strukturag / libde265

Open h.265 video codec implementation.

global-buffer-overflow in read_coding_unit #432

Closed fdu-sec closed 11 months ago

fdu-sec commented 11 months ago

Description

global-buffer-overflow libde265/libde265/slice.cc:4493 in read_coding_unit(thread_context*, int, int, int, int)

Version

 dec265  v1.0.14
-----------------
usage: dec265 [options] videofile.bin
The video file must be a raw bitstream, or a stream with NAL units (option -n).

options:
  -q, --quiet       do not show decoded image
  -t, --threads N   set number of worker threads (0 - no threading)
  -c, --check-hash  perform hash check
  -n, --nal         input is a stream with 4-byte length prefixed NAL units
  -f, --frames N    set number of frames to process
  -o, --output      write YUV reconstruction
  -d, --dump        dump headers
  -0, --noaccel     do not use any accelerated code (SSE)
  -v, --verbose     increase verbosity level (up to 3 times)
  -L, --no-logging  disable logging
  -B, --write-bytestream FILENAME  write raw bytestream (from NAL input)
  -m, --measure YUV compute PSNRs relative to reference YUV
  -T, --highest-TID select highest temporal sublayer to decode
      --disable-deblocking   disable deblocking filter
      --disable-sao          disable sample-adaptive offset filter
  -h, --help        show help

Replay

cd libde265
CC="gcc -fsanitize=address" CXX="g++ -fsanitize=address" ./configure
make -j
./dec265/dec265 ./poc

ASAN

==1753516==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f6e8318665e at pc 0x7f6e83139f09 bp 0x7fffda7f3620 sp 0x7fffda7f3610
READ of size 1 at 0x7f6e8318665e thread T0
    #0 0x7f6e83139f08 in read_coding_unit(thread_context*, int, int, int, int) libde265/libde265/slice.cc:4493
    #1 0x7f6e8313abda in read_coding_quadtree(thread_context*, int, int, int, int) libde265/libde265/slice.cc:4650
    #2 0x7f6e8313b941 in decode_substream(thread_context*, bool, bool) libde265/libde265/slice.cc:4750
    #3 0x7f6e8313d29d in read_slice_segment_data(thread_context*) libde265/libde265/slice.cc:5063
    #4 0x7f6e830ca881 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) libde265/libde265/decctx.cc:854
    #5 0x7f6e830cca4d in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) libde265/libde265/decctx.cc:956
    #6 0x7f6e830ccfe5 in decoder_context::decode_some(bool*) libde265/libde265/decctx.cc:741
    #7 0x7f6e830d4ec2 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) libde265/libde265/decctx.cc:699
    #8 0x7f6e830d5a4d in decoder_context::decode_NAL(NAL_unit*) libde265/libde265/decctx.cc:1241
    #9 0x7f6e830d6308 in decoder_context::decode(int*) libde265/libde265/decctx.cc:1329
    #10 0x55b9a8c5fd26 in main libde265/dec265/dec265.cc:784
    #11 0x7f6e81e29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #12 0x7f6e81e29e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #13 0x55b9a8c60ca4 in _start (libde265/dec265/.libs/dec265+0x5ca4)

0x7f6e8318665e is located 14 bytes to the right of global variable 'ctxIdxMap' defined in 'slice.cc:1964:22' (0x7f6e83186640) of size 16
SUMMARY: AddressSanitizer: global-buffer-overflow libde265/libde265/slice.cc:4493 in read_coding_unit(thread_context*, int, int, int, int)
Shadow bytes around the buggy address:
  0x0fee50628c70: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 01 f9 f9
  0x0fee50628c80: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 00 00 01
  0x0fee50628c90: f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 00 00 00 00
  0x0fee50628ca0: 00 00 00 03 f9 f9 f9 f9 00 00 00 00 00 00 00 02
  0x0fee50628cb0: f9 f9 f9 f9 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9
=>0x0fee50628cc0: 00 00 f9 f9 f9 f9 f9 f9 00 00 f9[f9]f9 f9 f9 f9
  0x0fee50628cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fee50628ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fee50628cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fee50628d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fee50628d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1753516==ABORTING

POC

poc

Environment

Description:    Ubuntu 22.04.2 LTS
gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0

Credit

Yuchuan Meng (Fudan University)
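
Added example, not part of this issue or of the libde265 project: a small Python triage helper that parses the key lines of an AddressSanitizer report such as the one above and derives, from the "located N bytes to the right of global variable ... of size S" line, how far past the array the access landed. The sample input is constructed from the report quoted in the issue; the 1-byte element size used to turn the byte offset into an array index is an assumption, since the page does not show the declaration of ctxIdxMap.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the key lines of the ASAN report quoted in the issue
# above (the shadow-byte dump is omitted because the parser ignores it).
SAMPLE_REPORT = """\
==1753516==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f6e8318665e at pc 0x7f6e83139f09 bp 0x7fffda7f3620 sp 0x7fffda7f3610
READ of size 1 at 0x7f6e8318665e thread T0
    #0 0x7f6e83139f08 in read_coding_unit(thread_context*, int, int, int, int) libde265/libde265/slice.cc:4493
    #1 0x7f6e8313abda in read_coding_quadtree(thread_context*, int, int, int, int) libde265/libde265/slice.cc:4650
    #2 0x7f6e8313b941 in decode_substream(thread_context*, bool, bool) libde265/libde265/slice.cc:4750

0x7f6e8318665e is located 14 bytes to the right of global variable 'ctxIdxMap' defined in 'slice.cc:1964:22' (0x7f6e83186640) of size 16
SUMMARY: AddressSanitizer: global-buffer-overflow libde265/libde265/slice.cc:4493 in read_coding_unit(thread_context*, int, int, int, int)
"""

_ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
_ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
# Frame #0 is "#0 <pc> in <symbol with spaces> <file:line>"; the location is the last token.
_FRAME0_RE = re.compile(r"^\s*#0 0x[0-9a-f]+ in (.+) (\S+)$")
_GLOBAL_RE = re.compile(
    r"^(0x[0-9a-f]+) is located (\d+) bytes to the (left|right) of global variable "
    r"'([^']+)' defined in '([^']+)' \((0x[0-9a-f]+)\) of size (\d+)"
)


@dataclass
class AsanFinding:
    kind: str                  # e.g. global-buffer-overflow
    access: str                # READ or WRITE
    access_size: int           # bytes touched by the faulting access
    address: int               # faulting address
    top_function: str          # frame #0 symbol
    top_location: str          # frame #0 file:line
    variable: Optional[str] = None          # global named on the "is located" line
    variable_defined_at: Optional[str] = None
    variable_base: Optional[int] = None
    variable_size: Optional[int] = None
    side: Optional[str] = None              # "left" or "right" of the global
    distance: Optional[int] = None          # bytes beyond its edge

    def offset_from_base(self) -> Optional[int]:
        """Byte offset of the faulting address from the start of the global."""
        if self.variable_base is None:
            return None
        return self.address - self.variable_base

    def out_of_bounds_index(self, elem_size: int = 1) -> Optional[int]:
        """Array index that was accessed, assuming elem_size-byte elements (assumption: 1)."""
        off = self.offset_from_base()
        return None if off is None else off // elem_size

    def consistent(self) -> bool:
        """Cross-check: 'N bytes to the right of ... of size S' must equal address - base."""
        if self.side == "right":
            return self.offset_from_base() == self.variable_size + self.distance
        if self.side == "left":
            return self.offset_from_base() == -self.distance
        return False


def parse_asan_report(text: str) -> AsanFinding:
    """Extract the error kind, faulting access, top frame and global-variable info."""
    kind = access = top_fn = top_loc = None
    access_size = address = None
    glob = None
    for line in text.splitlines():
        if (m := _ERROR_RE.search(line)):
            kind, address = m.group(1), int(m.group(2), 16)
        elif (m := _ACCESS_RE.match(line)):
            access, access_size = m.group(1), int(m.group(2))
        elif (m := _FRAME0_RE.match(line)):
            top_fn, top_loc = m.group(1), m.group(2)
        elif (m := _GLOBAL_RE.match(line)):
            glob = m
    if None in (kind, address, access, access_size, top_fn, top_loc):
        raise ValueError("not a complete AddressSanitizer report")
    finding = AsanFinding(kind, access, access_size, address, top_fn, top_loc)
    if glob is not None:
        finding.distance = int(glob.group(2))
        finding.side = glob.group(3)
        finding.variable = glob.group(4)
        finding.variable_defined_at = glob.group(5)
        finding.variable_base = int(glob.group(6), 16)
        finding.variable_size = int(glob.group(7))
    return finding


def describe(f: AsanFinding) -> str:
    """One-line triage summary: where the access landed relative to the array."""
    idx = f.out_of_bounds_index()
    return (f"{f.kind}: {f.access} of {f.access_size} byte(s) at {f.variable}[{idx}] "
            f"(array is {f.variable_size} bytes) in {f.top_function} at {f.top_location}")


if __name__ == "__main__":
    print(describe(parse_asan_report(SAMPLE_REPORT)))
```

For this report the faulting address is 0x1e = 30 bytes past the start of a 16-byte global, which matches ASAN's "14 bytes to the right" and tells the triager that the index used to read ctxIdxMap exceeded the table length by almost its whole size; because the access is a 1-byte read, the direct impact is an out-of-bounds read (crash or information disclosure) rather than memory corruption.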

farindk commented 11 months ago

Thank you. Fixed in the above commit.

carnil commented 11 months ago

CVE-2023-49468 is apparently assigned for this issue.

aiakubovich commented 10 months ago

Hello. I am still getting a block pipeline because of this vulnerability: https://security-tracker.debian.org/tracker/CVE-2023-49468.

farindk commented 10 months ago

@aiakubovich Can I interpret your comment such that you'd like to have a new release?

aiakubovich commented 10 months ago

@farindk, I am not familiar with how those fixes work. It seems like this issue has been resolved, but for some reason, it still appears as an unresolved vulnerability on debian.org. This issue is causing blocked deployment pipelines when I try to deploy the application because the container vulnerability scanner indicates that a vulnerability is detected.

farindk commented 10 months ago

Ok, so you need a new release because these fixes are not in an official release yet. :-)

giancorderoortiz commented 10 months ago

Yes, please, a new release is needed.

farindk commented 10 months ago

New release is waiting for packaging.