================================================
==26293==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x7ff8f2baff6d bp 0x7ffec3d463f0 sp 0x7ffec3d463e0 T0)
==26293==The signal is caused by a READ memory access.
==26293==Hint: address points to the zero page.
#0 0x7ff8f2baff6c in std::vector<char, std::allocator<char> >::operator[](unsigned long) const /usr/include/c++/9/bits/stl_vector.h:1061
#1 0x7ff8f2baf176 in video_parameter_set::dump(int) const /home/min/h.256/libde265/libde265/vps.cc:491
#2 0x558a58879a6b in process_nal(NAL_unit*) /home/min/h.256/libde265/dec265/hdrcopy.cc:65
#3 0x558a58879d7d in main /home/min/h.256/libde265/dec265/hdrcopy.cc:112
#4 0x7ff8f24ec082 in __libc_start_main ../csu/libc-start.c:308
#5 0x558a588796ad in _start (/home/min/h.265/fuzzing/test/.libs/hdrcopy+0x46ad)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/include/c++/9/bits/stl_vector.h:1061 in std::vector<char, std::allocator<char> >::operator[](unsigned long) const
==26293==ABORTING
Tested version: libde265 v1.0.11
Please check the attached POC.
399315615161b1e80b3da839515110a894064833.zip