$./dec265 -h
dec265 v1.0.12
-----------------
usage: dec265 [options] videofile.bin
The video file must be a raw bitstream, or a stream with NAL units (option -n).
options:
-q, --quiet do not show decoded image
-t, --threads N set number of worker threads (0 - no threading)
-c, --check-hash perform hash check
-n, --nal input is a stream with 4-byte length prefixed NAL units
-f, --frames N set number of frames to process
-o, --output write YUV reconstruction
-d, --dump dump headers
-0, --noaccel do not use any accelerated code (SSE)
-v, --verbose increase verbosity level (up to 3 times)
-L, --no-logging disable logging
-B, --write-bytestream FILENAME write raw bytestream (from NAL input)
-m, --measure YUV compute PSNRs relative to reference YUV
-T, --highest-TID selecthighest temporal sublayer to decode
--disable-deblocking disable deblocking filter
--disable-sao disable sample-adaptive offset filter
-h, --help show help
Replay
git clone https://github.com/strukturag/libde265.git
cd libde265
mkdir build
cd build
cmake ../ -DCMAKE_CXX_FLAGS="-fsanitize=address"
make -j$(nproc)
./dec265/dec265 poc1
You'll need to try a few more times for this vulnerability to appear, usually within 20 times
ASAN
WARNING: non-existing PPS referenced
=================================================================
==1277113==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b000001438 at pc 0x7fc9f24d698a bp 0x7ffe70f26540 sp 0x7ffe70f26530
READ of size 4 at 0x61b000001438 thread T0
#0 0x7fc9f24d6989 in derive_spatial_luma_vector_prediction(base_context*, de265_image*, slice_segment_header const*, int, int, int, int, int, int, int, int, int, int, unsigned char*, MotionVector*) (/root/1115/libde265/build/libde265/libde265.so+0x19e989)
#1 0x7fc9f24d9e58 in fill_luma_motion_vector_predictors(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, int, int, int, MotionVector*) (/root/1115/libde265/build/libde265/libde265.so+0x1a1e58)
#2 0x7fc9f24da72b in luma_motion_vector_prediction(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int, int, int) (/root/1115/libde265/build/libde265/libde265.so+0x1a272b)
#3 0x7fc9f24db06d in motion_vectors_and_ref_indices(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int, PBMotion*) (/root/1115/libde265/build/libde265/libde265.so+0x1a306d)
#4 0x7fc9f24db3b8 in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) (/root/1115/libde265/build/libde265/libde265.so+0x1a33b8)
#5 0x7fc9f25186a4 in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int) (/root/1115/libde265/build/libde265/libde265.so+0x1e06a4)
#6 0x7fc9f251a286 in read_coding_unit(thread_context*, int, int, int, int) (/root/1115/libde265/build/libde265/libde265.so+0x1e2286)
#7 0x7fc9f251b0d1 in read_coding_quadtree(thread_context*, int, int, int, int) (/root/1115/libde265/build/libde265/libde265.so+0x1e30d1)
#8 0x7fc9f251af7f in read_coding_quadtree(thread_context*, int, int, int, int) (/root/1115/libde265/build/libde265/libde265.so+0x1e2f7f)
#9 0x7fc9f251afe4 in read_coding_quadtree(thread_context*, int, int, int, int) (/root/1115/libde265/build/libde265/libde265.so+0x1e2fe4)
#10 0x7fc9f251afe4 in read_coding_quadtree(thread_context*, int, int, int, int) (/root/1115/libde265/build/libde265/libde265.so+0x1e2fe4)
#11 0x7fc9f25126d1 in read_coding_tree_unit(thread_context*) (/root/1115/libde265/build/libde265/libde265.so+0x1da6d1)
#12 0x7fc9f251b875 in decode_substream(thread_context*, bool, bool) (/root/1115/libde265/build/libde265/libde265.so+0x1e3875)
#13 0x7fc9f251d5b0 in read_slice_segment_data(thread_context*) (/root/1115/libde265/build/libde265/libde265.so+0x1e55b0)
#14 0x7fc9f2470156 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) (/root/1115/libde265/build/libde265/libde265.so+0x138156)
#15 0x7fc9f2470959 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) (/root/1115/libde265/build/libde265/libde265.so+0x138959)
#16 0x7fc9f246f5fd in decoder_context::decode_some(bool*) (/root/1115/libde265/build/libde265/libde265.so+0x1375fd)
#17 0x7fc9f246f347 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) (/root/1115/libde265/build/libde265/libde265.so+0x137347)
#18 0x7fc9f2471ea6 in decoder_context::decode_NAL(NAL_unit*) (/root/1115/libde265/build/libde265/libde265.so+0x139ea6)
#19 0x7fc9f2472503 in decoder_context::decode(int*) (/root/1115/libde265/build/libde265/libde265.so+0x13a503)
#20 0x7fc9f2458630 in de265_decode (/root/1115/libde265/build/libde265/libde265.so+0x120630)
#21 0x5568ea7e8a69 in main (/root/1115/libde265/build/dec265/dec265+0x7a69)
#22 0x7fc9f1e1e082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
#23 0x5568ea7e67ed in _start (/root/1115/libde265/build/dec265/dec265+0x57ed)
0x61b000001438 is located 48 bytes to the right of 1416-byte region [0x61b000000e80,0x61b000001408)
allocated by thread T0 here:
#0 0x7fc9f2778587 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:104
#1 0x7fc9f246e9b5 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) (/root/1115/libde265/build/libde265/libde265.so+0x1369b5)
#2 0x7fc9f2471ea6 in decoder_context::decode_NAL(NAL_unit*) (/root/1115/libde265/build/libde265/libde265.so+0x139ea6)
#3 0x7fc9f2472503 in decoder_context::decode(int*) (/root/1115/libde265/build/libde265/libde265.so+0x13a503)
#4 0x7fc9f2458630 in de265_decode (/root/1115/libde265/build/libde265/libde265.so+0x120630)
#5 0x5568ea7e8a69 in main (/root/1115/libde265/build/dec265/dec265+0x7a69)
#6 0x7fc9f1e1e082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/root/1115/libde265/build/libde265/libde265.so+0x19e989) in derive_spatial_luma_vector_prediction(base_context*, de265_image*, slice_segment_header const*, int, int, int, int, int, int, int, int, int, int, unsigned char*, MotionVector*)
Shadow bytes around the buggy address:
0x0c367fff8230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fff8240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fff8250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fff8260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fff8270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c367fff8280: 00 fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa
0x0c367fff8290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fff82a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fff82b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fff82c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fff82d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1277113==ABORTING
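A small triage helper for this kind of report, added here as an example and not part of libde265 or of this issue. It does by script what the Replay and ASAN sections describe by hand: re-run the decoder command until AddressSanitizer aborts (the report notes the overflow usually shows up within 20 runs), then parse the ASAN output into the fields a triager keys on (error kind, innermost frame, access size, distance from the allocated region), which is what lets several fuzzer crashes be recognised as the same bug. `SAMPLE` is a constructed excerpt of the report above; `parse_asan`, `reproduce` and `AsanReport` are names chosen for this example, and the `run` parameter is there only so the retry loop can be exercised without a decoder binary. The offset arithmetic recomputes the "48 bytes to the right of 1416-byte region" figure from the addresses ASAN printed.

```python
"""Crash-triage helper for a non-deterministic ASAN reproduction (added example)."""
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed excerpt of the AddressSanitizer report from the issue, trimmed to
# the lines the parser needs (faulting stack #0, region line, allocation stack #0).
SAMPLE = """\
WARNING: non-existing PPS referenced
=================================================================
==1277113==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b000001438 at pc 0x7fc9f24d698a bp 0x7ffe70f26540 sp 0x7ffe70f26530
READ of size 4 at 0x61b000001438 thread T0
    #0 0x7fc9f24d6989 in derive_spatial_luma_vector_prediction(base_context*, de265_image*, slice_segment_header const*, int, int, int, int, int, int, int, int, int, int, unsigned char*, MotionVector*) (/root/1115/libde265/build/libde265/libde265.so+0x19e989)
0x61b000001438 is located 48 bytes to the right of 1416-byte region [0x61b000000e80,0x61b000001408)
allocated by thread T0 here:
    #0 0x7fc9f2778587 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:104
SUMMARY: AddressSanitizer: heap-buffer-overflow (/root/1115/libde265/build/libde265/libde265.so+0x19e989) in derive_spatial_luma_vector_prediction(base_context*, de265_image*, slice_segment_header const*, int, int, int, int, int, int, int, int, int, int, unsigned char*, MotionVector*)
==1277113==ABORTING
"""

_ERROR = re.compile(r"ERROR: AddressSanitizer: ([\w-]+) on address (0x[0-9a-f]+)")
_ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at", re.MULTILINE)
_FRAME0 = re.compile(r"#0 0x[0-9a-f]+ in ([^\s(]+)")  # function name, args dropped
_REGION = re.compile(r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")


@dataclass
class AsanReport:
    error_kind: str            # e.g. "heap-buffer-overflow"
    fault_addr: int
    access: str                # "READ" or "WRITE"
    access_size: int
    top_frame: str             # innermost function of the faulting stack
    region_start: Optional[int] = None
    region_end: Optional[int] = None

    @property
    def overflow_offset(self) -> Optional[int]:
        """Bytes past the end of the allocation (negative = before it); None if no region."""
        return None if self.region_end is None else self.fault_addr - self.region_end

    @property
    def signature(self) -> str:
        """Dedup key: same error kind in the same innermost frame is the same bug for triage."""
        return f"{self.error_kind}@{self.top_frame}"


def parse_asan(stderr: str) -> Optional[AsanReport]:
    """Return the structured report, or None when the run produced no ASAN error."""
    err = _ERROR.search(stderr)
    if err is None:
        return None
    # Search only after the ERROR line so the first "#0" is the faulting stack,
    # not the "allocated by" stack that follows it.
    access = _ACCESS.search(stderr, err.end())
    frame = _FRAME0.search(stderr, err.end())
    region = _REGION.search(stderr, err.end())
    report = AsanReport(
        error_kind=err.group(1),
        fault_addr=int(err.group(2), 16),
        access=access.group(1) if access else "?",
        access_size=int(access.group(2)) if access else 0,
        top_frame=frame.group(1) if frame else "?",
    )
    if region:
        report.region_start = int(region.group(2), 16)
        report.region_end = int(region.group(3), 16)
        # Cross-check ASAN's stated size against the bracketed addresses.
        assert report.region_end - report.region_start == int(region.group(1))
    return report


def reproduce(cmd: List[str], max_attempts: int = 20,
              run: Callable = subprocess.run) -> Tuple[int, Optional[AsanReport]]:
    """Run cmd until ASAN reports; returns (attempt_no, report) or (max_attempts, None).

    ASAN writes its report to stderr, so capture_output is required. `run` is
    injectable (assumption for this example) so the loop is testable offline.
    """
    for attempt in range(1, max_attempts + 1):
        proc = run(cmd, capture_output=True, text=True)
        report = parse_asan(proc.stderr)
        if report is not None:
            return attempt, report
    return max_attempts, None


if __name__ == "__main__":
    # Usage: python triage.py ./dec265/dec265 poc1   (binary built with -fsanitize=address)
    n, rep = reproduce(sys.argv[1:] or ["./dec265/dec265", "poc1"])
    if rep is None:
        print(f"no ASAN report in {n} runs")
    else:
        print(f"attempt {n}: {rep.signature}, {rep.access} of {rep.access_size} bytes, "
              f"{rep.overflow_offset} bytes past the end of the allocation")
```

Run against the SAMPLE, the parser yields the signature `heap-buffer-overflow@derive_spatial_luma_vector_prediction` and an offset of 48, matching the report; a run of the real decoder that decodes cleanly yields `None`, which is what makes the retry loop terminate on the first failing attempt rather than on exit status alone (dec265 also returns non-zero on ordinary decode errors).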
description
heap-buffer-overflow in derive_spatial_luma_vector_prediction(base_context*, de265_image*, slice_segment_header const*, int, int, int, int, int, int, int, int, int, int, unsigned char*, MotionVector*)
version
POC
https://github.com/windwithshadow/poc/tree/main/libde265/poc1
Environment