Heap-buffer-overflow with ASAN in dec265 #460

Open
zhangteng0526 opened this issue Jun 11, 2024 · 0 comments


Dear libde265 developers, I used AFL++ to fuzz test dec265 and found some problems.
Here is some output from debugging the program built with ASan:

=================================================================
==2426872==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fac97661810 at pc 0x7fac9b8b7490 bp 0x7ffccfc5b3a0 sp 0x7ffccfc5ab48
READ of size 352 at 0x7fac97661810 thread T0
    #0 0x7fac9b8b748f in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790
    #1 0x5610bf47d0e0 in SDL_YUV_Display::display420(unsigned char const*, unsigned char const*, unsigned char const*, int, int) /home/zt/cnvd/libde265/dec265/sdl.cc:146
    #2 0x5610bf47ec9b in SDL_YUV_Display::display(unsigned char const*, unsigned char const*, unsigned char const*, int, int) /home/zt/cnvd/libde265/dec265/sdl.cc:107
    #3 0x5610bf47afd3 in display_sdl(de265_image const*) /home/zt/cnvd/libde265/dec265/dec265.cc:310
    #4 0x5610bf47b4c7 in output_image(de265_image const*) /home/zt/cnvd/libde265/dec265/dec265.cc:353
    #5 0x5610bf4786a9 in main /home/zt/cnvd/libde265/dec265/dec265.cc:802
    #6 0x7fac9af00082 in __libc_start_main ../csu/libc-start.c:308
    #7 0x5610bf47a6ad in _start (/home/zt/cnvd/libde265/install/bin/dec265+0x86ad)

0x7fac97661810 is located 0 bytes to the right of 131088-byte region [0x7fac97641800,0x7fac97661810)
allocated by thread T0 here:
    #0 0x7fac9b92a6e5 in __interceptor_posix_memalign ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:217
    #1 0x7fac9b517b47 in ALLOC_ALIGNED /home/zt/cnvd/libde265/libde265/image.cc:55
    #2 0x7fac9b517b47 in de265_image_get_buffer /home/zt/cnvd/libde265/libde265/image.cc:129

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790 in __interceptor_memcpy
Shadow bytes around the buggy address:
  0x0ff612ec42b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff612ec42c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff612ec42d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff612ec42e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff612ec42f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff612ec4300: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff612ec4310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff612ec4320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff612ec4330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff612ec4340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff612ec4350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2426872==ABORTING

==2426808==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d000035b80 at pc 0x5600b53a49fe bp 0x7ffc3b49c8b0 sp 0x7ffc3b49c8a0
WRITE of size 1 at 0x61d000035b80 thread T0
    #0 0x5600b53a49fd in SDL_YUV_Display::display444as420(unsigned char const*, unsigned char const*, unsigned char const*, int, int) /home/zt/cnvd/libde265/dec265/sdl.cc:257
    #1 0x5600b53a4cdb in SDL_YUV_Display::display(unsigned char const*, unsigned char const*, unsigned char const*, int, int) /home/zt/cnvd/libde265/dec265/sdl.cc:113
    #2 0x5600b53a0fd3 in display_sdl(de265_image const*) /home/zt/cnvd/libde265/dec265/dec265.cc:310
    #3 0x5600b53a14c7 in output_image(de265_image const*) /home/zt/cnvd/libde265/dec265/dec265.cc:353
    #4 0x5600b539e6a9 in main /home/zt/cnvd/libde265/dec265/dec265.cc:802
    #5 0x7f1c660dc082 in __libc_start_main ../csu/libc-start.c:308
    #6 0x5600b53a06ad in _start (/home/zt/cnvd/libde265/install/bin/dec265+0x86ad)

0x61d000035b80 is located 0 bytes to the right of 2304-byte region [0x61d000035280,0x61d000035b80)
allocated by thread T0 here:
    #0 0x7f1c66b05a06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
    #1 0x7f1c66917485  (/lib/x86_64-linux-gnu/libSDL2-2.0.so.0+0x74485)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/zt/cnvd/libde265/dec265/sdl.cc:257 in SDL_YUV_Display::display444as420(unsigned char const*, unsigned char const*, unsigned char const*, int, int)
Shadow bytes around the buggy address:
  0x0c3a7fffeb20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffeb30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffeb40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffeb50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3a7fffeb60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3a7fffeb70:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffeb80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffeb90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffeba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffebb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a7fffebc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2426808==ABORTING

Crash input:

poc.zip
poc1.zip

Validation steps

git clone https://github.com/strukturag/libde265.git
cd libde265/
./autogen.sh
CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" ./configure --prefix="$HOME/libde265/install/"
make -j$(nproc)
make install
cd $HOME/libde265/install/bin

./dec265 poc

Environment

Ubuntu 20.04 LTS
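The first report above shows the memcpy in SDL_YUV_Display::display420 reading a full 352-byte row starting exactly at the end of the 131088-byte image buffer returned by de265_image_get_buffer. As an added illustration (not libde265's or dec265's own code), here is a plane copy that validates width, stride and height against each plane's allocated length before any memcpy runs; the 131088-byte region and 352-byte row are taken from the report, while the buffers and the heights tried are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Row-by-row plane copy that refuses to read past src_len or write past
 * dst_len. Returns 0 on success, -1 when the geometry does not fit. */
int copy_plane_checked(uint8_t *dst, size_t dst_len, size_t dst_stride,
                       const uint8_t *src, size_t src_len, size_t src_stride,
                       size_t width, size_t height)
{
    if (width == 0 || height == 0) return 0;
    if (width > src_stride || width > dst_stride) return -1;
    /* Bytes touched = (height-1)*stride + width; guard the multiplication
     * itself before comparing against the plane lengths. */
    if (height - 1 > (SIZE_MAX - width) / src_stride) return -1;
    if (height - 1 > (SIZE_MAX - width) / dst_stride) return -1;
    if ((height - 1) * src_stride + width > src_len) return -1;
    if ((height - 1) * dst_stride + width > dst_len) return -1;
    for (size_t row = 0; row < height; row++)
        memcpy(dst + row * dst_stride, src + row * src_stride, width);
    return 0;
}

/* Models the reported luma copy with constructed buffers: a 131088-byte
 * source region (the region size in the ASan report) read as rows of 352
 * bytes (the size of the faulting memcpy). A height the region cannot hold
 * is rejected instead of reading past the allocation. Returns -2 on OOM. */
int demo_reported_case(size_t height)
{
    const size_t src_len = 131088, stride = 352, width = 352;
    size_t dst_len = stride * height;
    uint8_t *src = calloc(src_len, 1);
    uint8_t *dst = malloc(dst_len);
    if (!src || !dst) { free(src); free(dst); return -2; }
    int rc = copy_plane_checked(dst, dst_len, stride,
                                src, src_len, stride, width, height);
    free(src);
    free(dst);
    return rc;
}
```

With these constructed sizes, 372 rows of 352 bytes (130944 bytes) fit in the region and copy cleanly, while 373 rows (131296 bytes) are rejected before the memcpy that ASan flagged would run.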

