strukturag / libde265

Open h.265 video codec implementation.

NULL Pointer Dereference in util.cc - log2fh #398

Closed skensita closed 1 year ago

skensita commented 1 year ago

Tested version: libde265 v1.0.11

Description of the bug: NULL Pointer Dereference is triggered when processing a crafted hevc file, which leads to a crash. This can be used for denial of service attacks.

Steps to reproduce the bug: Compile with Address Sanitizer (ASan): ./hdrcopy ./742a99d46dbc43328cc37e580d67578484ba8ae1

Address Sanitizer log:

min@min-s-jang02:~/h.265/fuzzing/test$ ./hdrcopy classifiedCrashes/742a99d46dbc43328cc37e580d67578484ba8ae1
NAL: 0x42 0x17 -  unit type:SPS temporal id:6
INFO: ----------------- SPS -----------------
INFO: video_parameter_set_id  : 0
INFO: sps_max_sub_layers      : 1
INFO: sps_temporal_id_nesting_flag : 1
INFO:   general_profile_space     : 0
INFO:   general_tier_flag         : 0
INFO:   general_profile_idc       : Main
INFO:   general_profile_compatibility_flags: 0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
INFO:     general_progressive_source_flag : 1
INFO:     general_interlaced_source_flag : 0
INFO:     general_non_packed_constraint_flag : 0
INFO:     general_frame_only_constraint_flag : 1
INFO:   general_level_idc         : 63 (2.10)
INFO: seq_parameter_set_id    : 0
INFO: chroma_format_idc       : 1 (4:2:0)
INFO: pic_width_in_luma_samples  : 640
INFO: pic_height_in_luma_samples : 360
INFO: conformance_window_flag    : 0
INFO: bit_depth_luma   : 8
INFO: bit_depth_chroma : 8
INFO: log2_max_pic_order_cnt_lsb : 8
INFO: sps_sub_layer_ordering_info_present_flag : 1
INFO: Layer 0
INFO:   sps_max_dec_pic_buffering      : 13
INFO:   sps_max_num_reorder_pics       : 0
INFO:   sps_max_latency_increase_plus1 : 5
INFO: log2_min_luma_coding_block_size : 3
INFO: log2_diff_max_min_luma_coding_block_size : 3
INFO: log2_min_transform_block_size   : 2
INFO: log2_diff_max_min_transform_block_size : 3
INFO: max_transform_hierarchy_depth_inter : 4127
INFO: max_transform_hierarchy_depth_intra : 256255
INFO: scaling_list_enable_flag : 0
INFO: amp_enabled_flag                    : 0
INFO: sample_adaptive_offset_enabled_flag : 0
INFO: pcm_enabled_flag                    : 0
INFO: num_short_term_ref_pic_sets : 57
INFO: ref_pic_set[  0 ]: ................|XXXoX...........
INFO: ref_pic_set[  1 ]: ...............X|XoXX............
INFO: ref_pic_set[  2 ]: ..............oX|XXX.............
INFO: ref_pic_set[  3 ]: ...............X|XXXX............
INFO: ref_pic_set[  4 ]: ................|................
INFO: ref_pic_set[  5 ]: ...............X|................
INFO: ref_pic_set[  6 ]: ................|X...............
INFO: ref_pic_set[  7 ]: ...............o|................
INFO: ref_pic_set[  8 ]: ..............XX|................
INFO: ref_pic_set[  9 ]: ...............X|X...............
INFO: ref_pic_set[ 10 ]: ..............oX|................
INFO: ref_pic_set[ 11 ]: .............oXX|................
INFO: ref_pic_set[ 12 ]: ............oXXX|................
INFO: ref_pic_set[ 13 ]: ...........XoXXX|................
INFO: ref_pic_set[ 14 ]: ..........XXXoXX|................
INFO: ref_pic_set[ 15 ]: .......oXXXXXX..|................
INFO: ref_pic_set[ 16 ]: ......XXXXoXX..X|................
INFO: ref_pic_set[ 17 ]: .......XoXXXXX..|X...............
INFO: ref_pic_set[ 18 ]: ....oXXoooX.....|................
INFO: ref_pic_set[ 19 ]: .....X.XXooX....|................
INFO: ref_pic_set[ 20 ]: X.X.XXo....o....|................
INFO: ref_pic_set[ 21 ]: ................|................
INFO: ref_pic_set[ 22 ]: -31X -28o -25X -22o -19X o..X..o..X..o..X|................
INFO: ref_pic_set[ 23 ]: ................|................
INFO: ref_pic_set[ 24 ]: .............oX.|................
INFO: ref_pic_set[ 25 ]: .........X.X....|................
INFO: ref_pic_set[ 26 ]: 46o 43X 42X 39o 37X 26X 24X 23o ................|..Xo............
INFO: ref_pic_set[ 27 ]: 45X 42o 41o 38o 36X 23X ...............o|.X..............
INFO: ref_pic_set[ 28 ]: 31o 27X 24o 23X 19X ...............o|.....X.oX...XoXX
INFO: ref_pic_set[ 29 ]: -83o -82o -59X -58o -57o -32o -31X -30o -29X ..............o.|..........o.....
INFO: ref_pic_set[ 30 ]: -82o -81o -58X -56X -31X -28o ...............X|...........X....
INFO: ref_pic_set[ 31 ]: ..............XX|................
INFO: ref_pic_set[ 32 ]: ................|XXX.............
INFO: ref_pic_set[ 33 ]: ...............X|................
INFO: ref_pic_set[ 34 ]: ................|................
INFO: ref_pic_set[ 35 ]: ...............X|................
INFO: ref_pic_set[ 36 ]: ........XX.....X|................
INFO: ref_pic_set[ 37 ]: 80X oo.X.....oX.....|................
INFO: ref_pic_set[ 38 ]: 84o ....oo.X.....XX.|...X............
INFO: ref_pic_set[ 39 ]: 30o ................|oX...........X..
INFO: ref_pic_set[ 40 ]: 36X 31X 25X 24X 23o 22o 19X ..............oo|.............X..
INFO: ref_pic_set[ 41 ]: ................|................
INFO: ref_pic_set[ 42 ]: ................|..X.............
INFO: ref_pic_set[ 43 ]: ................|X...............
INFO: ref_pic_set[ 44 ]: -23o -22o ................|................
INFO: ref_pic_set[ 45 ]: ................|................
INFO: ref_pic_set[ 46 ]: ................|................
INFO: ref_pic_set[ 47 ]: 285o 284o 283X 282o 281o 280X 272X 261X 249X 246X 26X ................|o............o..
INFO: ref_pic_set[ 48 ]: 285o 284X 283o 281X 273o 262X 250X 27X ................|.X............o.
INFO: ref_pic_set[ 49 ]: ..............X.|................
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1912==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fc2556f68a6 bp 0x7ffcdc586f80 sp 0x7ffcdc586a10 T0)
==1912==The signal is caused by a READ memory access.
==1912==Hint: address points to the zero page.
    #0 0x7fc2556f68a5 in __vfprintf_internal /build/glibc-SzIz7B/glibc-2.31/stdio-common/vfprintf-internal.c:1320
    #1 0x7fc255ec4f88 in __interceptor_vfprintf ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1604
    #2 0x7fc255d5f97f in log2fh(_IO_FILE*, char const*, ...) /home/min/h.256/libde265/libde265/util.cc:174
    #3 0x7fc255d4f8d2 in seq_parameter_set::dump(int) const /home/min/h.256/libde265/libde265/sps.cc:726
    #4 0x55d51a1a3abe in process_nal(NAL_unit*) /home/min/h.256/libde265/dec265/hdrcopy.cc:72
    #5 0x55d51a1a3d7d in main /home/min/h.256/libde265/dec265/hdrcopy.cc:112
    #6 0x7fc2556a4082 in __libc_start_main ../csu/libc-start.c:308
    #7 0x55d51a1a36ad in _start (/home/min/h.265/fuzzing/test/.libs/hdrcopy+0x46ad)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-SzIz7B/glibc-2.31/stdio-common/vfprintf-internal.c:1320 in __vfprintf_internal
==1912==ABORTING

Please check the attached POC.

742a99d46dbc43328cc37e580d67578484ba8ae1.zip
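Added example, not libde265 code: the SPS values hdrcopy printed above, checked against the range constraints of H.265 clause 7.4.3.2.1. With CtbLog2SizeY = 6 and MinTbLog2SizeY = 2, both transform-hierarchy depths (4127 and 256255) are far outside the legal 0..4, so a parser that enforced these bounds would reject the SPS before any dump or decode step ran on it. The struct and function names are hypothetical; the issue itself does not state the root cause of the crash.

```c
#include <stddef.h>

/* Subset of the SPS fields hdrcopy printed in the report above.
   Hypothetical struct for this example; not libde265's seq_parameter_set. */
struct sps_fields {
    int log2_min_luma_coding_block_size;          /* MinCbLog2SizeY */
    int log2_diff_max_min_luma_coding_block_size;
    int log2_min_transform_block_size;            /* MinTbLog2SizeY */
    int log2_diff_max_min_transform_block_size;
    int max_transform_hierarchy_depth_inter;
    int max_transform_hierarchy_depth_intra;
    int num_short_term_ref_pic_sets;
};

/* Values constructed from the ASan log above (hdrcopy prints the decoded
   field values, not the _minusN syntax elements). */
struct sps_fields sps_from_report(void)
{
    struct sps_fields s = { 3, 3, 2, 3, 4127, 256255, 57 };
    return s;
}

/* Applies the H.265 7.4.3.2.1 range constraints a conforming decoder must
   enforce before using an SPS. Returns the number of violated constraints and,
   through `why`, the first violation (NULL when everything passes). */
int sps_check(const struct sps_fields *s, const char **why)
{
    int bad = 0;
    const char *first = NULL;
    int ctb_log2 = s->log2_min_luma_coding_block_size
                 + s->log2_diff_max_min_luma_coding_block_size;      /* CtbLog2SizeY */
    int min_tb = s->log2_min_transform_block_size;
    int max_tb = min_tb + s->log2_diff_max_min_transform_block_size; /* MaxTbLog2SizeY */
    int max_depth = ctb_log2 - min_tb;  /* upper bound for both hierarchy depths */
#define CHECK(ok, msg) do { if (!(ok)) { bad++; if (!first) first = (msg); } } while (0)
    CHECK(min_tb >= 2 && min_tb < s->log2_min_luma_coding_block_size,
          "MinTbLog2SizeY must be >= 2 and < MinCbLog2SizeY");
    CHECK(max_tb <= 5 && max_tb <= ctb_log2,
          "MaxTbLog2SizeY must be <= Min(CtbLog2SizeY, 5)");
    CHECK(s->max_transform_hierarchy_depth_inter >= 0 &&
          s->max_transform_hierarchy_depth_inter <= max_depth,
          "max_transform_hierarchy_depth_inter outside 0..CtbLog2SizeY-MinTbLog2SizeY");
    CHECK(s->max_transform_hierarchy_depth_intra >= 0 &&
          s->max_transform_hierarchy_depth_intra <= max_depth,
          "max_transform_hierarchy_depth_intra outside 0..CtbLog2SizeY-MinTbLog2SizeY");
    CHECK(s->num_short_term_ref_pic_sets >= 0 && s->num_short_term_ref_pic_sets <= 64,
          "num_short_term_ref_pic_sets outside 0..64");
#undef CHECK
    if (why) *why = first;
    return bad;
}
```

Running sps_check on sps_from_report() reports two violations (both hierarchy depths); a fuzzing harness or decoder can refuse the SPS at that point instead of carrying the values further.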

farindk commented 1 year ago

As mentioned in #399, PR #402 also fixes this.