strukturag / libde265

Open h.265 video codec implementation.

NULL Pointer Dereference in sps.cc - seq_parameter_set::dump #400

Status: Closed (skensita closed this 1 year ago)

skensita commented 1 year ago

Tested version: libde265 v1.0.11

Description of the bug: A NULL pointer dereference is triggered when processing a crafted HEVC file, which leads to a crash. This can be used for denial-of-service attacks.

Steps to reproduce the bug: compile with AddressSanitizer (ASan), then run `./hdrcopy ./874f14058752479b6d03a72ce78664b74914ad99`

AddressSanitizer log:

```
min@min-s-jang02:~/h.265/fuzzing/test$ ./hdrcopy classifiedCrashes/874f14058752479b6d03a72ce78664b74914ad99
NAL: 0x42 0x17 -  unit type:SPS temporal id:6
SPS error: transform hierarchy depth (inter) > CTB size - min TB size
INFO: ----------------- SPS -----------------
INFO: video_parameter_set_id  : 0
INFO: sps_max_sub_layers      : 1
INFO: sps_temporal_id_nesting_flag : 1
INFO:   general_profile_space     : 0
INFO:   general_tier_flag         : 0
INFO:   general_profile_idc       : Main
INFO:   general_profile_compatibility_flags: 0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
INFO:     general_progressive_source_flag : 1
INFO:     general_interlaced_source_flag : 0
INFO:     general_non_packed_constraint_flag : 0
INFO:     general_frame_only_constraint_flag : 1
INFO:   general_level_idc         : 63 (2.10)
INFO: seq_parameter_set_id    : 0
INFO: chroma_format_idc       : 1 (4:2:0)
INFO: pic_width_in_luma_samples  : 640
INFO: pic_height_in_luma_samples : 360
INFO: conformance_window_flag    : 0
INFO: bit_depth_luma   : 8
INFO: bit_depth_chroma : 8
INFO: log2_max_pic_order_cnt_lsb : 8
INFO: sps_sub_layer_ordering_info_present_flag : 1
INFO: Layer 0
INFO:   sps_max_dec_pic_buffering      : 13
INFO:   sps_max_num_reorder_pics       : 0
INFO:   sps_max_latency_increase_plus1 : 5
INFO: log2_min_luma_coding_block_size : 3
INFO: log2_diff_max_min_luma_coding_block_size : 3
INFO: log2_min_transform_block_size   : 2
INFO: log2_diff_max_min_transform_block_size : 3
INFO: max_transform_hierarchy_depth_inter : 4127
INFO: max_transform_hierarchy_depth_intra : 256255
INFO: scaling_list_enable_flag : 0
INFO: amp_enabled_flag                    : 0
INFO: sample_adaptive_offset_enabled_flag : 0
INFO: pcm_enabled_flag                    : 0
INFO: num_short_term_ref_pic_sets : 57
INFO: ref_pic_set[  0 ]: ................|XXXoX...........
INFO: ref_pic_set[  1 ]: ...............X|XoXX............
INFO: ref_pic_set[  2 ]: ..............oX|XXX.............
INFO: ref_pic_set[  3 ]: ...............X|XXXX............
INFO: ref_pic_set[  4 ]: ................|................
INFO: ref_pic_set[  5 ]: ...............X|................
INFO: ref_pic_set[  6 ]: ................|X...............
INFO: ref_pic_set[  7 ]: ...............o|................
INFO: ref_pic_set[  8 ]: ..............XX|................
INFO: ref_pic_set[  9 ]: ...............X|X...............
INFO: ref_pic_set[ 10 ]: ..............oX|................
INFO: ref_pic_set[ 11 ]: .............XXX|................
INFO: ref_pic_set[ 12 ]: ..............XX|o...............
INFO: ref_pic_set[ 13 ]: .............XXo|................
INFO: ref_pic_set[ 14 ]: ............XXXo|................
INFO: ref_pic_set[ 15 ]: ...........oXXXX|................
INFO: ref_pic_set[ 16 ]: ........XXXXoX..|................
INFO: ref_pic_set[ 17 ]: .........XXXXXX.|o...............
INFO: ref_pic_set[ 18 ]: ........XXoXXX.X|................
INFO: ref_pic_set[ 19 ]: ............oXXX|................
INFO: ref_pic_set[ 20 ]: .............Xoo|X...............
INFO: ref_pic_set[ 21 ]: ...........o....|Xo..............
INFO: ref_pic_set[ 22 ]: ................|................
INFO: ref_pic_set[ 23 ]: ................|................
INFO: ref_pic_set[ 24 ]: ..........X..o..|................
INFO: ref_pic_set[ 25 ]: .........X..X..X|................
INFO: ref_pic_set[ 26 ]: ........X..X..XX|................
INFO: ref_pic_set[ 27 ]: .......X..X..XXX|................
INFO: ref_pic_set[ 28 ]: ......X..X..XXXX|................
INFO: ref_pic_set[ 29 ]: .....X..X..XXXXX|................
INFO: ref_pic_set[ 30 ]: ....X..X..XXXXXX|................
INFO: ref_pic_set[ 31 ]: ...X..X..XXXXXXX|................
INFO: ref_pic_set[ 32 ]: 255X 254X 253X 252X 251X 250X 249X 248X 245X 242X ................|................
INFO: ref_pic_set[ 33 ]: 254X 253X 252X 251X 250X 249X 248X 247X 244X 241X ...............X|................
INFO: ref_pic_set[ 34 ]: 253X 252X 251X 250X 249X 248X 247X 246X 243X 240X ..............XX|................
INFO: ref_pic_set[ 35 ]: 252X 251X 250X 249X 248X 247X 246X 245X 242X 239X .............XXX|................
INFO: ref_pic_set[ 36 ]: 266X 265X 264X 263X 262X 261X 260X 259X 256X ................|.............X..
INFO: ref_pic_set[ 37 ]: 265X 264X 263X 262X 261X 260X 259X 258X 255X ...............X|............X...
INFO: ref_pic_set[ 38 ]: 264X 263X 262X 261X 260X 259X 258X 257X 254X ..............XX|...........X....
INFO: ref_pic_set[ 39 ]: 267X 266X 265o 264X 263X 257X ................|................
INFO: ref_pic_set[ 40 ]: 264X 263o 262X 260X 254X .............o..|................
INFO: ref_pic_set[ 41 ]: ................|................
INFO: ref_pic_set[ 42 ]: ................|................
INFO: ref_pic_set[ 43 ]: ................|................
INFO: ref_pic_set[ 44 ]: .............o..|................
INFO: ref_pic_set[ 45 ]: ...........X..X.|................
INFO: ref_pic_set[ 46 ]: 27o 25X 22X ................|................
INFO: ref_pic_set[ 47 ]: 21X 18X ................|................
INFO: ref_pic_set[ 48 ]: 22o 19X ................|X...............
INFO: ref_pic_set[ 49 ]: -30o -28o -27X -26o -21X XX....o.....o..X|X...............
INFO: ref_pic_set[ 50 ]: -27X -25X -24o -23X -18X ...............X|..oX............
INFO: ref_pic_set[ 51 ]: -77o -74X -73X -51X -46X ................|................
INFO: ref_pic_set[ 52 ]: X...........ooX.|................
AddressSanitizer:DEADLYSIGNAL
=================================================================
==15097==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f75885f407a bp 0x7ffe139eaac0 sp 0x7ffe139eaab0 T0)
==15097==The signal is caused by a READ memory access.
==15097==Hint: address points to the zero page.
    #0 0x7f75885f4079 in std::vector<ref_pic_set, std::allocator<ref_pic_set> >::size() const /usr/include/c++/9/bits/stl_vector.h:916
    #1 0x7f75886288ad in seq_parameter_set::dump(int) const /home/min/h.256/libde265/libde265/sps.cc:725
    #2 0x55c91dadfabe in process_nal(NAL_unit*) /home/min/h.256/libde265/dec265/hdrcopy.cc:72
    #3 0x55c91dadfd7d in main /home/min/h.256/libde265/dec265/hdrcopy.cc:112
    #4 0x7f7587f7d082 in __libc_start_main ../csu/libc-start.c:308
    #5 0x55c91dadf6ad in _start (/home/min/h.265/fuzzing/test/.libs/hdrcopy+0x46ad)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/include/c++/9/bits/stl_vector.h:916 in std::vector<ref_pic_set, std::allocator<ref_pic_set> >::size() const
==15097==ABORTING
```

Please check the attached POC.

874f14058752479b6d03a72ce78664b74914ad99.zip
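Added illustration, not libde265 code and not a claim about the exact root cause the maintainer's fix addresses: the trace above shows `std::vector<ref_pic_set>::size()` reached through a null pointer from `seq_parameter_set::dump()`, after the SPS parser had already printed `SPS error: transform hierarchy depth (inter) > CTB size - min TB size`. The constructed C++ below reproduces that defect class with hypothetical names (`SeqParamSet`, `parse_sps`, `dump_unchecked`, `dump_checked`, `process_sps_nal`): a parse that returns early leaves a container pointer unset, an unchecked dump dereferences it, and the two mitigations are shown side by side (the dump validates parse state before walking the structure, and the caller never dumps a parameter set whose parse failed). The sample values 6, 2 and 4127 are taken from the log (log2 CTB size 3+3, log2 min TB size 2, depth_inter 4127); the three-entry ref_pic_set table is constructed.

```cpp
#include <cstdio>
#include <vector>

// Constructed illustration of the failure class in the trace above: a
// parameter-set parse that bails out early leaves a container pointer
// unset, and a dump routine then calls size() through that null pointer.
// Names and layout are hypothetical; they are not libde265's.

struct RefPicSet {
    int num_negative_pics;
    int num_positive_pics;
};

enum class SpsStatus { NotParsed, Ok, InvalidTransformDepth };

struct SeqParamSet {
    int log2_ctb_size = 0;
    int log2_min_tb_size = 0;
    int max_transform_hierarchy_depth_inter = 0;
    // Hypothetical: only attached once the header validated, so it stays
    // null when the parse returned early with an error.
    const std::vector<RefPicSet>* ref_pic_sets = nullptr;
    SpsStatus status = SpsStatus::NotParsed;
};

// Simulated header parse. The three integers stand in for syntax elements
// a real decoder reads from the bitstream; `storage` stands in for the
// decoder-owned table the SPS points at after a successful parse.
SpsStatus parse_sps(SeqParamSet& sps, int log2_ctb_size, int log2_min_tb_size,
                    int depth_inter, const std::vector<RefPicSet>& storage)
{
    sps.log2_ctb_size = log2_ctb_size;
    sps.log2_min_tb_size = log2_min_tb_size;
    sps.max_transform_hierarchy_depth_inter = depth_inter;

    // The range check whose message appears in the log: the transform
    // hierarchy depth may not exceed log2(CTB size) - log2(min TB size).
    if (depth_inter > log2_ctb_size - log2_min_tb_size) {
        sps.status = SpsStatus::InvalidTransformDepth;
        return sps.status;          // early return: ref_pic_sets never set
    }
    sps.ref_pic_sets = &storage;
    sps.status = SpsStatus::Ok;
    return sps.status;
}

// Dump written the unsafe way: it assumes the parse completed and reaches
// size() through a pointer that is null on the error path. Only ever call
// it with a successfully parsed SPS (see the two guards below).
size_t dump_unchecked(const SeqParamSet& sps)
{
    size_t n = sps.ref_pic_sets->size();   // SEGV at address 0 if null
    for (size_t i = 0; i < n; i++)
        std::printf("ref_pic_set[%3zu]: neg=%d pos=%d\n", i,
                    (*sps.ref_pic_sets)[i].num_negative_pics,
                    (*sps.ref_pic_sets)[i].num_positive_pics);
    return n;
}

// Hardened dump: refuses to walk an SPS whose parse did not complete and
// treats a missing table as empty rather than dereferencing it.
// Returns -1 for "not dumpable", otherwise the number of sets printed.
long dump_checked(const SeqParamSet& sps)
{
    if (sps.status != SpsStatus::Ok) {
        std::printf("SPS not dumped: parse failed (status %d)\n", (int)sps.status);
        return -1;
    }
    if (sps.ref_pic_sets == nullptr) return 0;
    return (long)dump_unchecked(sps);
}

// Caller-side guard, in the position process_nal() holds in the trace:
// check the parse result before dumping. Returns true when the SPS was dumped.
bool process_sps_nal(int log2_ctb_size, int log2_min_tb_size, int depth_inter,
                     const std::vector<RefPicSet>& storage)
{
    SeqParamSet sps;
    if (parse_sps(sps, log2_ctb_size, log2_min_tb_size, depth_inter, storage) != SpsStatus::Ok)
        return false;               // never dump a half-initialised SPS
    return dump_checked(sps) >= 0;
}

int main()
{
    // Constructed table standing in for the decoder's ref_pic_set storage.
    const std::vector<RefPicSet> table = {{1, 0}, {2, 1}, {1, 1}};

    // Values from the log: log2 CTB = 3 + 3 = 6, log2 min TB = 2, so the
    // limit is 4 and a depth of 4127 must be rejected before any dump.
    std::printf("crafted header dumped: %s\n",
                process_sps_nal(6, 2, 4127, table) ? "yes" : "no");
    std::printf("valid header dumped:   %s\n",
                process_sps_nal(6, 2, 3, table) ? "yes" : "no");
    return 0;
}
```

Either guard on its own is enough to turn the crash into a logged, non-fatal error; keeping both means a future caller that forgets to check the parse result still cannot drive the dump into a null dereference. Built with `-fsanitize=address`, the same input that crashes `dump_unchecked` produces only the "SPS not dumped" line here.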

farindk commented 1 year ago

Thank you. Fixed with 7cb7ee341b29e26df471e02983bfc174d8e3010f