Heap Buffer Overflow vulnerability in GPAC version 2.3-DEV-rev617-g671976fcc-master, allows attackers to execute arbitrary code and cause a denial of service (DoS) via str2ulong class in src/media_tools/avilib.c in gpac/MP4Box.

**heap-buffer-overflow in str2ulong src/media\_tools/avilib.c:137:16 in gpac/MP4Box****Description**

Heap-buffer-overflow in MP4Box.  
#0 0x7ffff694c441 in str2ulong /afltest/gpac2/src/media\_tools/avilib.c:137:16

**Version**

MP4Box - GPAC version 2.3-DEV-rev617-g671976fcc-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration:
Features: GPAC\_CONFIG\_LINUX GPAC\_64\_BITS GPAC\_HAS\_IPV6 GPAC\_HAS\_SSL GPAC\_HAS\_SOCK\_UN GPAC\_MINIMAL\_ODF GPAC\_HAS\_QJS GPAC\_HAS\_JPEG GPAC\_HAS\_PNG GPAC\_HAS\_FFMPEG GPAC\_HAS\_VORBIS GPAC\_HAS\_LINUX\_DVB

**ASAN Log**

./MP4Box -dash 500 -check-xml -dm2ts -bin -out /dev/null poc6gpac

\=================================================================
==1173259==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001a330 at pc 0x7ffff694c442 bp 0x7ffffffeea70 sp 0x7ffffffeea68
READ of size 1 at 0x62100001a330 thread T0
    #0 0x7ffff694c441 in str2ulong /afltest/gpac2/src/media\_tools/avilib.c:137:16
    #1 0x7ffff694c441 in avi\_parse\_input\_file /afltest/gpac2/src/media\_tools/avilib.c:2004:9
    #2 0x7ffff694220a in AVI\_open\_input\_file /afltest/gpac2/src/media\_tools/avilib.c:1840:2
    #3 0x7ffff6f9d3f3 in avidmx\_process /afltest/gpac2/src/filters/dmx\_avi.c:492:14
    #4 0x7ffff6e8f502 in gf\_filter\_process\_task /afltest/gpac2/src/filter\_core/filter.c:2971:7
    #5 0x7ffff6e62ee9 in gf\_fs\_thread\_proc /afltest/gpac2/src/filter\_core/filter\_session.c:2105:3
    #6 0x7ffff6e6193d in gf\_fs\_run /afltest/gpac2/src/filter\_core/filter\_session.c:2405:3
    #7 0x7ffff67a625c in gf\_dasher\_process /afltest/gpac2/src/media\_tools/dash\_segmenter.c:1236:6
    #8 0x50dfc7 in do\_dash /afltest/gpac2/applications/mp4box/mp4box.c:4831:15
    #9 0x50dfc7 in mp4box\_main /afltest/gpac2/applications/mp4box/mp4box.c:6245:7
    #10 0x7ffff58cb082 in \_\_libc\_start\_main /build/glibc-BHL3KM/glibc-2.31/csu/../csu/libc-start.c:308:16
    #11 0x42adad in \_start (/afltest/gpac2/bin/gcc/MP4Box+0x42adad)

0x62100001a330 is located 0 bytes to the right of 4656-byte region \[0x621000019100,0x62100001a330)
allocated by thread T0 here:
    #0 0x4a34ed in malloc (/afltest/gpac2/bin/gcc/MP4Box+0x4a34ed)
    #1 0x7ffff6942aae in avi\_parse\_input\_file /afltest/gpac2/src/media\_tools/avilib.c:1944:35
    #2 0x7ffff694220a in AVI\_open\_input\_file /afltest/gpac2/src/media\_tools/avilib.c:1840:2

SUMMARY: AddressSanitizer: heap-buffer-overflow /afltest/gpac2/src/media\_tools/avilib.c:137:16 in str2ulong
Shadow bytes around the buggy address:
  0x0c427fffb410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffb420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffb430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffb440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffb450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
\=>0x0c427fffb460: 00 00 00 00 00 00\[fa\]fa fa fa fa fa fa fa fa fa
  0x0c427fffb470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb4a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb4b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
\==1173259\==ABORTING

**Reproduction**

git clone https://github.com/gpac/gpac.git
cd gpac
./configure --enable-sanitizer
make -j24

./bin/gcc/MP4Box -dash 500 -check-xml -dm2ts -bin -out /dev/null poc6gpac

_Thanks_ _for_ _your_ _time_!

**PoC**

poc6gpac: poc6gpac.zip

****Impact****

This vulnerability is capable of causing crashes, or possible code execution.

**Reference**

https://github.com/gpac/gpac

**Environment**

    ubuntu:20.04
    gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
    clang version 10.0.0-4ubuntu1
    afl-cc++4.09
    

**Credit**

Zeng Yunxiang

Song Jiaxuan

CVE-2023-46932: heap-buffer-overflow in str2ulong src/media_tools/avilib.c:137:16 in gpac/MP4Box · Issue #2669 · gpac/gpac

Ubuntu Security Notice 6542-1 - Wang Zhong discovered that TinyXML incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6542-1December 07, 2023tinyxml vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTS- Ubuntu 18.04 LTS (Available with Ubuntu Pro)- Ubuntu 16.04 LTS (Available with Ubuntu Pro)Summary:TinyXML could be made to crash if it opened a specially craftedfile.Software Description:- tinyxml: A simple, small, minimal, C++ XML parserDetails:Wang Zhong discovered that TinyXML incorrectly handled certain inputs. If auser or an automated system were tricked into opening a specially craftedinput file, a remote attacker could possibly use this issue to cause adenial of service.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:   libtinyxml-dev                  2.6.2-4+deb10u1build0.20.04.1   libtinyxml2.6.2v5               2.6.2-4+deb10u1build0.20.04.1Ubuntu 18.04 LTS (Available with Ubuntu Pro):   libtinyxml-dev                  2.6.2-4ubuntu0.18.04.1~esm1   libtinyxml2.6.2v5               2.6.2-4ubuntu0.18.04.1~esm1Ubuntu 16.04 LTS (Available with Ubuntu Pro):   libtinyxml-dev                  2.6.2-3ubuntu0.1~esm1   libtinyxml2.6.2v5               2.6.2-3ubuntu0.1~esm1In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6542-1   CVE-2021-42260Package Information:   https://launchpad.net/ubuntu/+source/tinyxml/2.6.2-4+deb10u1build0.20.04.1

Ubuntu Security Notice USN-6542-1

libheif v1.17.5 was discovered to contain a segmentation violation via the component /libheif/exif.cc.

**Description**

SEGV libheif/libheif/exif.cc:55 in read16

**Version**

     heif-convert  libheif version: 1.17.5
    -------------------------------------------
    Usage: heif-convert [options]  <input-image> [output-image]
    
    The program determines the output file format from the output filename suffix.
    These suffixes are recognized: jpg, jpeg, png, y4m. If no output filename is specified, 'jpg' is used.
    
    Options:
      -h, --help                     show help
      -v, --version                  show version
      -q, --quality                  quality (for JPEG output)
      -o, --output FILENAME          write output to FILENAME (optional)
      -d, --decoder ID               use a specific decoder (see --list-decoders)
          --with-aux                 also write auxiliary images (e.g. depth images)
          --with-xmp                 write XMP metadata to file (output filename with .xmp suffix)
          --with-exif                write EXIF metadata to file (output filename with .exif suffix)
          --skip-exif-offset         skip EXIF metadata offset bytes
          --no-colons                replace ':' characters in auxiliary image filenames with '_'
          --list-decoders            list all available decoders (built-in and plugins)
          --quiet                    do not output status messages to console
      -C, --chroma-upsampling ALGO   Force chroma upsampling algorithm (nn = nearest-neighbor / bilinear)
          --png-compression-level #  Set to integer between 0 (fastest) and 9 (best). Use -1 for default.
    

**Replay**

    cd libheif
    mkdir build && cd build
    CC="gcc -fsanitize=address" CXX="g++ -fsanitize=address" cmake --preset=release ..
    make -j
    ./examples/heif-convert ./poc test.png
    

**ASAN**

    ==1926429==ERROR: AddressSanitizer: SEGV on unknown address 0x60b080000729 (pc 0x55abe2b1012c bp 0x000000000000 sp 0x7ffe0b2df5a0 T0)
    ==1926429==The signal is caused by a READ memory access.
        #0 0x55abe2b1012c in read16 /eva/put/libheif/libheif/exif.cc:55
        #1 0x55abe2b1012c in find_exif_tag /eva/put/libheif/libheif/exif.cc:103
        #2 0x55abe2b1136b in modify_exif_tag_if_it_exists(unsigned char*, int, unsigned short, unsigned short) /eva/put/libheif/libheif/exif.cc:124
        #3 0x55abe2b1136b in modify_exif_orientation_tag_if_it_exists(unsigned char*, int, unsigned short) /eva/put/libheif/libheif/exif.cc:140
        #4 0x55abe2b16c75 in PngEncoder::Encode(heif_image_handle const*, heif_image const*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /eva/put/libheif/examples/encoder_png.cc:126
        #5 0x55abe2b00c99 in main /eva/put/libheif/examples/heif_convert.cc:509
        #6 0x7fb15dc29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #7 0x7fb15dc29e3f in __libc_start_main_impl ../csu/libc-start.c:392
        #8 0x55abe2b09254 in _start (/eva/asan-bin/NestFuzz/libheif/heif-convert+0x15254)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /eva/put/libheif/libheif/exif.cc:55 in read16
    ==1926429==ABORTING
    

**POC**

poc

**Environment**

    Description:	Ubuntu 22.04.2 LTS
    gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
    

**Credit**

Yuchuan Meng (Fudan University)

CVE-2023-49462: SEGV libheif/libheif/exif.cc:55 in read16 · Issue #1043 · strukturag/libheif

libheif v1.17.5 was discovered to contain a segmentation violation via the function UncompressedImageCodec::get_luma_bits_per_pixel_from_configuration_unci.

**Description**

heap-use-after-free/SEGV/heap-buffer-overflow libheif/libheif/uncompressed_image.cc:537 in UncompressedImageCodec::get_luma_bits_per_pixel_from_configuration_unci

**Version**

    commit: 64ece913266609789f5dc70fe7de9eb759badd7f
    
    heif-convert  libheif version: 1.17.5
    -------------------------------------------
    Usage: heif-convert [options]  <input-image> [output-image]
    
    The program determines the output file format from the output filename suffix.
    These suffixes are recognized: jpg, jpeg, png, y4m. If no output filename is specified, 'jpg' is used.
    
    Options:
      -h, --help                     show help
      -v, --version                  show version
      -q, --quality                  quality (for JPEG output)
      -o, --output FILENAME          write output to FILENAME (optional)
      -d, --decoder ID               use a specific decoder (see --list-decoders)
          --with-aux                 also write auxiliary images (e.g. depth images)
          --with-xmp                 write XMP metadata to file (output filename with .xmp suffix)
          --with-exif                write EXIF metadata to file (output filename with .exif suffix)
          --skip-exif-offset         skip EXIF metadata offset bytes
          --no-colons                replace ':' characters in auxiliary image filenames with '_'
          --list-decoders            list all available decoders (built-in and plugins)
          --quiet                    do not output status messages to console
      -C, --chroma-upsampling ALGO   Force chroma upsampling algorithm (nn = nearest-neighbor / bilinear)
          --png-compression-level #  Set to integer between 0 (fastest) and 9 (best). Use -1 for default.
    

**Replay**

    cd libheif
    mkdir build && cd build
    CC="gcc -fsanitize=address" CXX="g++ -fsanitize=address" cmake -DCMAKE_BUILD_TYPE=Debug -DWITH_UNCOMPRESSED_CODEC=ON ..
    make -j
    ./examples/heif-convert ./poc test.png
    

**ASAN**

> I just show the uaf case, you can use my poc to reproduce the others.

    ==88148==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e000000910 at pc 0x7f7a88d9ab47 bp 0x7ffef17996e0 sp 0x7ffef17996d0
    READ of size 2 at 0x60e000000910 thread T0
        #0 0x7f7a88d9ab46 in UncompressedImageCodec::get_luma_bits_per_pixel_from_configuration_unci(HeifFile const&, unsigned int) libheif/libheif/uncompressed_image.cc:537
        #1 0x7f7a88c96f95 in HeifFile::get_luma_bits_per_pixel_from_configuration(unsigned int) const libheif/libheif/file.cc:609
        #2 0x7f7a88c58d54 in HeifContext::Image::get_luma_bits_per_pixel() const libheif/libheif/context.cc:1225
        #3 0x7f7a88c1abf7 in heif_image_handle_get_luma_bits_per_pixel libheif/libheif/heif.cc:846
        #4 0x55fa40c34835 in main libheif/examples/heif_convert.cc:475
        #5 0x7f7a88694082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
        #6 0x55fa40c2fadd in _start (libheif/build/examples/heif-convert+0xbadd)
    
    0x60e000000910 is located 16 bytes inside of 160-byte region [0x60e000000900,0x60e0000009a0)
    freed by thread T0 here:
        #0 0x7f7a88f6c0d0 in operator delete(void*) (/lib/x86_64-linux-gnu/libasan.so.4+0xe20d0)
        #1 0x7f7a88c038d9 in __gnu_cxx::new_allocator<std::_Sp_counted_ptr_inplace<Box_hdlr, std::allocator<Box_hdlr>, (__gnu_cxx::_Lock_policy)2> >::deallocate(std::_Sp_counted_ptr_inplace<Box_hdlr, std::allocator<Box_hdlr>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) /usr/include/c++/7/ext/new_allocator.h:125
        #2 0x7f7a88bfef61 in std::allocator_traits<std::allocator<std::_Sp_counted_ptr_inplace<Box_hdlr, std::allocator<Box_hdlr>, (__gnu_cxx::_Lock_policy)2> > >::deallocate(std::allocator<std::_Sp_counted_ptr_inplace<Box_hdlr, std::allocator<Box_hdlr>, (__gnu_cxx::_Lock_policy)2> >&, std::_Sp_counted_ptr_inplace<Box_hdlr, std::allocator<Box_hdlr>, (__gnu_cxx::_Lock_policy)2>*, unsigned long) /usr/include/c++/7/bits/alloc_traits.h:462
        #3 0x7f7a88bf4553 in std::__allocated_ptr<std::allocator<std::_Sp_counted_ptr_inplace<Box_hdlr, std::allocator<Box_hdlr>, (__gnu_cxx::_Lock_policy)2> > >::~__allocated_ptr() /usr/include/c++/7/bits/allocated_ptr.h:73
        #4 0x7f7a88c1019d in std::_Sp_counted_ptr_inplace<Box_hdlr, std::allocator<Box_hdlr>, (__gnu_cxx::_Lock_policy)2>::_M_destroy() /usr/include/c++/7/bits/shared_ptr_base.h:543
        #5 0x7f7a88b94163 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/include/c++/7/bits/shared_ptr_base.h:170
        #6 0x7f7a88b938c3 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /usr/include/c++/7/bits/shared_ptr_base.h:684
        #7 0x7f7a88bc23e3 in std::__shared_ptr<Box, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /usr/include/c++/7/bits/shared_ptr_base.h:1123
        #8 0x7f7a88bc24a3 in std::shared_ptr<Box>::~shared_ptr() /usr/include/c++/7/bits/shared_ptr.h:93
        #9 0x7f7a88be9854 in void std::_Destroy<std::shared_ptr<Box> >(std::shared_ptr<Box>*) /usr/include/c++/7/bits/stl_construct.h:98
        #10 0x7f7a88be4eb8 in void std::_Destroy_aux<false>::__destroy<std::shared_ptr<Box>*>(std::shared_ptr<Box>*, std::shared_ptr<Box>*) /usr/include/c++/7/bits/stl_construct.h:108
        #11 0x7f7a88bdafef in void std::_Destroy<std::shared_ptr<Box>*>(std::shared_ptr<Box>*, std::shared_ptr<Box>*) /usr/include/c++/7/bits/stl_construct.h:137
        #12 0x7f7a88bce3b8 in void std::_Destroy<std::shared_ptr<Box>*, std::shared_ptr<Box> >(std::shared_ptr<Box>*, std::shared_ptr<Box>*, std::allocator<std::shared_ptr<Box> >&) /usr/include/c++/7/bits/stl_construct.h:206
        #13 0x7f7a88bc3acf in std::vector<std::shared_ptr<Box>, std::allocator<std::shared_ptr<Box> > >::~vector() /usr/include/c++/7/bits/stl_vector.h:434
        #14 0x7f7a88bc02f8 in Box::~Box() (libheif/build/libheif/libheif.so.1+0xa22f8)
        #15 0x7f7a88bc053e in FullBox::~FullBox() (libheif/build/libheif/libheif.so.1+0xa253e)
        #16 0x7f7a88c09a8c in Box_meta::~Box_meta() (libheif/build/libheif/libheif.so.1+0xeba8c)
        #17 0x7f7a88c12579 in void __gnu_cxx::new_allocator<Box_meta>::destroy<Box_meta>(Box_meta*) /usr/include/c++/7/ext/new_allocator.h:140
        #18 0x7f7a88c111de in void std::allocator_traits<std::allocator<Box_meta> >::destroy<Box_meta>(std::allocator<Box_meta>&, Box_meta*) /usr/include/c++/7/bits/alloc_traits.h:487
        #19 0x7f7a88c10310 in std::_Sp_counted_ptr_inplace<Box_meta, std::allocator<Box_meta>, (__gnu_cxx::_Lock_policy)2>::_M_dispose() /usr/include/c++/7/bits/shared_ptr_base.h:535
        #20 0x7f7a88b940ec in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() /usr/include/c++/7/bits/shared_ptr_base.h:154
        #21 0x7f7a88b938c3 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() /usr/include/c++/7/bits/shared_ptr_base.h:684
        #22 0x7f7a88bc23e3 in std::__shared_ptr<Box, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() /usr/include/c++/7/bits/shared_ptr_base.h:1123
        #23 0x7f7a88bc24a3 in std::shared_ptr<Box>::~shared_ptr() /usr/include/c++/7/bits/shared_ptr.h:93
        #24 0x7f7a88b9d8b5 in Box::read(BitstreamRange&, std::shared_ptr<Box>*) libheif/libheif/box.cc:436
        #25 0x7f7a88b9edac in Box::read_children(BitstreamRange&, int) libheif/libheif/box.cc:749
        #26 0x7f7a88bab707 in Box_iprp::parse(BitstreamRange&) libheif/libheif/box.cc:1731
        #27 0x7f7a88b9d7eb in Box::read(BitstreamRange&, std::shared_ptr<Box>*) libheif/libheif/box.cc:672
        #28 0x7f7a88b9edac in Box::read_children(BitstreamRange&, int) libheif/libheif/box.cc:749
        #29 0x7f7a88ba14a0 in Box_meta::parse(BitstreamRange&) libheif/libheif/box.cc:920
    
    previously allocated by thread T0 here:
        #0 0x7f7a88f6b258 in operator new(unsigned long) (/lib/x86_64-linux-gnu/libasan.so.4+0xe1258)
        #1 0x7f7a88c038a8 in __gnu_cxx::new_allocator<std::_Sp_counted_ptr_inplace<Box_hdlr, std::allocator<Box_hdlr>, (__gnu_cxx::_Lock_policy)2> >::allocate(unsigned long, void const*) /usr/include/c++/7/ext/new_allocator.h:111
        #2 0x7f7a88bfeeb4 in std::allocator_traits<std::allocator<std::_Sp_counted_ptr_inplace<Box_hdlr, std::allocator<Box_hdlr>, (__gnu_cxx::_Lock_policy)2> > >::allocate(std::allocator<std::_Sp_counted_ptr_inplace<Box_hdlr, std::allocator<Box_hdlr>, (__gnu_cxx::_Lock_policy)2> >&, unsigned long) /usr/include/c++/7/bits/alloc_traits.h:436
        #3 0x7f7a88bf44b9 in std::__allocated_ptr<std::allocator<std::_Sp_counted_ptr_inplace<Box_hdlr, std::allocator<Box_hdlr>, (__gnu_cxx::_Lock_policy)2> > > std::__allocate_guarded<std::allocator<std::_Sp_counted_ptr_inplace<Box_hdlr, std::allocator<Box_hdlr>, (__gnu_cxx::_Lock_policy)2> > >(std::allocator<std::_Sp_counted_ptr_inplace<Box_hdlr, std::allocator<Box_hdlr>, (__gnu_cxx::_Lock_policy)2> >&) /usr/include/c++/7/bits/allocated_ptr.h:104
        #4 0x7f7a88bea393 in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::__shared_count<Box_hdlr, std::allocator<Box_hdlr>>(std::_Sp_make_shared_tag, Box_hdlr*, std::allocator<Box_hdlr> const&) /usr/include/c++/7/bits/shared_ptr_base.h:635
        #5 0x7f7a88be5955 in std::__shared_ptr<Box_hdlr, (__gnu_cxx::_Lock_policy)2>::__shared_ptr<std::allocator<Box_hdlr>>(std::_Sp_make_shared_tag, std::allocator<Box_hdlr> const&) /usr/include/c++/7/bits/shared_ptr_base.h:1295
        #6 0x7f7a88bdc441 in std::shared_ptr<Box_hdlr>::shared_ptr<std::allocator<Box_hdlr>>(std::_Sp_make_shared_tag, std::allocator<Box_hdlr> const&) /usr/include/c++/7/bits/shared_ptr.h:344
        #7 0x7f7a88bcf8a2 in std::shared_ptr<Box_hdlr> std::allocate_shared<Box_hdlr, std::allocator<Box_hdlr>>(std::allocator<Box_hdlr> const&) /usr/include/c++/7/bits/shared_ptr.h:691
        #8 0x7f7a88bc4768 in std::shared_ptr<Box_hdlr> std::make_shared<Box_hdlr>() /usr/include/c++/7/bits/shared_ptr.h:707
        #9 0x7f7a88b9bcf3 in Box::read(BitstreamRange&, std::shared_ptr<Box>*) libheif/libheif/box.cc:448
        #10 0x7f7a88b9edac in Box::read_children(BitstreamRange&, int) libheif/libheif/box.cc:749
        #11 0x7f7a88ba14a0 in Box_meta::parse(BitstreamRange&) libheif/libheif/box.cc:920
        #12 0x7f7a88b9d7eb in Box::read(BitstreamRange&, std::shared_ptr<Box>*) libheif/libheif/box.cc:672
        #13 0x7f7a88b9edac in Box::read_children(BitstreamRange&, int) libheif/libheif/box.cc:749
        #14 0x7f7a88bab707 in Box_iprp::parse(BitstreamRange&) libheif/libheif/box.cc:1731
        #15 0x7f7a88b9d7eb in Box::read(BitstreamRange&, std::shared_ptr<Box>*) libheif/libheif/box.cc:672
        #16 0x7f7a88b9edac in Box::read_children(BitstreamRange&, int) libheif/libheif/box.cc:749
        #17 0x7f7a88ba14a0 in Box_meta::parse(BitstreamRange&) libheif/libheif/box.cc:920
        #18 0x7f7a88b9d7eb in Box::read(BitstreamRange&, std::shared_ptr<Box>*) libheif/libheif/box.cc:672
        #19 0x7f7a88b9edac in Box::read_children(BitstreamRange&, int) libheif/libheif/box.cc:749
        #20 0x7f7a88ba14a0 in Box_meta::parse(BitstreamRange&) libheif/libheif/box.cc:920
        #21 0x7f7a88b9d7eb in Box::read(BitstreamRange&, std::shared_ptr<Box>*) libheif/libheif/box.cc:672
        #22 0x7f7a88c9217e in HeifFile::parse_heif_file(BitstreamRange&) libheif/libheif/file.cc:254
        #23 0x7f7a88c8ffc6 in HeifFile::read(std::shared_ptr<StreamReader> const&) libheif/libheif/file.cc:107
        #24 0x7f7a88c8f8c6 in HeifFile::read_from_file(char const*) libheif/libheif/file.cc:88
        #25 0x7f7a88c4b3d7 in HeifContext::read_from_file(char const*) libheif/libheif/context.cc:429
        #26 0x7f7a88c163ff in heif_context_read_from_file libheif/libheif/heif.cc:451
        #27 0x55fa40c33e68 in main libheif/examples/heif_convert.cc:410
        #28 0x7f7a88694082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    
    SUMMARY: AddressSanitizer: heap-use-after-free libheif/libheif/uncompressed_image.cc:537 in UncompressedImageCodec::get_luma_bits_per_pixel_from_configuration_unci(HeifFile const&, unsigned int)
    Shadow bytes around the buggy address:
      0x0c1c7fff80d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c1c7fff80e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
      0x0c1c7fff80f0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
      0x0c1c7fff8100: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c1c7fff8110: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
    =>0x0c1c7fff8120: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c1c7fff8130: fd fd fd fd fa fa fa fa fa fa fa fa fd fd fd fd
      0x0c1c7fff8140: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
      0x0c1c7fff8150: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
      0x0c1c7fff8160: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
      0x0c1c7fff8170: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==88148==ABORTING
    

**POC**

*   poc-heap-overflow
*   poc-heap-uaf
*   poc-segv

**Environment**

    Description:	Ubuntu 22.04.2 LTS
    gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
    

**Credit**

Yuchuan Meng (Fudan University)

CVE-2023-49464: heap-use-after-free/SEGV/heap-buffer-overflow in UncompressedImageCodec::get_luma_bits_per_pixel_from_configuration_unci · Issue #1044 · strukturag/libheif

libheif v1.17.5 was discovered to contain a segmentation violation via the function find_exif_tag at /libheif/exif.cc.

**Description**

SEGV libheif/libheif/exif.cc:88 in find_exif_tag

**Version**

     heif-convert  libheif version: 1.17.5
    -------------------------------------------
    Usage: heif-convert [options]  <input-image> [output-image]
    
    The program determines the output file format from the output filename suffix.
    These suffixes are recognized: jpg, jpeg, png, y4m. If no output filename is specified, 'jpg' is used.
    
    Options:
      -h, --help                     show help
      -v, --version                  show version
      -q, --quality                  quality (for JPEG output)
      -o, --output FILENAME          write output to FILENAME (optional)
      -d, --decoder ID               use a specific decoder (see --list-decoders)
          --with-aux                 also write auxiliary images (e.g. depth images)
          --with-xmp                 write XMP metadata to file (output filename with .xmp suffix)
          --with-exif                write EXIF metadata to file (output filename with .exif suffix)
          --skip-exif-offset         skip EXIF metadata offset bytes
          --no-colons                replace ':' characters in auxiliary image filenames with '_'
          --list-decoders            list all available decoders (built-in and plugins)
          --quiet                    do not output status messages to console
      -C, --chroma-upsampling ALGO   Force chroma upsampling algorithm (nn = nearest-neighbor / bilinear)
          --png-compression-level #  Set to integer between 0 (fastest) and 9 (best). Use -1 for default.
    

**Replay**

    cd libheif
    mkdir build && cd build
    CC="gcc -fsanitize=address" CXX="g++ -fsanitize=address" cmake --preset=release ..
    make -j
    ./examples/heif-convert ./poc test.png
    

**ASAN**

    =================================================================
    ==216883==ERROR: AddressSanitizer: SEGV on unknown address 0x60b0b184d2bc (pc 0x55f4628c3ca8 bp 0x00004e7b34c8 sp 0x7ffe414d49b0 T0)
    ==216883==The signal is caused by a READ memory access.
        #0 0x55f4628c3ca8 in find_exif_tag eva/put/libheif/libheif/exif.cc:88
        #1 0x55f4628c536b in modify_exif_tag_if_it_exists(unsigned char*, int, unsigned short, unsigned short) eva/put/libheif/libheif/exif.cc:124
        #2 0x55f4628c536b in modify_exif_orientation_tag_if_it_exists(unsigned char*, int, unsigned short) eva/put/libheif/libheif/exif.cc:140
        #3 0x55f4628cac75 in PngEncoder::Encode(heif_image_handle const*, heif_image const*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) eva/put/libheif/examples/encoder_png.cc:126
        #4 0x55f4628b4c99 in main eva/put/libheif/examples/heif_convert.cc:509
        #5 0x7fb342a29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #6 0x7fb342a29e3f in __libc_start_main_impl ../csu/libc-start.c:392
        #7 0x55f4628bd254 in _start (eva/put/libheif/build/examples/heif-convert+0x15254)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV eva/put/libheif/libheif/exif.cc:88 in find_exif_tag
    ==216883==ABORTING
    

**POC**

poc

**Environment**

    Description:	Ubuntu 22.04.2 LTS
    gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
    

**Credit**

Yuchuan Meng (Fudan University)

CVE-2023-49463: SEGV libheif/libheif/exif.cc:88 in find_exif_tag · Issue #1042 · strukturag/libheif

libheif v1.17.5 was discovered to contain a segmentation violation via the function UncompressedImageCodec::decode_uncompressed_image.

**Description**

AddressSanitizer: SEGV in decode_uncompressed_image

**Version**

    commit: 64ece913266609789f5dc70fe7de9eb759badd7f
    
    heif-convert  libheif version: 1.17.5
    -------------------------------------------
    Usage: heif-convert [options]  <input-image> [output-image]
    
    The program determines the output file format from the output filename suffix.
    These suffixes are recognized: jpg, jpeg, png, y4m. If no output filename is specified, 'jpg' is used.
    
    Options:
      -h, --help                     show help
      -v, --version                  show version
      -q, --quality                  quality (for JPEG output)
      -o, --output FILENAME          write output to FILENAME (optional)
      -d, --decoder ID               use a specific decoder (see --list-decoders)
          --with-aux                 also write auxiliary images (e.g. depth images)
          --with-xmp                 write XMP metadata to file (output filename with .xmp suffix)
          --with-exif                write EXIF metadata to file (output filename with .exif suffix)
          --skip-exif-offset         skip EXIF metadata offset bytes
          --no-colons                replace ':' characters in auxiliary image filenames with '_'
          --list-decoders            list all available decoders (built-in and plugins)
          --quiet                    do not output status messages to console
      -C, --chroma-upsampling ALGO   Force chroma upsampling algorithm (nn = nearest-neighbor / bilinear)
          --png-compression-level #  Set to integer between 0 (fastest) and 9 (best). Use -1 for default.
    

**Replay**

    cd libheif
    mkdir build && cd build
    CC="gcc -fsanitize=address" CXX="g++ -fsanitize=address" cmake -DCMAKE_BUILD_TYPE=Debug -DWITH_UNCOMPRESSED_CODEC=ON ..
    make -j
    ./examples/heif-convert ./poc test.png
    

**ASAN**

    ==89344==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f955d086aeb bp 0x7ffdd923ebb0 sp 0x7ffdd923e318 T0)
    ==89344==The signal is caused by a READ memory access.
    ==89344==Hint: address points to the zero page.
        #0 0x7f955d086aea in memcpy (/lib/x86_64-linux-gnu/libc.so.6+0xbbaea)
        #1 0x7f955d85f4de  (/lib/x86_64-linux-gnu/libasan.so.4+0x7a4de)
        #2 0x7f955d6f8495 in UncompressedImageCodec::decode_uncompressed_image(std::shared_ptr<HeifFile const> const&, unsigned int, std::shared_ptr<HeifPixelImage>&, unsigned int, unsigned int, std::vector<unsigned char, std::allocator<unsigned char> > const&) libheif/libheif/uncompressed_image.cc:758
        #3 0x7f955d5b7304 in HeifContext::decode_image_planar(unsigned int, std::shared_ptr<HeifPixelImage>&, heif_colorspace, heif_decoding_options const&, bool) const libheif/libheif/context.cc:1452
        #4 0x7f955d5b42a8 in HeifContext::decode_image_user(unsigned int, std::shared_ptr<HeifPixelImage>&, heif_colorspace, heif_chroma, heif_decoding_options const&) const libheif/libheif/context.cc:1248
        #5 0x7f955d5771f4 in heif_decode_image libheif/libheif/heif.cc:1044
        #6 0x55e9351aca11 in main libheif/examples/heif_convert.cc:484
        #7 0x7f955cfef082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
        #8 0x55e9351a7add in _start (libheif/build/examples/heif-convert+0xbadd)
    

**POC**

*   poc

**Environment**

    Description:	Ubuntu 22.04.2 LTS
    gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
    

**Credit**

Yuchuan Meng (Fudan University)

CVE-2023-49460: AddressSanitizer: SEGV in `decode_uncompressed_image` · Issue #1046 · strukturag/libheif

Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_combined_bipredictive_merging_candidates function at motion.cc.

**Description**

heap-buffer-overflow eva/put/libde265/libde265/motion.cc:1443 in derive_combined_bipredictive_merging_candidates(base_context const*, slice_segment_header const*, PBMotion*, int*, int)

**Version**

     dec265  v1.0.14
    -----------------
    usage: dec265 [options] videofile.bin
    The video file must be a raw bitstream, or a stream with NAL units (option -n).
    
    options:
      -q, --quiet       do not show decoded image
      -t, --threads N   set number of worker threads (0 - no threading)
      -c, --check-hash  perform hash check
      -n, --nal         input is a stream with 4-byte length prefixed NAL units
      -f, --frames N    set number of frames to process
      -o, --output      write YUV reconstruction
      -d, --dump        dump headers
      -0, --noaccel     do not use any accelerated code (SSE)
      -v, --verbose     increase verbosity level (up to 3 times)
      -L, --no-logging  disable logging
      -B, --write-bytestream FILENAME  write raw bytestream (from NAL input)
      -m, --measure YUV compute PSNRs relative to reference YUV
      -T, --highest-TID select highest temporal sublayer to decode
          --disable-deblocking   disable deblocking filter
          --disable-sao          disable sample-adaptive offset filter
      -h, --help        show help
    

**Replay**

    cd libde265
    CC="gcc -fsanitize=address" CXX="g++ -fsanitize=address" ./configure
    make -j
    
    # You need to try running poc several times to see the asan result.
    ./dec265/dec265 ./poc
    

**ASAN**

    =================================================================
    ==3684026==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b000000658 at pc 0x5621bef6c512 bp 0x7ffe781d0d70 sp 0x7ffe781d0d60
    READ of size 4 at 0x61b000000658 thread T0
        #0 0x5621bef6c511 in derive_combined_bipredictive_merging_candidates(base_context const*, slice_segment_header const*, PBMotion*, int*, int) eva/put/libde265/libde265/motion.cc:1443
        #1 0x5621bef6d403 in get_merge_candidate_list_without_step_9(base_context*, slice_segment_header const*, MotionVectorAccess const&, de265_image*, int, int, int, int, int, int, int, int, int, PBMotion*) eva/put/libde265/libde265/motion.cc:1564
        #2 0x5621bef8da6a in derive_luma_motion_merge_mode(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, int, int, PBMotion*) eva/put/libde265/libde265/motion.cc:1622
        #3 0x5621bef8da6a in motion_vectors_and_ref_indices(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int, PBMotion*) eva/put/libde265/libde265/motion.cc:2112
        #4 0x5621bef8da6a in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) eva/put/libde265/libde265/motion.cc:2195
        #5 0x5621bee53806 in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int) eva/put/libde265/libde265/slice.cc:4145
        #6 0x5621bee5d5ff in read_coding_unit(thread_context*, int, int, int, int) eva/put/libde265/libde265/slice.cc:4513
        #7 0x5621bee61e7f in read_coding_quadtree(thread_context*, int, int, int, int) eva/put/libde265/libde265/slice.cc:4647
        #8 0x5621bee61df6 in read_coding_quadtree(thread_context*, int, int, int, int) eva/put/libde265/libde265/slice.cc:4644
        #9 0x5621bee64696 in decode_substream(thread_context*, bool, bool) eva/put/libde265/libde265/slice.cc:4750
        #10 0x5621bee6afc9 in read_slice_segment_data(thread_context*) eva/put/libde265/libde265/slice.cc:5063
        #11 0x5621bed2d8b4 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) eva/put/libde265/libde265/decctx.cc:854
        #12 0x5621bed34e55 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) eva/put/libde265/libde265/decctx.cc:956
        #13 0x5621bed387eb in decoder_context::decode_some(bool*) eva/put/libde265/libde265/decctx.cc:741
        #14 0x5621bed4a57a in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) eva/put/libde265/libde265/decctx.cc:699
        #15 0x5621bed4c645 in decoder_context::decode_NAL(NAL_unit*) eva/put/libde265/libde265/decctx.cc:1241
        #16 0x5621bed4d508 in decoder_context::decode(int*) eva/put/libde265/libde265/decctx.cc:1329
        #17 0x5621bed0746c in main eva/put/libde265/dec265/dec265.cc:784
        #18 0x7f2636829d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #19 0x7f2636829e3f in __libc_start_main_impl ../csu/libc-start.c:392
        #20 0x5621bed09ce4 in _start (eva/asan-bin/NestFuzz/libde265/dec265+0x1ece4)
    
    0x61b000000658 is located 80 bytes to the right of 1416-byte region [0x61b000000080,0x61b000000608)
    allocated by thread T0 here:
        #0 0x7f26370b61e7 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:99
        #1 0x5621bed48f17 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) eva/put/libde265/libde265/decctx.cc:635
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow eva/put/libde265/libde265/motion.cc:1443 in derive_combined_bipredictive_merging_candidates(base_context const*, slice_segment_header const*, PBMotion*, int*, int)
    

**POC**

poc

**Environment**

    Description:	Ubuntu 22.04.2 LTS
    gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
    

**Credit**

Yuchuan Meng (Fudan University)

CVE-2023-49467: heap-buffer-overflow `libde265/libde265/motion.cc:1443` in `derive_combined_bipredictive_merging_candidates` · Issue #434 · strukturag/libde265

Libde265 v1.0.14 was discovered to contain a global buffer overflow vulnerability in the read_coding_unit function at slice.cc.

**Description**

global-buffer-overflow libde265/libde265/slice.cc:4493 in read_coding_unit(thread_context*, int, int, int, int)

**Version**

     dec265  v1.0.14
    -----------------
    usage: dec265 [options] videofile.bin
    The video file must be a raw bitstream, or a stream with NAL units (option -n).
    
    options:
      -q, --quiet       do not show decoded image
      -t, --threads N   set number of worker threads (0 - no threading)
      -c, --check-hash  perform hash check
      -n, --nal         input is a stream with 4-byte length prefixed NAL units
      -f, --frames N    set number of frames to process
      -o, --output      write YUV reconstruction
      -d, --dump        dump headers
      -0, --noaccel     do not use any accelerated code (SSE)
      -v, --verbose     increase verbosity level (up to 3 times)
      -L, --no-logging  disable logging
      -B, --write-bytestream FILENAME  write raw bytestream (from NAL input)
      -m, --measure YUV compute PSNRs relative to reference YUV
      -T, --highest-TID select highest temporal sublayer to decode
          --disable-deblocking   disable deblocking filter
          --disable-sao          disable sample-adaptive offset filter
      -h, --help        show help
    

**Replay**

    cd libde265
    CC="gcc -fsanitize=address" CXX="g++ -fsanitize=address" ./configure
    make -j
    ./dec265/dec265 ./poc
    

**ASAN**

    ==1753516==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f6e8318665e at pc 0x7f6e83139f09 bp 0x7fffda7f3620 sp 0x7fffda7f3610
    READ of size 1 at 0x7f6e8318665e thread T0
        #0 0x7f6e83139f08 in read_coding_unit(thread_context*, int, int, int, int) libde265/libde265/slice.cc:4493
        #1 0x7f6e8313abda in read_coding_quadtree(thread_context*, int, int, int, int) libde265/libde265/slice.cc:4650
        #2 0x7f6e8313b941 in decode_substream(thread_context*, bool, bool) libde265/libde265/slice.cc:4750
        #3 0x7f6e8313d29d in read_slice_segment_data(thread_context*) libde265/libde265/slice.cc:5063
        #4 0x7f6e830ca881 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) libde265/libde265/decctx.cc:854
        #5 0x7f6e830cca4d in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) libde265/libde265/decctx.cc:956
        #6 0x7f6e830ccfe5 in decoder_context::decode_some(bool*) libde265/libde265/decctx.cc:741
        #7 0x7f6e830d4ec2 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) libde265/libde265/decctx.cc:699
        #8 0x7f6e830d5a4d in decoder_context::decode_NAL(NAL_unit*) libde265/libde265/decctx.cc:1241
        #9 0x7f6e830d6308 in decoder_context::decode(int*) libde265/libde265/decctx.cc:1329
        #10 0x55b9a8c5fd26 in main libde265/dec265/dec265.cc:784
        #11 0x7f6e81e29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #12 0x7f6e81e29e3f in __libc_start_main_impl ../csu/libc-start.c:392
        #13 0x55b9a8c60ca4 in _start (libde265/dec265/.libs/dec265+0x5ca4)
    
    0x7f6e8318665e is located 14 bytes to the right of global variable 'ctxIdxMap' defined in 'slice.cc:1964:22' (0x7f6e83186640) of size 16
    SUMMARY: AddressSanitizer: global-buffer-overflow libde265/libde265/slice.cc:4493 in read_coding_unit(thread_context*, int, int, int, int)
    Shadow bytes around the buggy address:
      0x0fee50628c70: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 01 f9 f9
      0x0fee50628c80: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 00 00 01
      0x0fee50628c90: f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 00 00 00 00
      0x0fee50628ca0: 00 00 00 03 f9 f9 f9 f9 00 00 00 00 00 00 00 02
      0x0fee50628cb0: f9 f9 f9 f9 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9
    =>0x0fee50628cc0: 00 00 f9 f9 f9 f9 f9 f9 00 00 f9[f9]f9 f9 f9 f9
      0x0fee50628cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0fee50628ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0fee50628cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0fee50628d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0fee50628d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1753516==ABORTING
    

**POC**

poc

**Environment**

    Description:	Ubuntu 22.04.2 LTS
    gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
    

**Credit**

Yuchuan Meng (Fudan University)

CVE-2023-49468: global-buffer-overflow in read_coding_unit · Issue #432 · strukturag/libde265

Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derive_spatial_luma_vector_prediction function at motion.cc.

**Description**

heap-buffer-overflow libde265/libde265/motion.cc:1860 in derive_spatial_luma_vector_prediction(base_context*, de265_image*, slice_segment_header const*, int, int, int, int, int, int, int, int, int, int, unsigned char*, MotionVector*)

**Version**

     dec265  v1.0.14
    -----------------
    usage: dec265 [options] videofile.bin
    The video file must be a raw bitstream, or a stream with NAL units (option -n).
    
    options:
      -q, --quiet       do not show decoded image
      -t, --threads N   set number of worker threads (0 - no threading)
      -c, --check-hash  perform hash check
      -n, --nal         input is a stream with 4-byte length prefixed NAL units
      -f, --frames N    set number of frames to process
      -o, --output      write YUV reconstruction
      -d, --dump        dump headers
      -0, --noaccel     do not use any accelerated code (SSE)
      -v, --verbose     increase verbosity level (up to 3 times)
      -L, --no-logging  disable logging
      -B, --write-bytestream FILENAME  write raw bytestream (from NAL input)
      -m, --measure YUV compute PSNRs relative to reference YUV
      -T, --highest-TID select highest temporal sublayer to decode
          --disable-deblocking   disable deblocking filter
          --disable-sao          disable sample-adaptive offset filter
      -h, --help        show help
    

**Replay**

    cd libde265
    CC="gcc -fsanitize=address" CXX="g++ -fsanitize=address" ./configure
    make -j
    
    # You need to try running poc several times to see the asan result.
    ./dec265/dec265 ./poc
    

**ASAN**

    ==1982966==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b000001b10 at pc 0x56501e786954 bp 0x7ffc66164680 sp 0x7ffc66164670
    READ of size 4 at 0x61b000001b10 thread T0
        #0 0x56501e786953 in derive_spatial_luma_vector_prediction(base_context*, de265_image*, slice_segment_header const*, int, int, int, int, int, int, int, int, int, int, unsigned char*, MotionVector*) libde265/libde265/motion.cc:1860
        #1 0x56501e787950 in fill_luma_motion_vector_predictors(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, int, int, int, MotionVector*) libde265/libde265/motion.cc:1990
        #2 0x56501e79c58a in luma_motion_vector_prediction(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int, int, int) libde265/libde265/motion.cc:2063
        #3 0x56501e79c58a in motion_vectors_and_ref_indices(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int, PBMotion*) libde265/libde265/motion.cc:2155
        #4 0x56501e79c58a in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) libde265/libde265/motion.cc:2195
        #5 0x56501e662806 in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int) libde265/libde265/slice.cc:4145
        #6 0x56501e66c4cb in read_coding_unit(thread_context*, int, int, int, int) libde265/libde265/slice.cc:4506
        #7 0x56501e670f59 in read_coding_quadtree(thread_context*, int, int, int, int) libde265/libde265/slice.cc:4650
        #8 0x56501e670df6 in read_coding_quadtree(thread_context*, int, int, int, int) libde265/libde265/slice.cc:4644
        #9 0x56501e670f59 in read_coding_quadtree(thread_context*, int, int, int, int) libde265/libde265/slice.cc:4650
        #10 0x56501e673696 in decode_substream(thread_context*, bool, bool) libde265/libde265/slice.cc:4750
        #11 0x56501e679fc9 in read_slice_segment_data(thread_context*) libde265/libde265/slice.cc:5063
        #12 0x56501e53c8b4 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) libde265/libde265/decctx.cc:854
        #13 0x56501e543e55 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) libde265/libde265/decctx.cc:956
        #14 0x56501e5477eb in decoder_context::decode_some(bool*) libde265/libde265/decctx.cc:741
        #15 0x56501e55957a in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) libde265/libde265/decctx.cc:699
        #16 0x56501e55b645 in decoder_context::decode_NAL(NAL_unit*) libde265/libde265/decctx.cc:1241
        #17 0x56501e55c508 in decoder_context::decode(int*) libde265/libde265/decctx.cc:1329
        #18 0x56501e51646c in main libde265/dec265/dec265.cc:784
        #19 0x7fd4aa229d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
        #20 0x7fd4aa229e3f in __libc_start_main_impl ../csu/libc-start.c:392
        #21 0x56501e518ce4 in _start (eva/asan-bin/NestFuzz/libde265/dec265+0x1ece4)
    
    0x61b000001b10 is located 8 bytes to the right of 1416-byte region [0x61b000001580,0x61b000001b08)
    allocated by thread T0 here:
        #0 0x7fd4aaab61e7 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:99
        #1 0x56501e557f17 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) libde265/libde265/decctx.cc:635
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow libde265/libde265/motion.cc:1860 in derive_spatial_luma_vector_prediction(base_context*, de265_image*, slice_segment_header const*, int, int, int, int, int, int, int, int, int, int, unsigned char*, MotionVector*)
    

**POC**

poc

**Environment**

    Description:	Ubuntu 22.04.2 LTS
    gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
    

**Credit**

Yuchuan Meng (Fudan University)

CVE-2023-49465: heap-buffer-overflow `libde265/libde265/motion.cc:1860` in `derive_spatial_luma_vector_prediction` · Issue #435 · strukturag/libde265

strongSwan before 5.9.12 has a buffer overflow and possible unauthenticated remote code execution via a DH public value that exceeds the internal buffer in charon-tkm's DH proxy. The earliest affected version is 5.3.0. An attack can occur via a crafted IKE_SA_INIT message.

Tag

#c++