strukturag / libde265

Open h.265 video codec implementation.

NULL Pointer Dereference in vps.cc - video_parameter_set::dump #397

Closed skensita closed 1 year ago

skensita commented 1 year ago

Tested version: libde265 v1.0.11

Description of the bug: A NULL pointer dereference is triggered when processing a crafted HEVC file, which leads to a crash. This can be used for denial-of-service attacks.

Steps to reproduce the bug: Compile with AddressSanitizer (ASan): ./hdrcopy ./399315615161b1e80b3da839515110a894064833

AddressSanitizer log:

min@min-s-jang02:~/h.265/fuzzing/test$ ./hdrcopy classifiedCrashes/399315615161b1e80b3da839515110a894064833
NAL: 0x40 0x1 -  unit type:VPS temporal id:0
INFO: ----------------- VPS -----------------
INFO: video_parameter_set_id                : 0
INFO: vps_max_layers                        : 1
INFO: vps_max_sub_layers                    : 1
INFO: vps_temporal_id_nesting_flag          : 1
INFO:   general_profile_space     : 0
INFO:   general_tier_flag         : 0
INFO:   general_profile_idc       : Main
INFO:   general_profile_compatibility_flags: 0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
INFO:     general_progressive_source_flag : 1
INFO:     general_interlaced_source_flag : 0
INFO:     general_non_packed_constraint_flag : 0
INFO:     general_frame_only_constraint_flag : 1
INFO:   general_level_idc         : 63 (2.10)
INFO: vps_sub_layer_ordering_info_present_flag : 1
INFO: layer 0: vps_max_dec_pic_buffering = 4
INFO:          vps_max_num_reorder_pics  = 2
INFO:          vps_max_latency_increase  = 5
INFO: vps_max_layer_id   = 0
INFO: vps_num_layer_sets = 2047
AddressSanitizer:DEADLYSIGNAL
=================================================================
==26293==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x7ff8f2baff6d bp 0x7ffec3d463f0 sp 0x7ffec3d463e0 T0)
==26293==The signal is caused by a READ memory access.
==26293==Hint: address points to the zero page.
    #0 0x7ff8f2baff6c in std::vector<char, std::allocator<char> >::operator[](unsigned long) const /usr/include/c++/9/bits/stl_vector.h:1061
    #1 0x7ff8f2baf176 in video_parameter_set::dump(int) const /home/min/h.256/libde265/libde265/vps.cc:491
    #2 0x558a58879a6b in process_nal(NAL_unit*) /home/min/h.256/libde265/dec265/hdrcopy.cc:65
    #3 0x558a58879d7d in main /home/min/h.256/libde265/dec265/hdrcopy.cc:112
    #4 0x7ff8f24ec082 in __libc_start_main ../csu/libc-start.c:308
    #5 0x558a588796ad in _start (/home/min/h.265/fuzzing/test/.libs/hdrcopy+0x46ad)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/include/c++/9/bits/stl_vector.h:1061 in std::vector<char, std::allocator<char> >::operator[](unsigned long) const
==26293==ABORTING

Please check the attached PoC.

399315615161b1e80b3da839515110a894064833.zip

SchrodingersMind commented 1 year ago

These are problems with hdrcopy, not the library itself. hdrcopy.cc:64 should handle the errors returned by vps.read before vps.dump.

skensita commented 1 year ago

I agree with you. Please close this issue.
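Added example (not code from libde265 or from anyone in this thread): a self-contained C++ model of the failure mode the thread settles on. A parser returns an error part-way through a parameter set, leaving its tables unsized, and a caller dumps the half-parsed structure anyway. The stack trace above fits that reading: frame #0 is std::vector<char>::operator[] faulting on address 0x18, which is what indexing element 1 of an empty vector-of-vectors looks like on 64-bit libstdc++ (outer data pointer is null, each inner vector is 24 bytes, and operator[] then reads the inner begin pointer at 0x18). Everything below is assumed for illustration: the BitReader, the ToyVPS syntax (a cut-down vps_max_layer_id / vps_num_layer_sets_minus1 / layer_id_included_flag tail), the kMaxLayerSets cap, the process_unchecked / process_checked functions, and the two constructed byte buffers. dump() uses at() so the inconsistency shows up as a catchable std::out_of_range rather than the SEGV in the log.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

// Minimal MSB-first bit reader over a byte buffer (a stand-in, not libde265's bitreader).
struct BitReader {
  const std::vector<uint8_t>& buf;
  size_t pos = 0;  // current bit position
  explicit BitReader(const std::vector<uint8_t>& b) : buf(b) {}
  size_t bits_left() const { return buf.size() * 8 - pos; }
  // Refuses to read past the end instead of returning garbage.
  bool get_bits(int n, uint32_t& out) {
    if (n > (int)bits_left()) return false;
    out = 0;
    for (int i = 0; i < n; i++, pos++)
      out = (out << 1) | ((buf[pos / 8] >> (7 - pos % 8)) & 1u);
    return true;
  }
};

enum class Err { Ok, Truncated, OutOfRange };

// Toy parameter set: vps_max_layer_id u(6), vps_num_layer_sets_minus1 u(10),
// then layer_id_included_flag[i][j] u(1) for i in 1..num_layer_sets-1, j in 0..max_layer_id.
struct ToyVPS {
  static constexpr int kMaxLayerSets = 64;  // assumed implementation cap, not a spec limit
  int vps_max_layer_id = 0;
  int vps_num_layer_sets = 0;
  std::vector<std::vector<char>> layer_id_included_flag;

  Err read(BitReader& br) {
    uint32_t v = 0;
    if (!br.get_bits(6, v)) return Err::Truncated;
    vps_max_layer_id = (int)v;
    if (!br.get_bits(10, v)) return Err::Truncated;
    vps_num_layer_sets = (int)v + 1;
    // Bail out BEFORE sizing the table: the header fields are set, the table is empty.
    if (vps_num_layer_sets > kMaxLayerSets) return Err::OutOfRange;
    layer_id_included_flag.assign((size_t)vps_num_layer_sets,
                                  std::vector<char>((size_t)(vps_max_layer_id + 1), '\0'));
    for (int i = 1; i < vps_num_layer_sets; i++)
      for (int j = 0; j <= vps_max_layer_id; j++) {
        if (!br.get_bits(1, v)) return Err::Truncated;
        layer_id_included_flag[i][j] = (char)v;
      }
    return Err::Ok;
  }

  // Written for a successfully parsed structure: it trusts the header-declared counts.
  // at() turns the inconsistency into std::out_of_range instead of a wild read.
  void dump() const {
    std::printf("vps_max_layer_id   = %d\n", vps_max_layer_id);
    std::printf("vps_num_layer_sets = %d\n", vps_num_layer_sets);
    for (int i = 1; i < vps_num_layer_sets; i++)
      for (int j = 0; j <= vps_max_layer_id; j++)
        std::printf("layer_id_included_flag[%d][%d] = %d\n", i, j,
                    layer_id_included_flag.at(i).at(j));
  }
};

// The pattern the thread points at: parse, discard the result, dump.
bool process_unchecked(const std::vector<uint8_t>& nal) {
  BitReader br(nal);
  ToyVPS vps;
  vps.read(br);  // error ignored
  vps.dump();
  return true;
}

// True when the unchecked path blows up on this input.
bool unchecked_crashes(const std::vector<uint8_t>& nal) {
  try { process_unchecked(nal); } catch (const std::out_of_range&) { return true; }
  return false;
}

// The fix the thread agrees on: only dump a parameter set that parsed cleanly.
bool process_checked(const std::vector<uint8_t>& nal) {
  BitReader br(nal);
  ToyVPS vps;
  Err e = vps.read(br);
  if (e != Err::Ok) {
    std::fprintf(stderr, "VPS rejected (error %d), not dumping\n", (int)e);
    return false;
  }
  vps.dump();
  return true;
}

// Constructed inputs (not the issue's PoC).
// Good: max_layer_id=1, num_layer_sets_minus1=1, flags (1,0), padding -> parses cleanly.
const std::vector<uint8_t> kGoodVPS = {0x04, 0x01, 0x80};
// Crafted: max_layer_id=0, num_layer_sets_minus1=1023 -> 1024 layer sets, over the cap.
const std::vector<uint8_t> kCraftedVPS = {0x03, 0xFF};

int main() {
  std::printf("checked(good)      = %d\n", process_checked(kGoodVPS));
  std::printf("checked(crafted)   = %d\n", process_checked(kCraftedVPS));
  std::printf("unchecked crashes  = %d\n", unchecked_crashes(kCraftedVPS));
  return 0;
}
```

The point to carry back to a real caller: a read() that returns an error code has not promised anything about the object's contents, so every consumer of the object (dump, copy into the decoder context, later cross-checks against the SPS) must sit behind the check, not just the decode path.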