hi,

i use -d option to dump headers while decoding a stream with multiple tiles and one slice per frame...but when i see the info, i see multiple slices, even if i decode one frame (using option -f 1) ....for example i decode one frame with one slice and 4 tiles....shouldn't i see 1 slice and 3 entry points? Instead there seem to be 4 slices info with respective entry points

I've been using the prebuild dec265 for decoding encoded binaries (.bin) videos. I saw that the acceleration-speed folder has methods for computing the DCT coefficients, however the make fails for acceleration-speed for me. Is there any way I can perhaps call a function via dec265 itself, so it writes all the DCT coefficients in a file as it runs the video?

Travis is no longer green on master after commit 0338ac5: https://travis-ci.org/strukturag/libde265/builds/85284996

Also the fuzzing streams are failing after commit 8ec4e93: https://travis-ci.org/strukturag/libde265/builds/85519474

Please check and make sure to keep Travis green/stable at least on the master branch in the future.

Hi All,

I try to use libde265 decoder our company compressed video, which can be downloaded here (https://github.com/qyljcy/libde265/blob/master/testvideo/GangnamStyle-480p.mp4). It compressed by X265

But no video output. The video can display well in ffmpeg or OpenHEVC, why not de265?

I try to use modified ffmpeg(https://github.com/farindk/ffmpeg), but this ffmpeg version is too low.

Hope some expert can help me to check it.

Best regards, Jesse

This PR adds parentheses to prevent the use of the max define. We use this library inside the @ImageMagick project and our build fails without these changes.

I have looked at a few source files for your current software. I have noticed that some checks for return codes are missing.

Would you like to add more error handling for return values from functions like the following?

• fopen ⇒ main
• calloc ⇒ de265_new_decoder

threads.cc:213:14: warning: converting to non-pointer type 'DWORD' {aka 'long unsigned int'} from NULL [-Wconversion-null] 213 | return NULL; | ^~~~ threads.cc:241:10: warning: converting to non-pointer type 'DWORD' {aka 'long unsigned int'} from NULL [-Wconversion-null] 241 | return NULL; | ^~~~

This PR changes std::min to libde265_min and std::max to libde265_max. We use this library inside the @ImageMagick project and our build fails without these changes.

The @ImageMagick project is using https://github.com/google/oss-fuzz to find bugs in our own library and in libraries that we use. The fuzzer found an issue and we think this is an issue that should be resolved in the library that we use. This issue is posted under the url https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7706 that is not publicly visible yet but added as a link for future reference. Below are the details of the issue that can be reproduced using the following technique: https://github.com/google/oss-fuzz/blob/master/docs/reproducing.md

Stacktrace:

==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100003bf38 at pc 0x000000c3b3bd bp 0x7fff79e998d0 sp 0x7fff79e998c8
--
  | WRITE of size 4 at 0x62100003bf38 thread T0
  | SCARINESS: 36 (4-byte-write-heap-buffer-overflow)
  | #0 0xc3b3bc in decoder_context::process_reference_picture_set(slice_segment_header*) libde265/libde265/decctx.cc:1688:24
  | #1 0xc336f1 in decoder_context::process_slice_segment_header(slice_segment_header*, de265_error*, long, nal_header*, void*) libde265/libde265/decctx.cc:2064:7
  | #2 0xc31f47 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) libde265/libde265/decctx.cc:639:7
  | #3 0xc3716c in decoder_context::decode_NAL(NAL_unit*) libde265/libde265/decctx.cc:1230:11
  | #4 0xc376a7 in decoder_context::decode(int*) libde265/libde265/decctx.cc:1318:16
  | #5 0xad3b06 in decodeH265Image imagemagick/coders/heic.c:933:11
  | #6 0xad1b2e in ReadHEICImage imagemagick/coders/heic.c:1176:9
  | #7 0x6ced88 in ReadImage imagemagick/MagickCore/constitute.c:500:13
  | #8 0x669ba5 in BlobToImage imagemagick/MagickCore/blob.c:469:13
  | #9 0x5b58f2 in Magick::Image::read(Magick::Blob const&) imagemagick/Magick++/lib/Image.cpp:4015:12
  | #10 0x52984e in LLVMFuzzerTestOneInput imagemagick/Magick++/fuzz/encoder_fuzzer.cc:46:11
  | #11 0x553561 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:517:13
  | #12 0x52a60a in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
  | #13 0x535fbb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:703:9
  | #14 0x529cac in main /src/libfuzzer/FuzzerMain.cpp:20:10
  | #15 0x7ff2a6e3a82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
  | #16 0x41e868 in _start
  |  
  | 0x62100003bf38 is located 0 bytes to the right of 4664-byte region [0x62100003ad00,0x62100003bf38)
  | allocated by thread T0 here:
  | #0 0x525288 in operator new(unsigned long) _asan_rtl_
  | #1 0xc2c4f7 in de265_new_decoder libde265/libde265/de265.cc:218:26
  | #2 0xad1336 in ReadHEICImage imagemagick/coders/heic.c:1145:17
  | #3 0x6ced88 in ReadImage imagemagick/MagickCore/constitute.c:500:13
  | #4 0x669ba5 in BlobToImage imagemagick/MagickCore/blob.c:469:13
  | #5 0x5b58f2 in Magick::Image::read(Magick::Blob const&) imagemagick/Magick++/lib/Image.cpp:4015:12
  | #6 0x52984e in LLVMFuzzerTestOneInput imagemagick/Magick++/fuzz/encoder_fuzzer.cc:46:11
  | #7 0x553561 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:517:13
  | #8 0x52a60a in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
  | #9 0x535fbb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:703:9
  | #10 0x529cac in main /src/libfuzzer/FuzzerMain.cpp:20:10
  | #11 0x7ff2a6e3a82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291
  |  
  | SUMMARY: AddressSanitizer: heap-buffer-overflow (/mnt/scratch0/clusterfuzz/slave-bot/builds/clusterfuzz-builds_imagemagick_6c758f2561112e17568a05126726c2ca513bfabc/revisions/encoder_heic_fuzzer+0xc3b3bc)
  | Shadow bytes around the buggy address:
  | 0x0c427ffff790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  | 0x0c427ffff7a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  | 0x0c427ffff7b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  | 0x0c427ffff7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  | 0x0c427ffff7d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  | =>0x0c427ffff7e0: 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa
  | 0x0c427ffff7f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  | 0x0c427ffff800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  | 0x0c427ffff810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  | 0x0c427ffff820: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  | 0x0c427ffff830: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  | Shadow byte legend (one shadow byte represents 8 application bytes):
  | Addressable:           00
  | Partially addressable: 01 02 03 04 05 06 07
  | Heap left redzone:       fa
  | Freed heap region:       fd
  | Stack left redzone:      f1
  | Stack mid redzone:       f2
  | Stack right redzone:     f3
  | Stack after return:      f5
  | Stack use after scope:   f8
  | Global redzone:          f9
  | Global init order:       f6
  | Poisoned by user:        f7
  | Container overflow:      fc
  | Array cookie:            ac
  | Intra object redzone:    bb
  | ASan internal:           fe
  | Left alloca redzone:     ca
  | Right alloca redzone:    cb
  | ==1==ABORTING

Links: https://github.com/strukturag/libde265/blob/5c0a672f20d944b3a16aabdb373f0c0736aab3bb/libde265/decctx.cc#L1688 https://github.com/strukturag/libde265/blob/5c0a672f20d944b3a16aabdb373f0c0736aab3bb/libde265/de265.cc#L218

Commit: 5c0a672f20d944b3a16aabdb373f0c0736aab3bb Testcase file: clusterfuzz-testcase-minimized-encoder_heic_fuzzer-5918050164408320.zip

I'm on Windows, and I have CMAKE, MAKE, arm-none-eabi, and a GCC compiler installed, and I'm trying to compile for an ARM11 device. (No, I can't compile on the device, it's not running Linux.)

I need to decode H.265 video streaming over the local network on the device, and it doesn't have hardware h264 or h265 support. (It does however have hardware YUV <-> RGB, which is useful.)

The video is being muxed and demuxed in a custom audio/video format I wrote (I'll put it on GitHub when it's finished), because I got fed up with MP4 and MOV refusing to stream properly.

I tried just adding the 'libde265' folder to my project and compiling, but that didn't work.

First problem, my compiler isn't configured to recognize '.cc' extension, so I wrote a script to rename '.cc' to '.cpp' ('cause I like writing scripts.) The includes were written like #include <libde265/whatever.h>, so the compiler couldn't find the files. I wrote a script to fix that as well, which seemed to work. de265-version.h is missing, so I renamed de265-version.h.in to de265-version.h and manually put the version where it clearly goes. But even after all that, the compilation errors just kept piling up, so eventually I just gave up trying to solve them. Obviously, the library isn't meant to be compiled this way.

So then, how is it supposed to be compiled? I tried the instructions in the Build section of the README, but cmake just generates a bunch of useless garbage in the build folder, and make says it couldn't find a Makefile.

The following error happens when trying to build libde265 1.0.2 on FreeBSD.

The newer FreeBSD releases use Clang as the default compiler, which give the error below. I have tested a old FreeBSD that still has GCC as default compiler build this code fine without any changes.

Disabling the #define in libde265/util.h fixes the build but I'm not sure that it is the right thing to do.

/bin/sh ../../../libtool --tag=CXX --mode=compile c++ -DHAVE_CONFIG_H -I. -I../../.. -I../.. -pipe -g -fstack-protector -fno-strict-aliasing -Werror=return-type -Werror=unused-result -Werror=reorder -std=gnu++11 -DDE265_LOG_ERROR -MT libde265_encoder_algo_la-algo.lo -MD -MP -MF .deps/libde265_encoder_algo_la-algo.Tpo -c -o libde265_encoder_algo_la-algo.lo test -f 'algo.cc' || echo './'algo.cc libtool: compile: c++ -DHAVE_CONFIG_H -I. -I../../.. -I../.. -pipe -g -fstack-protector -fno-strict-aliasing -Werror=return-type -Werror=unused-result -Werror=reorder -std=gnu++11 -DDE265_LOG_ERROR -MT libde265_encoder_algo_la-algo.lo -MD -MP -MF .deps/libde265_encoder_algo_la-algo.Tpo -c algo.cc -fPIC -DPIC -o .libs/libde265_encoder_algo_la-algo.o In file included from algo.cc:23: In file included from ../../../libde265/encoder/algo/algo.h:26: In file included from ../../../libde265/encoder/encode.h:26: ../../../libde265/image.h:86:26: error: use of undeclared identifier 'NULL' MetaDataArray() { data=NULL; data_size=0; log2unitSize=0; width_in_uni... ^ /usr/include/sys/_null.h:35:14: note: expanded from macro 'NULL'

define NULL nullptr

            ^

../../../libde265/util.h:75:17: note: expanded from macro 'nullptr'

define nullptr NULL

            ^

Description

heap-buffer-overflow (libde265/build/libde265/libde265.so+0x1ec50d) in de265_image::set_SliceAddrRS(int, int, int)

Version info

 dec265  v1.0.9
--------------
usage: dec265 [options] videofile.bin
The video file must be a raw bitstream, or a stream with NAL units (option -n).

options:
  -q, --quiet       do not show decoded image
  -t, --threads N   set number of worker threads (0 - no threading)
  -c, --check-hash  perform hash check
  -n, --nal         input is a stream with 4-byte length prefixed NAL units
  -f, --frames N    set number of frames to process
  -o, --output      write YUV reconstruction
  -d, --dump        dump headers
  -0, --noaccel     do not use any accelerated code (SSE)
  -v, --verbose     increase verbosity level (up to 3 times)
  -L, --no-logging  disable logging
  -B, --write-bytestream FILENAME  write raw bytestream (from NAL input)
  -m, --measure YUV compute PSNRs relative to reference YUV
  -T, --highest-TID select highest temporal sublayer to decode
      --disable-deblocking   disable deblocking filter
      --disable-sao          disable sample-adaptive offset filter
  -h, --help        show help

Reproduce

git clone https://github.com/strukturag/libde265.git
cd libde265
mkdir build
cd build
cmake ../ -DCMAKE_CXX_FLAGS="-fsanitize=address"
make -j$(nproc)
./dec265/dec265 653.bin

ASAN

WARNING: maximum number of reference pictures exceeded
WARNING: faulty reference picture list
WARNING: maximum number of reference pictures exceeded
WARNING: CTB outside of image area (concealing stream error...)
WARNING: maximum number of reference pictures exceeded
WARNING: faulty reference picture list
WARNING: maximum number of reference pictures exceeded
WARNING: faulty reference picture list
SPS error: TB > CB
WARNING: CTB outside of image area (concealing stream error...)
WARNING: CTB outside of image area (concealing stream error...)
WARNING: CTB outside of image area (concealing stream error...)
WARNING: maximum number of reference pictures exceeded
WARNING: faulty reference picture list
WARNING: maximum number of reference pictures exceeded
WARNING: faulty reference picture list
WARNING: CTB outside of image area (concealing stream error...)
WARNING: maximum number of reference pictures exceeded
WARNING: CTB outside of image area (concealing stream error...)
=================================================================
==732766==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6070000007d8 at pc 0x7ff23d2ac50e bp 0x7ffce559d1f0 sp 0x7ffce559d1e0
WRITE of size 2 at 0x6070000007d8 thread T0
    #0 0x7ff23d2ac50d in de265_image::set_SliceAddrRS(int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1ec50d)
    #1 0x7ff23d29fb85 in read_coding_tree_unit(thread_context*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1dfb85)
    #2 0x7ff23d2a8f06 in decode_substream(thread_context*, bool, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e8f06)
    #3 0x7ff23d2aac3f in read_slice_segment_data(thread_context*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1eac3f)
    #4 0x7ff23d1fde6f in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13de6f)
    #5 0x7ff23d1fe673 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13e673)
    #6 0x7ff23d1fd311 in decoder_context::decode_some(bool*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13d311)
    #7 0x7ff23d200345 in decoder_context::decode(int*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x140345)
    #8 0x7ff23d1e63f2 in de265_decode (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1263f2)
    #9 0x564bf4c049a5 in main (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x79a5)
    #10 0x7ff23cb8ed8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #11 0x7ff23cb8ee3f in __libc_start_main_impl ../csu/libc-start.c:392
    #12 0x564bf4c027c4 in _start (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x57c4)

0x6070000007d8 is located 0 bytes to the right of 72-byte region [0x607000000790,0x6070000007d8)
allocated by thread T0 here:
    #0 0x7ff23d50d867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7ff23d2490b4 in MetaDataArray<CTB_info>::alloc(int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1890b4)
    #2 0x7ff23d245381 in de265_image::alloc_image(int, int, de265_chroma, std::shared_ptr<seq_parameter_set const>, bool, decoder_context*, long, void*, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x185381)
    #3 0x7ff23d2279fa in decoded_picture_buffer::new_image(std::shared_ptr<seq_parameter_set const>, decoder_context*, long, void*, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1679fa)
    #4 0x7ff23d206b0d in decoder_context::process_slice_segment_header(slice_segment_header*, de265_error*, long, nal_header*, void*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x146b0d)
    #5 0x7ff23d1fc970 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13c970)
    #6 0x7ff23d1ffbe6 in decoder_context::decode_NAL(NAL_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13fbe6)
    #7 0x7ff23d20024c in decoder_context::decode(int*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x14024c)
    #8 0x7ff23d1e63f2 in de265_decode (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1263f2)
    #9 0x564bf4c049a5 in main (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x79a5)
    #10 0x7ff23cb8ed8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-buffer-overflow (libde265/build/libde265/libde265.so+0x1ec50d) in de265_image::set_SliceAddrRS(int, int, int)
Shadow bytes around the buggy address:
  0x0c0e7fff80a0: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0e7fff80b0: 00 00 00 00 00 fa fa fa fa fa 00 00 00 00 00 00
  0x0c0e7fff80c0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0e7fff80d0: 00 fa fa fa fa fa 00 00 00 00 00 00 00 00 00 fa
  0x0c0e7fff80e0: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa
=>0x0c0e7fff80f0: fa fa 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa
  0x0c0e7fff8100: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa 00 00
  0x0c0e7fff8110: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x0c0e7fff8120: 00 00 00 00 04 fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==732766==ABORTING

POC

653.zip

Impact

Potentially causing DoS and RCE

Credit

Xdchase

Description

heap-buffer-overflow (libde265/build/libde265/libde265.so+0x2b6bbb) in ff_hevc_put_hevc_qpel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, short*)

Version info

 dec265  v1.0.9
--------------
usage: dec265 [options] videofile.bin
The video file must be a raw bitstream, or a stream with NAL units (option -n).

options:
  -q, --quiet       do not show decoded image
  -t, --threads N   set number of worker threads (0 - no threading)
  -c, --check-hash  perform hash check
  -n, --nal         input is a stream with 4-byte length prefixed NAL units
  -f, --frames N    set number of frames to process
  -o, --output      write YUV reconstruction
  -d, --dump        dump headers
  -0, --noaccel     do not use any accelerated code (SSE)
  -v, --verbose     increase verbosity level (up to 3 times)
  -L, --no-logging  disable logging
  -B, --write-bytestream FILENAME  write raw bytestream (from NAL input)
  -m, --measure YUV compute PSNRs relative to reference YUV
  -T, --highest-TID select highest temporal sublayer to decode
      --disable-deblocking   disable deblocking filter
      --disable-sao          disable sample-adaptive offset filter
  -h, --help        show help

Reproduce

git clone https://github.com/strukturag/libde265.git
cd libde265
mkdir build
cd build
cmake ../ -DCMAKE_CXX_FLAGS="-fsanitize=address"
make -j$(nproc)
./dec265/dec265 653.bin

ASAN

WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
WARNING: non-existing PPS referenced
WARNING: maximum number of reference pictures exceeded
WARNING: faulty reference picture list
WARNING: maximum number of reference pictures exceeded
WARNING: faulty reference picture list
WARNING: maximum number of reference pictures exceeded
WARNING: faulty reference picture list
WARNING: maximum number of reference pictures exceeded
WARNING: faulty reference picture list
WARNING: CTB outside of image area (concealing stream error...)
WARNING: maximum number of reference pictures exceeded
WARNING: faulty reference picture list
WARNING: non-existing PPS referenced
WARNING: CTB outside of image area (concealing stream error...)
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: CTB outside of image area (concealing stream error...)
WARNING: maximum number of reference pictures exceeded
=================================================================
==733371==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00000d190 at pc 0x7f929c8bfbbc bp 0x7ffcdcf97080 sp 0x7ffcdcf97070
READ of size 16 at 0x61b00000d190 thread T0
    #0 0x7f929c8bfbbb in ff_hevc_put_hevc_qpel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, short*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x2b6bbb)
    #1 0x7f929c7b249f in acceleration_functions::put_hevc_qpel(short*, long, void const*, long, int, int, short*, int, int, int) const (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1a949f)
    #2 0x7f929c7b35a7 in void mc_luma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1aa5a7)
    #3 0x7f929c7a4a8b in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x19ba8b)
    #4 0x7f929c7b1a2e in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1a8a2e)
    #5 0x7f929c7ef80b in read_coding_unit(thread_context*, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e680b)
    #6 0x7f929c7f1762 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e8762)
    #7 0x7f929c7f1675 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e8675)
    #8 0x7f929c7f1610 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e8610)
    #9 0x7f929c7f15a3 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e85a3)
    #10 0x7f929c7e8d49 in read_coding_tree_unit(thread_context*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1dfd49)
    #11 0x7f929c7f1f06 in decode_substream(thread_context*, bool, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e8f06)
    #12 0x7f929c7f3c3f in read_slice_segment_data(thread_context*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1eac3f)
    #13 0x7f929c746e6f in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13de6f)
    #14 0x7f929c747673 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13e673)
    #15 0x7f929c746311 in decoder_context::decode_some(bool*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13d311)
    #16 0x7f929c74605b in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13d05b)
    #17 0x7f929c748be6 in decoder_context::decode_NAL(NAL_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13fbe6)
    #18 0x7f929c74924c in decoder_context::decode(int*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x14024c)
    #19 0x7f929c72f3f2 in de265_decode (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1263f2)
    #20 0x5613fc1319a5 in main (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x79a5)
    #21 0x7f929c0d7d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #22 0x7f929c0d7e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #23 0x5613fc12f7c4 in _start (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x57c4)

0x61b00000d190 is located 0 bytes to the right of 1552-byte region [0x61b00000cb80,0x61b00000d190)
allocated by thread T0 here:
    #0 0x7f929ca5755c in __interceptor_posix_memalign ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:226
    #1 0x7f929c78aa61 in ALLOC_ALIGNED(unsigned long, unsigned long) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x181a61)
    #2 0x7f929c78b202 in de265_image_get_buffer(void*, de265_image_spec*, de265_image*, void*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x182202)
    #3 0x7f929c78d66b in de265_image::alloc_image(int, int, de265_chroma, std::shared_ptr<seq_parameter_set const>, bool, decoder_context*, long, void*, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x18466b)
    #4 0x7f929c7709fa in decoded_picture_buffer::new_image(std::shared_ptr<seq_parameter_set const>, decoder_context*, long, void*, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1679fa)
    #5 0x7f929c749fd4 in decoder_context::generate_unavailable_reference_picture(seq_parameter_set const*, int, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x140fd4)
    #6 0x7f929c74cee1 in decoder_context::process_reference_picture_set(slice_segment_header*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x143ee1)
    #7 0x7f929c75046a in decoder_context::process_slice_segment_header(slice_segment_header*, de265_error*, long, nal_header*, void*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x14746a)
    #8 0x7f929c745970 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13c970)
    #9 0x7f929c748be6 in decoder_context::decode_NAL(NAL_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13fbe6)
    #10 0x7f929c74924c in decoder_context::decode(int*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x14024c)
    #11 0x7f929c72f3f2 in de265_decode (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1263f2)
    #12 0x5613fc1319a5 in main (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x79a5)
    #13 0x7f929c0d7d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x2b6bbb) in ff_hevc_put_hevc_qpel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, short*)
Shadow bytes around the buggy address:
  0x0c367fff99e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fff99f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fff9a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fff9a10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fff9a20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c367fff9a30: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fff9a40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fff9a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fff9a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fff9a70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c367fff9a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==733371==ABORTING

POC

660.zip

Impact

Potentially causing DoS and RCE

Credit

Xdchase

Description

stack-buffer-overflow (libde265/build/libde265/libde265.so+0x17d304) in void put_qpel_fallback(short*, long, unsigned short const*, long, int, int, short*, int, int, int)

Version info

 dec265  v1.0.9
--------------
usage: dec265 [options] videofile.bin
The video file must be a raw bitstream, or a stream with NAL units (option -n).

options:
  -q, --quiet       do not show decoded image
  -t, --threads N   set number of worker threads (0 - no threading)
  -c, --check-hash  perform hash check
  -n, --nal         input is a stream with 4-byte length prefixed NAL units
  -f, --frames N    set number of frames to process
  -o, --output      write YUV reconstruction
  -d, --dump        dump headers
  -0, --noaccel     do not use any accelerated code (SSE)
  -v, --verbose     increase verbosity level (up to 3 times)
  -L, --no-logging  disable logging
  -B, --write-bytestream FILENAME  write raw bytestream (from NAL input)
  -m, --measure YUV compute PSNRs relative to reference YUV
  -T, --highest-TID select highest temporal sublayer to decode
      --disable-deblocking   disable deblocking filter
      --disable-sao          disable sample-adaptive offset filter
  -h, --help        show help

Reproduce

git clone https://github.com/strukturag/libde265.git
cd libde265
mkdir build
cd build
cmake ../ -DCMAKE_CXX_FLAGS="-fsanitize=address"
make -j$(nproc)
./dec265/dec265 poc.bin

ASAN

WARNING: coded parameter out of range
WARNING: maximum number of reference pictures exceeded
WARNING: faulty reference picture list
WARNING: maximum number of reference pictures exceeded
WARNING: faulty reference picture list
WARNING: maximum number of reference pictures exceeded
WARNING: faulty reference picture list
WARNING: non-existing PPS referenced
WARNING: CTB outside of image area (concealing stream error...)
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: maximum number of reference pictures exceeded
WARNING: CTB outside of image area (concealing stream error...)
WARNING: non-existing PPS referenced
=================================================================
==3829==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffea52d35f at pc 0x7f8966bd5305 bp 0x7fffea52ac00 sp 0x7fffea52abf0
READ of size 2 at 0x7fffea52d35f thread T0
    #0 0x7f8966bd5304 in void put_qpel_fallback<unsigned short>(short*, long, unsigned short const*, long, int, int, short*, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x17d304)
    #1 0x7f8966bd08c2 in put_qpel_1_0_fallback_16(short*, long, unsigned short const*, long, int, int, short*, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1788c2)
    #2 0x7f8966c0152e in acceleration_functions::put_hevc_qpel(short*, long, void const*, long, int, int, short*, int, int, int) const (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1a952e)
    #3 0x7f8966c02c0f in void mc_luma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1aac0f)
    #4 0x7f8966bf3a8b in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x19ba8b)
    #5 0x7f8966c00a2e in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1a8a2e)
    #6 0x7f8966c3dd2a in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e5d2a)
    #7 0x7f8966c3f774 in read_coding_unit(thread_context*, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e7774)
    #8 0x7f8966c40762 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e8762)
    #9 0x7f8966c405a3 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e85a3)
    #10 0x7f8966c405a3 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e85a3)
    #11 0x7f8966c405a3 in read_coding_quadtree(thread_context*, int, int, int, int) [clone .localalias] (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e85a3)
    #12 0x7f8966c37d49 in read_coding_tree_unit(thread_context*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1dfd49)
    #13 0x7f8966c40f06 in decode_substream(thread_context*, bool, bool) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1e8f06)
    #14 0x7f8966c42c3f in read_slice_segment_data(thread_context*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1eac3f)
    #15 0x7f8966b95e6f in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13de6f)
    #16 0x7f8966b96673 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13e673)
    #17 0x7f8966b95311 in decoder_context::decode_some(bool*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13d311)
    #18 0x7f8966b9505b in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13d05b)
    #19 0x7f8966b97be6 in decoder_context::decode_NAL(NAL_unit*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x13fbe6)
    #20 0x7f8966b9824c in decoder_context::decode(int*) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x14024c)
    #21 0x7f8966b7e3f2 in de265_decode (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1263f2)
    #22 0x562ac9c989a5 in main (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x79a5)
    #23 0x7f8966526d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #24 0x7f8966526e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #25 0x562ac9c967c4 in _start (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/dec265/dec265+0x57c4)

Address 0x7fffea52d35f is located in stack of thread T0 at offset 9391 in frame
    #0 0x7f8966c02203 in void mc_luma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x1aa203)

  This frame has 2 object(s):
    [48, 9136) 'mcbuffer' (line 71)
    [9392, 15072) 'padbuf' (line 129) <== Memory access at offset 9391 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/sumuchuan/Desktop/libde265_fuzz/libde265/build/libde265/libde265.so+0x17d304) in void put_qpel_fallback<unsigned short>(short*, long, unsigned short const*, long, int, int, short*, int, int, int)
Shadow bytes around the buggy address:
  0x10007d49da10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007d49da20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007d49da30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007d49da40: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2
  0x10007d49da50: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
=>0x10007d49da60: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2[f2]00 00 00 00
  0x10007d49da70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007d49da80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007d49da90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007d49daa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007d49dab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3829==ABORTING

POC

poc.zip

Impact

Potentially causing DoS and RCE

Credit

Xdchase

(as e.g mc_chroma is using the sps to determine picture properties, like pic_width_in_luma_samples and pic_height_in_luma_samples, I think this is more correct.

This PR is for discussion. (See #345.) It makes the failures go away, but that does not mean it's correct :)

The following poc will be stop failing if (only) this patch is applied:

• poc2 #336 - CVE-2022-43238
• poc4 #338 - CVE-2022-43241
• poc6-1, poc6-2 #340 - CVE-2022-43242
• poc7-1, poc7-2 #341 - CVE-2022-43239
• poc8-1 #342 - CVE-2022-43244
• poc9-3 #343 - CVE-2022-43236
• poc10-2, poc10-3 #344 - CVE-2022-43237
• poc16 #350
• poc19 #353

The following are still failing if only this patch is applied, but they stop failing if #365 is applied as well, but will still fail with ONLY #365 applied (IOW, both are needed)

• poc1 #335 - CVE-2022-43240
• poc3 #337 - CVE-2022-43235
• poc5 #339 - CVE-2022-43423
• poc9-1,poc9-2, poc9-4 #343 - CVE-2022-43236
• poc14 #348 - CVE-2022-43253
• poc15 #349 - CVE-2022-43248
• poc17-1, poc17-2 #351
• poc18 #352 - CVE-2022-43245

See #345 for my analysis and details…

(This PR is just for discussion.)

(The CVE references are obtained from the Debian security tracker, which links the issues.)

This makes the following POCs stop failing:

• poc3 (#337)
• poc7-1 (#341) CVE-2022-43239 (note: does NOT fix poc7-2)
• poc8-2, poc8-3, poc8-4 (#342) CVE-2022-43244 (note: does NOT fix poc8-1)
• poc11-1, poc11-2 (#345) CVE-2022-43249
• poc12 (#346)
• poc13 (#347) CVE-2022-43252
• poc16 (#350)