Mahara 21.04 before 21.04.7, 21.10 before 21.10.5, 22.04 before 22.04.3, and 22.10 before 22.10.0 potentially allow a PDF export to trigger a remote shell if the site is running on Ubuntu and the flag -dSAFER is not set with Ghostscript.

**Vulnerable PDF can trigger remote shell with PDF export and ghostscript**

Bug #1979575 reported by Robert Lyon on 2022-06-22

This bug affects 1 person

Affects

Status

Importance

Assigned to

Milestone

Mahara

Status tracked in 22.10

21.04

Fix Released

Medium

Unassigned

Mahara 21.04.7

21.10

Fix Released

Medium

Unassigned

Mahara 21.10.5

22.04

Fix Released

Medium

Unassigned

Mahara 22.04.3

22.10

Fix Released

Medium

Unassigned

Mahara 22.10.0

**Bug Description**

The problem is Ubuntu 18.04 servers require the use of the flag -dSAFER with ghostscript, otherwise if you submit a vulnerable PDF you can trigger a remote shell.

In Mahara, ghostscript can be used to combine generated pdfs for pdf export.

As it's not the default way to combine pds and the fact that pdf export is not used by most systems I will mark this as a medium security issue.

CVE-2022-44544: Bug #1979575 “Vulnerable PDF can trigger remote shell with PDF e...” : Bugs : Mahara

jhead 3.06 is vulnerable to Buffer Overflow via exif.c in function Put16u.

Hi jhead Team  
I found an overflow error.

System info：  
Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0  
Fedora 33: clang 11.0.0 , gcc 10.2.1

    OBJ=obj
    SRC=.
    CFLAGS:=$(shell dpkg-buildflags --get CFLAGS) -fsanitize=address
    LDFLAGS:=$(shell dpkg-buildflags --get LDFLAGS) -fsanitize=address
    

    $ ./jhead -autorot jhead_poc
    

onfatal Error : 'out\_jpgs/default/crashes/poc' Bad components count 23000004

Nonfatal Error : 'out\_jpgs/default/crashes/poc' Illegal value pointer for tag 9204 in Exif

Nonfatal Error : 'out\_jpgs/default/crashes/poc' Illegally sized Exif makernote subdir (44288 entries)

Nonfatal Error : 'out\_jpgs/default/crashes/poc' Bad components count 30003

Nonfatal Error : 'out\_jpgs/default/crashes/poc' Bad components count 4a003

Nonfatal Error : 'out\_jpgs/default/crashes/poc' Bad components count 5a20e

Nonfatal Error : 'out\_jpgs/default/crashes/poc' Bad components count 5a28d

Nonfatal Error : 'out\_jpgs/default/crashes/poc' Illegal number format 512 for tag 0438 in Exif

Nonfatal Error : 'out\_jpgs/default/crashes/poc' Bad components count 10003

Nonfatal Error : 'out\_jpgs/default/crashes/poc' Bad components count 10007

Nonfatal Error : 'out\_jpgs/default/crashes/poc' Extraneous 593 padding bytes before section E1

Nonfatal Error : 'out\_jpgs/default/crashes/poc' Undefined rotation value 65281 in Exif

Nonfatal Error : 'out\_jpgs/default/crashes/poc' Bad components count 464946

Nonfatal Error : 'out\_jpgs/default/crashes/poc' Bad components count 11e1ff00

Nonfatal Error : 'out\_jpgs/default/crashes/poc' Bad components count 2a004d

Nonfatal Error : 'out\_jpgs/default/crashes/poc' Illegal number format 15 for tag 010a in Exif

Nonfatal Error : 'out\_jpgs/default/crashes/poc' Illegal number format 16 for tag 0186 in Exif

Nonfatal Error : 'out\_jpgs/default/crashes/poc' Illegal number format 18 for tag 0198 in Exif

Nonfatal Error : 'out\_jpgs/default/crashes/poc' Illegal subdirectory link in Exif header

Nonfatal Error : 'out\_jpgs/default/crashes/poc' Extraneous 10 padding bytes before section DD
=================================================================
==409516==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a0000006b2 at pc 0x00000031c8b8 bp 0x7ffc86175450 sp 0x7ffc86175448
WRITE of size 1 at 0x61a0000006b2 thread T0
    #0 0x31c8b7 in Put16u exif.c
    #1 0x31c8b7 in ClearOrientation exif.c:1248:17
    #2 0x31c8b7 in DoAutoRotate jhead.c:729:20
    #3 0x31c8b7 in ProcessFile jhead.c:879:17
    #4 0x31c8b7 in main jhead.c:1770:13
    #5 0x7f84881c90b2 in \_\_libc\_start\_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #6 0x260eed in \_start (/home/hh/Downloads/jhead/jhead+0x260eed)

0x61a0000006b2 is located 50 bytes inside of 1164-byte region \[0x61a000000680,0x61a000000b0c)
freed by thread T0 here:
    #0 0x2dca72 in free /home/hh/Downloads/llvm-project/compiler-rt/lib/asan/asan\_malloc\_linux.cpp:127:3
    #1 0x3237f4 in DiscardAllButExif jpgfile.c:540:13

previously allocated by thread T0 here:
    #0 0x2dccdd in malloc /home/hh/Downloads/llvm-project/compiler-rt/lib/asan/asan\_malloc\_linux.cpp:145:3
    #1 0x320538 in ReadJpegSections jpgfile.c:175:25
    #2 0x32256b in ReadJpegFile jpgfile.c:381:11

SUMMARY: AddressSanitizer: heap-use-after-free exif.c in Put16u
Shadow bytes around the buggy address:
  0x0c347fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff8090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fff80a0: 00 04 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
\=>0x0c347fff80d0: fd fd fd fd fd fd\[fd\]fd fd fd fd fd fd fd fd fd
  0x0c347fff80e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c347fff80f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c347fff8100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c347fff8110: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c347fff8120: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
\==409516\==ABORTING

CVE-2021-34055: [ Security] heap-buffer-overflow of exif.c in function Put16u · Issue #36 · Matthias-Wandel/jhead

Ubuntu Security Notice 5712-1 - It was discovered that SQLite did not properly handle large string inputs in certain circumstances. An attacker could possibly use this issue to cause a denial of service or arbitrary code execution.

    ==========================================================================Ubuntu Security Notice USN-5712-1November 03, 2022sqlite3 vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESMSummary:SQLite could be made to crash or run programs as your login if itreceived specially crafted input.Software Description:- sqlite3: C library that implements an SQL database engineDetails:It was discovered that SQLite did not properly handle large stringinputs in certain circumstances. An attacker could possibly use thisissue to cause a denial of service or arbitrary code execution.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:   libsqlite3-0                    3.11.0-1ubuntu1.5+esm2   sqlite3                          3.11.0-1ubuntu1.5+esm2In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-5712-1   CVE-2022-35737

Ubuntu Security Notice USN-5712-1

Ubuntu Security Notice 5713-1 - Devin Jeanpierre discovered that Python incorrectly handled sockets when the multiprocessing module was being used. A local attacker could possibly use this issue to execute arbitrary code and escalate privileges.

==========================================================================  
Ubuntu Security Notice USN-5713-1  
November 03, 2022

python3.10 vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS

Summary:

Python could be made to run programs if it received specially crafted  
socket connections.

Software Description:  
- python3.10: An interactive high-level object-oriented language

Details:

Devin Jeanpierre discovered that Python incorrectly handled sockets when  
the multiprocessing module was being used. A local attacker could possibly  
use this issue to execute arbitrary code and escalate privileges.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   python3.10                      3.10.7-1ubuntu0.1  
   python3.10-minimal              3.10.7-1ubuntu0.1

Ubuntu 22.04 LTS:  
   python3.10                      3.10.6-1~22.04.1  
   python3.10-minimal              3.10.6-1~22.04.1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5713-1  
   CVE-2022-42919

Package Information:  
   https://launchpad.net/ubuntu/+source/python3.10/3.10.7-1ubuntu0.1  
   https://launchpad.net/ubuntu/+source/python3.10/3.10.6-1~22.04.1

Ubuntu Security Notice USN-5713-1

Ubuntu Security Notice 5711-2 - USN-5711-1 fixed a vulnerability in NTFS-3G. This update provides the corresponding update for Ubuntu 14.04 ESM Ubuntu 16.04 ESM. Yuchen Zeng and Eduardo Vela discovered that NTFS-3G incorrectly validated certain NTFS metadata. A local attacker could possibly use this issue to gain privileges.

=========================================================================  
Ubuntu Security Notice USN-5711-2  
November 03, 2022

ntfs-3g vulnerability  
=========================================================================  
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.04 ESM  
- Ubuntu 14.04 ESM

Summary:

NTFS-3G could be made to crash or run programs as an administrator  
if it mounted a specially crafted disk.

Software Description:  
- ntfs-3g: read/write NTFS driver for FUSE

Details:

USN-5711-1 fixed a vulnerability in NTFS-3G. This update provides  
the corresponding update for Ubuntu 14.04 ESM Ubuntu 16.04 ESM.

Original advisory details:

 Yuchen Zeng and Eduardo Vela discovered that NTFS-3G incorrectly validated  
 certain NTFS metadata. A local attacker could possibly use this issue to  
 gain privileges.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 16.04 ESM:  
  ntfs-3g                         1:2015.3.14AR.1-1ubuntu0.3+esm4

Ubuntu 14.04 ESM:  
  ntfs-3g                         1:2013.1.13AR.1-2ubuntu2+esm4

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5711-2  
  https://ubuntu.com/security/notices/USN-5711-1  
  CVE-2022-40284

Ubuntu Security Notice USN-5711-2

Ubuntu Security Notice 5711-1 - Yuchen Zeng and Eduardo Vela discovered that NTFS-3G incorrectly validated certain NTFS metadata. A local attacker could possibly use this issue to gain privileges.

==========================================================================  
Ubuntu Security Notice USN-5711-1  
November 02, 2022

ntfs-3g vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

NTFS-3G could be made to crash or run programs as an administrator  
if it mounted a specially crafted disk.

Software Description:  
- ntfs-3g: read/write NTFS driver for FUSE

Details:

Yuchen Zeng and Eduardo Vela discovered that NTFS-3G incorrectly validated  
certain NTFS metadata. A local attacker could possibly use this issue to  
gain privileges.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
   ntfs-3g                         1:2022.5.17-1ubuntu1.1

Ubuntu 22.04 LTS:  
   ntfs-3g                         1:2021.8.22-3ubuntu1.2

Ubuntu 20.04 LTS:  
   ntfs-3g                         1:2017.3.23AR.3-3ubuntu1.3

Ubuntu 18.04 LTS:  
   ntfs-3g                         1:2017.3.23-2ubuntu0.18.04.5

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5711-1  
   CVE-2022-40284

Package Information:  
   https://launchpad.net/ubuntu/+source/ntfs-3g/1:2022.5.17-1ubuntu1.1  
   https://launchpad.net/ubuntu/+source/ntfs-3g/1:2021.8.22-3ubuntu1.2  
   https://launchpad.net/ubuntu/+source/ntfs-3g/1:2017.3.23AR.3-3ubuntu1.3  
   https://launchpad.net/ubuntu/+source/ntfs-3g/1:2017.3.23-2ubuntu0.18.04.5

Ubuntu Security Notice USN-5711-1

GPAC v2.1-DEV-rev368-gfd054169b-master was discovered to contain a memory leak via the component gf_list_new at utils/list.c.

**Description**

Memory Leak in gf\_list\_new utils/list.c:601

**Version**

    $ ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-rev368-gfd054169b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    

**Replay**

    git clone https://github.com/gpac/gpac.git
    cd gpac
    ./configure --enable-sanitizer
    make -j$(nproc)
    ./bin/gcc/MP4Box -bt poc
    

**POC**

https://github.com/FDU-Sec/poc/blob/main/gpac/poc

**ASAN**

    [iso file] Box "emsg" (start 0) has 20 extra bytes
    [iso file] Read Box type 0000bl (0x0000626C) at position 709 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
    [iso file] Box "minf" (start 645) has 3344 extra bytes
    [iso file] Track with no sample table !
    [iso file] Track with no sample description box !
    [iso file] Incomplete box mdat - start 4159 size 68
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] Box "emsg" (start 0) has 20 extra bytes
    [iso file] Read Box type 0000bl (0x0000626C) at position 709 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
    [iso file] Box "minf" (start 645) has 3344 extra bytes
    [iso file] Track with no sample table !
    [iso file] Track with no sample description box !
    [iso file] Incomplete box mdat - start 4159 size 68
    [iso file] Incomplete file while reading for dump - aborting parsing
    Scene loaded - dumping root scene
    
    =================================================================
    ==62092==ERROR: LeakSanitizer: detected memory leaks
    
    Direct leak of 16 byte(s) in 1 object(s) allocated from:
        #0 0x7f4e18113b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
        #1 0x7f4e15492e5d in gf_list_new utils/list.c:601
        #2 0x7f4e159acd1c in gf_isom_parse_movie_boxes_internal isomedia/isom_intern.c:775
        #3 0x7f4e159af13b in gf_isom_parse_movie_boxes isomedia/isom_intern.c:868
        #4 0x7f4e159af13b in gf_isom_open_file isomedia/isom_intern.c:988
        #5 0x558bdd469254 in mp4box_main /gpac/applications/mp4box/mp4box.c:6175
        #6 0x7f4e134d2c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    Direct leak of 16 byte(s) in 1 object(s) allocated from:
        #0 0x7f4e18113b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
        #1 0x7f4e15492e5d in gf_list_new utils/list.c:601
        #2 0x7f4e159acd1c in gf_isom_parse_movie_boxes_internal isomedia/isom_intern.c:775
        #3 0x7f4e159af13b in gf_isom_parse_movie_boxes isomedia/isom_intern.c:868
        #4 0x7f4e159af13b in gf_isom_open_file isomedia/isom_intern.c:988
        #5 0x558bdd47b106 in dump_isom_scene /gpac/applications/mp4box/filedump.c:166
        #6 0x558bdd4654b4 in mp4box_main /gpac/applications/mp4box/mp4box.c:6336
        #7 0x7f4e134d2c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    Indirect leak of 96 byte(s) in 1 object(s) allocated from:
        #0 0x7f4e18113b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
        #1 0x7f4e1593720d in emsg_box_new isomedia/box_code_base.c:12515
        #2 0x7f4e15982447 in gf_isom_box_new_ex isomedia/box_funcs.c:1718
        #3 0x7f4e15982447 in gf_isom_box_parse_ex isomedia/box_funcs.c:247
        #4 0x7f4e15983a7c in gf_isom_parse_root_box isomedia/box_funcs.c:38
        #5 0x7f4e159a927c in gf_isom_parse_movie_boxes_internal isomedia/isom_intern.c:378
        #6 0x7f4e159af13b in gf_isom_parse_movie_boxes isomedia/isom_intern.c:868
        #7 0x7f4e159af13b in gf_isom_open_file isomedia/isom_intern.c:988
        #8 0x558bdd47b106 in dump_isom_scene /gpac/applications/mp4box/filedump.c:166
        #9 0x558bdd4654b4 in mp4box_main /gpac/applications/mp4box/mp4box.c:6336
        #10 0x7f4e134d2c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    Indirect leak of 96 byte(s) in 1 object(s) allocated from:
        #0 0x7f4e18113b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
        #1 0x7f4e1593720d in emsg_box_new isomedia/box_code_base.c:12515
        #2 0x7f4e15982447 in gf_isom_box_new_ex isomedia/box_funcs.c:1718
        #3 0x7f4e15982447 in gf_isom_box_parse_ex isomedia/box_funcs.c:247
        #4 0x7f4e15983a7c in gf_isom_parse_root_box isomedia/box_funcs.c:38
        #5 0x7f4e159a927c in gf_isom_parse_movie_boxes_internal isomedia/isom_intern.c:378
        #6 0x7f4e159af13b in gf_isom_parse_movie_boxes isomedia/isom_intern.c:868
        #7 0x7f4e159af13b in gf_isom_open_file isomedia/isom_intern.c:988
        #8 0x558bdd469254 in mp4box_main /gpac/applications/mp4box/mp4box.c:6175
        #9 0x7f4e134d2c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    Indirect leak of 80 byte(s) in 1 object(s) allocated from:
        #0 0x7f4e18113f30 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef30)
        #1 0x7f4e1549307e in realloc_chain utils/list.c:621
        #2 0x7f4e1549307e in gf_list_add utils/list.c:630
        #3 0x7f4e159aa6d0 in gf_isom_parse_movie_boxes_internal isomedia/isom_intern.c:776
        #4 0x7f4e159af13b in gf_isom_parse_movie_boxes isomedia/isom_intern.c:868
        #5 0x7f4e159af13b in gf_isom_open_file isomedia/isom_intern.c:988
        #6 0x558bdd47b106 in dump_isom_scene /gpac/applications/mp4box/filedump.c:166
        #7 0x558bdd4654b4 in mp4box_main /gpac/applications/mp4box/mp4box.c:6336
        #8 0x7f4e134d2c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    Indirect leak of 80 byte(s) in 1 object(s) allocated from:
        #0 0x7f4e18113f30 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef30)
        #1 0x7f4e1549307e in realloc_chain utils/list.c:621
        #2 0x7f4e1549307e in gf_list_add utils/list.c:630
        #3 0x7f4e159aa6d0 in gf_isom_parse_movie_boxes_internal isomedia/isom_intern.c:776
        #4 0x7f4e159af13b in gf_isom_parse_movie_boxes isomedia/isom_intern.c:868
        #5 0x7f4e159af13b in gf_isom_open_file isomedia/isom_intern.c:988
        #6 0x558bdd469254 in mp4box_main /gpac/applications/mp4box/mp4box.c:6175
        #7 0x7f4e134d2c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    SUMMARY: AddressSanitizer: 384 byte(s) leaked in 6 allocation(s).
    

**Environment**

    Ubuntu 18.04.5 LTS
    Clang 10.0.1
    gcc 7.5.0
    

**Credit**

Peng Deng (Fudan University)

CVE-2022-43254: Memory Leak in gf_list_new utils/list.c:601 · Issue #2284 · gpac/gpac

GPAC v2.1-DEV-rev368-gfd054169b-master was discovered to contain a memory leak via the component gf_odf_new_iod at odf/odf_code.c.

**Description**

Memory Leak in gf\_odf\_new\_iod odf/odf\_code.c:415

**Version**

    $ ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-rev368-gfd054169b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    

**Replay**

    git clone https://github.com/gpac/gpac.git
    cd gpac
    ./configure --enable-sanitizer
    make -j$(nproc)
    ./bin/gcc/MP4Box -xmt poc1.xmt
    

**POC**

https://github.com/FDU-Sec/poc/blob/main/gpac/poc1.xmt

**ASAN**

    XMT: MPEG-4 (XMT) Scene Parsing
    [XMT Parsing] Invalid XML document: Invalid character '<' - Line 13: </decSpeci (line 13)
    Error loading scene: Corrupted Data in file/stream
    
            Error: Corrupted Data in file/stream
    
    =================================================================
    ==40452==ERROR: LeakSanitizer: detected memory leaks
    
    Direct leak of 80 byte(s) in 1 object(s) allocated from:
        #0 0x7fab5407ab40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
        #1 0x7fab51a63192 in gf_odf_new_iod odf/odf_code.c:415
        #2 0x7fab51a6c843 in gf_odf_desc_new odf/odf_codec.c:244
        #3 0x7fab51d0244f in xmt_parse_descriptor scene_manager/loader_xmt.c:1942
        #4 0x7fab51d0553d in xmt_node_start scene_manager/loader_xmt.c:2571
        #5 0x7fab51436f35 in xml_sax_node_start utils/xml_parser.c:304
        #6 0x7fab5143a20f in xml_sax_parse_attribute utils/xml_parser.c:393
        #7 0x7fab5143a20f in xml_sax_parse utils/xml_parser.c:911
        #8 0x7fab5143bdfd in gf_xml_sax_parse_intern utils/xml_parser.c:1072
        #9 0x7fab5143c6b7 in gf_xml_sax_parse utils/xml_parser.c:1100
        #10 0x7fab5143c9c8 in xml_sax_read_file utils/xml_parser.c:1187
        #11 0x7fab5143d5c4 in gf_xml_sax_parse_file utils/xml_parser.c:1299
        #12 0x7fab51cf010a in load_xmt_run scene_manager/loader_xmt.c:3134
        #13 0x564329084177 in dump_isom_scene /gpac/applications/mp4box/filedump.c:207
        #14 0x56432906e4b4 in mp4box_main /gpac/applications/mp4box/mp4box.c:6336
        #15 0x7fab4f439c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    Indirect leak of 112 byte(s) in 1 object(s) allocated from:
        #0 0x7fab5407ab40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
        #1 0x7fab51a614d2 in gf_odf_new_esd odf/odf_code.c:126
        #2 0x7fab51a6c843 in gf_odf_desc_new odf/odf_codec.c:244
        #3 0x7fab51d0244f in xmt_parse_descriptor scene_manager/loader_xmt.c:1942
        #4 0x7fab51d0553d in xmt_node_start scene_manager/loader_xmt.c:2571
        #5 0x7fab51436f35 in xml_sax_node_start utils/xml_parser.c:304
        #6 0x7fab5143a20f in xml_sax_parse_attribute utils/xml_parser.c:393
        #7 0x7fab5143a20f in xml_sax_parse utils/xml_parser.c:911
        #8 0x7fab5143bdfd in gf_xml_sax_parse_intern utils/xml_parser.c:1072
        #9 0x7fab5143c6b7 in gf_xml_sax_parse utils/xml_parser.c:1100
        #10 0x7fab5143c9c8 in xml_sax_read_file utils/xml_parser.c:1187
        #11 0x7fab5143d5c4 in gf_xml_sax_parse_file utils/xml_parser.c:1299
        #12 0x7fab51cf010a in load_xmt_run scene_manager/loader_xmt.c:3134
        #13 0x564329084177 in dump_isom_scene /gpac/applications/mp4box/filedump.c:207
        #14 0x56432906e4b4 in mp4box_main /gpac/applications/mp4box/mp4box.c:6336
        #15 0x7fab4f439c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    Indirect leak of 80 byte(s) in 1 object(s) allocated from:
        #0 0x7fab5407af30 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef30)
        #1 0x7fab513fa07e in realloc_chain utils/list.c:621
        #2 0x7fab513fa07e in gf_list_add utils/list.c:630
        #3 0x7fab51d028ce in xmt_parse_descriptor scene_manager/loader_xmt.c:1987
        #4 0x7fab51d0553d in xmt_node_start scene_manager/loader_xmt.c:2571
        #5 0x7fab51436f35 in xml_sax_node_start utils/xml_parser.c:304
        #6 0x7fab5143a20f in xml_sax_parse_attribute utils/xml_parser.c:393
        #7 0x7fab5143a20f in xml_sax_parse utils/xml_parser.c:911
        #8 0x7fab5143bdfd in gf_xml_sax_parse_intern utils/xml_parser.c:1072
        #9 0x7fab5143c6b7 in gf_xml_sax_parse utils/xml_parser.c:1100
        #10 0x7fab5143c9c8 in xml_sax_read_file utils/xml_parser.c:1187
        #11 0x7fab5143d5c4 in gf_xml_sax_parse_file utils/xml_parser.c:1299
        #12 0x7fab51cf010a in load_xmt_run scene_manager/loader_xmt.c:3134
        #13 0x564329084177 in dump_isom_scene /gpac/applications/mp4box/filedump.c:207
        #14 0x56432906e4b4 in mp4box_main /gpac/applications/mp4box/mp4box.c:6336
        #15 0x7fab4f439c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    Indirect leak of 64 byte(s) in 1 object(s) allocated from:
        #0 0x7fab5407ab40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
        #1 0x7fab51a68722 in gf_odf_new_dcd odf/odf_code.c:1107
        #2 0x7fab51a6c843 in gf_odf_desc_new odf/odf_codec.c:244
        #3 0x7fab51d0244f in xmt_parse_descriptor scene_manager/loader_xmt.c:1942
        #4 0x7fab51d0553d in xmt_node_start scene_manager/loader_xmt.c:2571
        #5 0x7fab51436f35 in xml_sax_node_start utils/xml_parser.c:304
        #6 0x7fab5143a20f in xml_sax_parse_attribute utils/xml_parser.c:393
        #7 0x7fab5143a20f in xml_sax_parse utils/xml_parser.c:911
        #8 0x7fab5143bdfd in gf_xml_sax_parse_intern utils/xml_parser.c:1072
        #9 0x7fab5143c6b7 in gf_xml_sax_parse utils/xml_parser.c:1100
        #10 0x7fab5143c9c8 in xml_sax_read_file utils/xml_parser.c:1187
        #11 0x7fab5143d5c4 in gf_xml_sax_parse_file utils/xml_parser.c:1299
        #12 0x7fab51cf010a in load_xmt_run scene_manager/loader_xmt.c:3134
        #13 0x564329084177 in dump_isom_scene /gpac/applications/mp4box/filedump.c:207
        #14 0x56432906e4b4 in mp4box_main /gpac/applications/mp4box/mp4box.c:6336
        #15 0x7fab4f439c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    Indirect leak of 16 byte(s) in 1 object(s) allocated from:
        #0 0x7fab5407ab40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
        #1 0x7fab513f9e5d in gf_list_new utils/list.c:601
        #2 0x7fab51a6151c in gf_odf_new_esd odf/odf_code.c:130
        #3 0x7fab51a6c843 in gf_odf_desc_new odf/odf_codec.c:244
        #4 0x7fab51d0244f in xmt_parse_descriptor scene_manager/loader_xmt.c:1942
        #5 0x7fab51d0553d in xmt_node_start scene_manager/loader_xmt.c:2571
        #6 0x7fab51436f35 in xml_sax_node_start utils/xml_parser.c:304
        #7 0x7fab5143a20f in xml_sax_parse_attribute utils/xml_parser.c:393
        #8 0x7fab5143a20f in xml_sax_parse utils/xml_parser.c:911
        #9 0x7fab5143bdfd in gf_xml_sax_parse_intern utils/xml_parser.c:1072
        #10 0x7fab5143c6b7 in gf_xml_sax_parse utils/xml_parser.c:1100
        #11 0x7fab5143c9c8 in xml_sax_read_file utils/xml_parser.c:1187
        #12 0x7fab5143d5c4 in gf_xml_sax_parse_file utils/xml_parser.c:1299
        #13 0x7fab51cf010a in load_xmt_run scene_manager/loader_xmt.c:3134
        #14 0x564329084177 in dump_isom_scene /gpac/applications/mp4box/filedump.c:207
        #15 0x56432906e4b4 in mp4box_main /gpac/applications/mp4box/mp4box.c:6336
        #16 0x7fab4f439c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    Indirect leak of 16 byte(s) in 1 object(s) allocated from:
        #0 0x7fab5407ab40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
        #1 0x7fab513f9e5d in gf_list_new utils/list.c:601
        #2 0x7fab51a6153b in gf_odf_new_esd odf/odf_code.c:131
        #3 0x7fab51a6c843 in gf_odf_desc_new odf/odf_codec.c:244
        #4 0x7fab51d0244f in xmt_parse_descriptor scene_manager/loader_xmt.c:1942
        #5 0x7fab51d0553d in xmt_node_start scene_manager/loader_xmt.c:2571
        #6 0x7fab51436f35 in xml_sax_node_start utils/xml_parser.c:304
        #7 0x7fab5143a20f in xml_sax_parse_attribute utils/xml_parser.c:393
        #8 0x7fab5143a20f in xml_sax_parse utils/xml_parser.c:911
        #9 0x7fab5143bdfd in gf_xml_sax_parse_intern utils/xml_parser.c:1072
        #10 0x7fab5143c6b7 in gf_xml_sax_parse utils/xml_parser.c:1100
        #11 0x7fab5143c9c8 in xml_sax_read_file utils/xml_parser.c:1187
        #12 0x7fab5143d5c4 in gf_xml_sax_parse_file utils/xml_parser.c:1299
        #13 0x7fab51cf010a in load_xmt_run scene_manager/loader_xmt.c:3134
        #14 0x564329084177 in dump_isom_scene /gpac/applications/mp4box/filedump.c:207
        #15 0x56432906e4b4 in mp4box_main /gpac/applications/mp4box/mp4box.c:6336
        #16 0x7fab4f439c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    Indirect leak of 16 byte(s) in 1 object(s) allocated from:
        #0 0x7fab5407ab40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
        #1 0x7fab513f9e5d in gf_list_new utils/list.c:601
        #2 0x7fab51a631ff in gf_odf_new_iod odf/odf_code.c:421
        #3 0x7fab51a6c843 in gf_odf_desc_new odf/odf_codec.c:244
        #4 0x7fab51d0244f in xmt_parse_descriptor scene_manager/loader_xmt.c:1942
        #5 0x7fab51d0553d in xmt_node_start scene_manager/loader_xmt.c:2571
        #6 0x7fab51436f35 in xml_sax_node_start utils/xml_parser.c:304
        #7 0x7fab5143a20f in xml_sax_parse_attribute utils/xml_parser.c:393
        #8 0x7fab5143a20f in xml_sax_parse utils/xml_parser.c:911
        #9 0x7fab5143bdfd in gf_xml_sax_parse_intern utils/xml_parser.c:1072
        #10 0x7fab5143c6b7 in gf_xml_sax_parse utils/xml_parser.c:1100
        #11 0x7fab5143c9c8 in xml_sax_read_file utils/xml_parser.c:1187
        #12 0x7fab5143d5c4 in gf_xml_sax_parse_file utils/xml_parser.c:1299
        #13 0x7fab51cf010a in load_xmt_run scene_manager/loader_xmt.c:3134
        #14 0x564329084177 in dump_isom_scene /gpac/applications/mp4box/filedump.c:207
        #15 0x56432906e4b4 in mp4box_main /gpac/applications/mp4box/mp4box.c:6336
        #16 0x7fab4f439c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    Indirect leak of 16 byte(s) in 1 object(s) allocated from:
        #0 0x7fab5407ab40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
        #1 0x7fab513f9e5d in gf_list_new utils/list.c:601
        #2 0x7fab51a614f4 in gf_odf_new_esd odf/odf_code.c:129
        #3 0x7fab51a6c843 in gf_odf_desc_new odf/odf_codec.c:244
        #4 0x7fab51d0244f in xmt_parse_descriptor scene_manager/loader_xmt.c:1942
        #5 0x7fab51d0553d in xmt_node_start scene_manager/loader_xmt.c:2571
        #6 0x7fab51436f35 in xml_sax_node_start utils/xml_parser.c:304
        #7 0x7fab5143a20f in xml_sax_parse_attribute utils/xml_parser.c:393
        #8 0x7fab5143a20f in xml_sax_parse utils/xml_parser.c:911
        #9 0x7fab5143bdfd in gf_xml_sax_parse_intern utils/xml_parser.c:1072
        #10 0x7fab5143c6b7 in gf_xml_sax_parse utils/xml_parser.c:1100
        #11 0x7fab5143c9c8 in xml_sax_read_file utils/xml_parser.c:1187
        #12 0x7fab5143d5c4 in gf_xml_sax_parse_file utils/xml_parser.c:1299
        #13 0x7fab51cf010a in load_xmt_run scene_manager/loader_xmt.c:3134
        #14 0x564329084177 in dump_isom_scene /gpac/applications/mp4box/filedump.c:207
        #15 0x56432906e4b4 in mp4box_main /gpac/applications/mp4box/mp4box.c:6336
        #16 0x7fab4f439c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    Indirect leak of 16 byte(s) in 1 object(s) allocated from:
        #0 0x7fab5407ab40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
        #1 0x7fab513f9e5d in gf_list_new utils/list.c:601
        #2 0x7fab51a68740 in gf_odf_new_dcd odf/odf_code.c:1110
        #3 0x7fab51a6c843 in gf_odf_desc_new odf/odf_codec.c:244
        #4 0x7fab51d0244f in xmt_parse_descriptor scene_manager/loader_xmt.c:1942
        #5 0x7fab51d0553d in xmt_node_start scene_manager/loader_xmt.c:2571
        #6 0x7fab51436f35 in xml_sax_node_start utils/xml_parser.c:304
        #7 0x7fab5143a20f in xml_sax_parse_attribute utils/xml_parser.c:393
        #8 0x7fab5143a20f in xml_sax_parse utils/xml_parser.c:911
        #9 0x7fab5143bdfd in gf_xml_sax_parse_intern utils/xml_parser.c:1072
        #10 0x7fab5143c6b7 in gf_xml_sax_parse utils/xml_parser.c:1100
        #11 0x7fab5143c9c8 in xml_sax_read_file utils/xml_parser.c:1187
        #12 0x7fab5143d5c4 in gf_xml_sax_parse_file utils/xml_parser.c:1299
        #13 0x7fab51cf010a in load_xmt_run scene_manager/loader_xmt.c:3134
        #14 0x564329084177 in dump_isom_scene /gpac/applications/mp4box/filedump.c:207
        #15 0x56432906e4b4 in mp4box_main /gpac/applications/mp4box/mp4box.c:6336
        #16 0x7fab4f439c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    Indirect leak of 16 byte(s) in 1 object(s) allocated from:
        #0 0x7fab5407ab40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
        #1 0x7fab513f9e5d in gf_list_new utils/list.c:601
        #2 0x7fab51a6321e in gf_odf_new_iod odf/odf_code.c:423
        #3 0x7fab51a6c843 in gf_odf_desc_new odf/odf_codec.c:244
        #4 0x7fab51d0244f in xmt_parse_descriptor scene_manager/loader_xmt.c:1942
        #5 0x7fab51d0553d in xmt_node_start scene_manager/loader_xmt.c:2571
        #6 0x7fab51436f35 in xml_sax_node_start utils/xml_parser.c:304
        #7 0x7fab5143a20f in xml_sax_parse_attribute utils/xml_parser.c:393
        #8 0x7fab5143a20f in xml_sax_parse utils/xml_parser.c:911
        #9 0x7fab5143bdfd in gf_xml_sax_parse_intern utils/xml_parser.c:1072
        #10 0x7fab5143c6b7 in gf_xml_sax_parse utils/xml_parser.c:1100
        #11 0x7fab5143c9c8 in xml_sax_read_file utils/xml_parser.c:1187
        #12 0x7fab5143d5c4 in gf_xml_sax_parse_file utils/xml_parser.c:1299
        #13 0x7fab51cf010a in load_xmt_run scene_manager/loader_xmt.c:3134
        #14 0x564329084177 in dump_isom_scene /gpac/applications/mp4box/filedump.c:207
        #15 0x56432906e4b4 in mp4box_main /gpac/applications/mp4box/mp4box.c:6336
        #16 0x7fab4f439c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    Indirect leak of 16 byte(s) in 1 object(s) allocated from:
        #0 0x7fab5407ab40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
        #1 0x7fab513f9e5d in gf_list_new utils/list.c:601
        #2 0x7fab51a631e0 in gf_odf_new_iod odf/odf_code.c:420
        #3 0x7fab51a6c843 in gf_odf_desc_new odf/odf_codec.c:244
        #4 0x7fab51d0244f in xmt_parse_descriptor scene_manager/loader_xmt.c:1942
        #5 0x7fab51d0553d in xmt_node_start scene_manager/loader_xmt.c:2571
        #6 0x7fab51436f35 in xml_sax_node_start utils/xml_parser.c:304
        #7 0x7fab5143a20f in xml_sax_parse_attribute utils/xml_parser.c:393
        #8 0x7fab5143a20f in xml_sax_parse utils/xml_parser.c:911
        #9 0x7fab5143bdfd in gf_xml_sax_parse_intern utils/xml_parser.c:1072
        #10 0x7fab5143c6b7 in gf_xml_sax_parse utils/xml_parser.c:1100
        #11 0x7fab5143c9c8 in xml_sax_read_file utils/xml_parser.c:1187
        #12 0x7fab5143d5c4 in gf_xml_sax_parse_file utils/xml_parser.c:1299
        #13 0x7fab51cf010a in load_xmt_run scene_manager/loader_xmt.c:3134
        #14 0x564329084177 in dump_isom_scene /gpac/applications/mp4box/filedump.c:207
        #15 0x56432906e4b4 in mp4box_main /gpac/applications/mp4box/mp4box.c:6336
        #16 0x7fab4f439c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    Indirect leak of 16 byte(s) in 1 object(s) allocated from:
        #0 0x7fab5407ab40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
        #1 0x7fab513f9e5d in gf_list_new utils/list.c:601
        #2 0x7fab51a631b4 in gf_odf_new_iod odf/odf_code.c:419
        #3 0x7fab51a6c843 in gf_odf_desc_new odf/odf_codec.c:244
        #4 0x7fab51d0244f in xmt_parse_descriptor scene_manager/loader_xmt.c:1942
        #5 0x7fab51d0553d in xmt_node_start scene_manager/loader_xmt.c:2571
        #6 0x7fab51436f35 in xml_sax_node_start utils/xml_parser.c:304
        #7 0x7fab5143a20f in xml_sax_parse_attribute utils/xml_parser.c:393
        #8 0x7fab5143a20f in xml_sax_parse utils/xml_parser.c:911
        #9 0x7fab5143bdfd in gf_xml_sax_parse_intern utils/xml_parser.c:1072
        #10 0x7fab5143c6b7 in gf_xml_sax_parse utils/xml_parser.c:1100
        #11 0x7fab5143c9c8 in xml_sax_read_file utils/xml_parser.c:1187
        #12 0x7fab5143d5c4 in gf_xml_sax_parse_file utils/xml_parser.c:1299
        #13 0x7fab51cf010a in load_xmt_run scene_manager/loader_xmt.c:3134
        #14 0x564329084177 in dump_isom_scene /gpac/applications/mp4box/filedump.c:207
        #15 0x56432906e4b4 in mp4box_main /gpac/applications/mp4box/mp4box.c:6336
        #16 0x7fab4f439c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    SUMMARY: AddressSanitizer: 464 byte(s) leaked in 12 allocation(s).
    

**Environment**

Ubuntu 18.04.5 LTS  
Clang 10.0.1  
gcc 7.5.0

**Credit**

Peng Deng (Fudan University)

CVE-2022-43255: Memory Leak in gf_odf_new_iod odf/odf_code.c:415 · Issue #2285 · gpac/gpac

Libde265 v1.0.8 was discovered to contain a segmentation violation via apply_sao_internal<unsigned short> in sao.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.

**Description**

SEGV /libde265/libde265/sao.cc:231 in void apply\_sao\_internal(de265\_image\*, int, int, slice\_segment\_header const\*, int, int, int, unsigned short const\*, int, unsigned short\*, int)

**Version**

$ ./dec265 -h
 dec265  v1.0.8
--------------
usage: dec265 \[options\] videofile.bin
The video file must be a raw bitstream, or a stream with NAL units (option -n).

options:
  -q, --quiet       do not show decoded image
  -t, --threads N   set number of worker threads (0 - no threading)
  -c, --check-hash  perform hash check
  -n, --nal         input is a stream with 4-byte length prefixed NAL units
  -f, --frames N    set number of frames to process
  -o, --output      write YUV reconstruction
  -d, --dump        dump headers
  -0, --noaccel     do not use any accelerated code (SSE)
  -v, --verbose     increase verbosity level (up to 3 times)
  -L, --no-logging  disable logging
  -B, --write-bytestream FILENAME  write raw bytestream (from NAL input)
  -m, --measure YUV compute PSNRs relative to reference YUV
  -T, --highest-TID select highest temporal sublayer to decode
      --disable-deblocking   disable deblocking filter
      --disable-sao          disable sample-adaptive offset filter
  -h, --help        show help

**Replay**

git clone https://github.com/strukturag/libde265.git
cd libde265
mkdir build
cd build
cmake ../ -DCMAKE\_CXX\_FLAGS="\-fsanitize=address"
make -j$(nproc)
./dec265/dec265 poc18

**ASAN**

WARNING: non-existing PPS referenced
WARNING: non-existing PPS referenced
WARNING: slice header invalid
WARNING: slice header invalid
WARNING: slice header invalid
ASAN:DEADLYSIGNAL
=================================================================
==24487==ERROR: AddressSanitizer: SEGV on unknown address 0x61106a5b8d93 (pc 0x55dd23192a5c bp 0x0c2c0000008e sp 0x7fff32e6f1c0 T0)
==24487==The signal is caused by a READ memory access.
    #0 0x55dd23192a5b in void apply\_sao\_internal<unsigned short>(de265\_image\*, int, int, slice\_segment\_header const\*, int, int, int, unsigned short const\*, int, unsigned short\*, int) /libde265/libde265/sao.cc:231
    #1 0x55dd2318b477 in void apply\_sao<unsigned char>(de265\_image\*, int, int, slice\_segment\_header const\*, int, int, int, unsigned char const\*, int, unsigned char\*, int) /libde265/libde265/sao.cc:270
    #2 0x55dd2318b477 in apply\_sample\_adaptive\_offset\_sequential(de265\_image\*) /libde265/libde265/sao.cc:362
    #3 0x55dd230bd468 in decoder\_context::run\_postprocessing\_filters\_sequential(de265\_image\*) /libde265/libde265/decctx.cc:1898
    #4 0x55dd230bd468 in decoder\_context::decode\_some(bool\*) /libde265/libde265/decctx.cc:778
    #5 0x55dd230ce78b in decoder\_context::read\_slice\_NAL(bitreader&, NAL\_unit\*, nal\_header&) /libde265/libde265/decctx.cc:697
    #6 0x55dd230d0729 in decoder\_context::decode\_NAL(NAL\_unit\*) /libde265/libde265/decctx.cc:1239
    #7 0x55dd230d15a9 in decoder\_context::decode(int\*) /libde265/libde265/decctx.cc:1327
    #8 0x55dd23088be5 in main /libde265/dec265/dec265.cc:764
    #9 0x7fed8173ac86 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x21c86)
    #10 0x55dd2308b0f9 in \_start (/libde265/dec265/dec265+0x1b0f9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /libde265/libde265/sao.cc:231 in void apply\_sao\_internal<unsigned short\>(de265\_image\*, int, int, slice\_segment\_header const\*, int, int, int, unsigned short const\*, int, unsigned short\*, int)
==24487==ABORTING

**POC**

https://github.com/FDU-Sec/poc/blob/main/libde265/poc18

**Environment**

Ubuntu 18.04.5 LTS
Clang 10.0.1
gcc 7.5.0

**Credit**

Peng Deng (Fudan University)

CVE-2022-43245: SEGV sao.cc: in void apply_sao_internal<unsigned short> · Issue #352 · strukturag/libde265

Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulnerability via ff_hevc_put_hevc_qpel_h_2_v_1_sse in sse-motion.cc. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted video file.

**Description**

Heap-buffer-overflow (/libde265/build/libde265/liblibde265.so+0x2831a1) in ff\_hevc\_put\_hevc\_qpel\_h\_2\_v\_1\_sse(short\*, long, unsigned char const\*, long, int, int, short\*)

**Version**

$ ./dec265 -h
 dec265  v1.0.8
--------------
usage: dec265 \[options\] videofile.bin
The video file must be a raw bitstream, or a stream with NAL units (option -n).

options:
  -q, --quiet       do not show decoded image
  -t, --threads N   set number of worker threads (0 - no threading)
  -c, --check-hash  perform hash check
  -n, --nal         input is a stream with 4-byte length prefixed NAL units
  -f, --frames N    set number of frames to process
  -o, --output      write YUV reconstruction
  -d, --dump        dump headers
  -0, --noaccel     do not use any accelerated code (SSE)
  -v, --verbose     increase verbosity level (up to 3 times)
  -L, --no-logging  disable logging
  -B, --write-bytestream FILENAME  write raw bytestream (from NAL input)
  -m, --measure YUV compute PSNRs relative to reference YUV
  -T, --highest-TID select highest temporal sublayer to decode
      --disable-deblocking   disable deblocking filter
      --disable-sao          disable sample-adaptive offset filter
  -h, --help        show help

**Replay**

git clone https://github.com/strukturag/libde265.git
cd libde265
mkdir build
cd build
cmake ../ -DCMAKE\_CXX\_FLAGS="\-fsanitize=address"
make -j$(nproc)
./dec265/dec265 poc1

**ASAN**

    WARNING: non-existing PPS referenced
    WARNING: non-existing PPS referenced
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: slice header invalid
    =================================================================
    ==8080==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f80809038b9 at pc 0x7f807f61d1a2 bp 0x7fff6fd46c30 sp 0x7fff6fd46c20
    READ of size 16 at 0x7f80809038b9 thread T0
        #0 0x7f807f61d1a1 in ff_hevc_put_hevc_qpel_h_2_v_1_sse(short*, long, unsigned char const*, long, int, int, short*) (/libde265/build/libde265/liblibde265.so+0x2831a1)
        #1 0x7f807f51137d in acceleration_functions::put_hevc_qpel(short*, long, void const*, long, int, int, short*, int, int, int) const (/libde265/build/libde265/liblibde265.so+0x17737d)
        #2 0x7f807f5128ab in void mc_luma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) (/libde265/build/libde265/liblibde265.so+0x1788ab)
        #3 0x7f807f503995 in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) (/libde265/build/libde265/liblibde265.so+0x169995)
        #4 0x7f807f51090f in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) (/libde265/build/libde265/liblibde265.so+0x17690f)
        #5 0x7f807f54b7e3 in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int) (/libde265/build/libde265/liblibde265.so+0x1b17e3)
        #6 0x7f807f54d264 in read_coding_unit(thread_context*, int, int, int, int) (/libde265/build/libde265/liblibde265.so+0x1b3264)
        #7 0x7f807f54e250 in read_coding_quadtree(thread_context*, int, int, int, int) (/libde265/build/libde265/liblibde265.so+0x1b4250)
        #8 0x7f807f54e218 in read_coding_quadtree(thread_context*, int, int, int, int) (/libde265/build/libde265/liblibde265.so+0x1b4218)
        #9 0x7f807f54e218 in read_coding_quadtree(thread_context*, int, int, int, int) (/libde265/build/libde265/liblibde265.so+0x1b4218)
        #10 0x7f807f54e218 in read_coding_quadtree(thread_context*, int, int, int, int) (/libde265/build/libde265/liblibde265.so+0x1b4218)
        #11 0x7f807f545726 in read_coding_tree_unit(thread_context*) (/libde265/build/libde265/liblibde265.so+0x1ab726)
        #12 0x7f807f54e9ea in decode_substream(thread_context*, bool, bool) (/libde265/build/libde265/liblibde265.so+0x1b49ea)
        #13 0x7f807f55070f in read_slice_segment_data(thread_context*) (/libde265/build/libde265/liblibde265.so+0x1b670f)
        #14 0x7f807f4af6d2 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) (/libde265/build/libde265/liblibde265.so+0x1156d2)
        #15 0x7f807f4afec1 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) (/libde265/build/libde265/liblibde265.so+0x115ec1)
        #16 0x7f807f4aec0f in decoder_context::decode_some(bool*) (/libde265/build/libde265/liblibde265.so+0x114c0f)
        #17 0x7f807f4ae93d in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) (/libde265/build/libde265/liblibde265.so+0x11493d)
        #18 0x7f807f4b143e in decoder_context::decode_NAL(NAL_unit*) (/libde265/build/libde265/liblibde265.so+0x11743e)
        #19 0x7f807f4b1ab3 in decoder_context::decode(int*) (/libde265/build/libde265/liblibde265.so+0x117ab3)
        #20 0x7f807f498e95 in de265_decode (/libde265/build/libde265/liblibde265.so+0xfee95)
        #21 0x55c0d6940bc9 in main (/libde265/build/dec265/dec265+0x6bc9)
        #22 0x7f807efcac86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #23 0x55c0d693e9b9 in _start (/libde265/build/dec265/dec265+0x49b9)
    
    0x7f80809038b9 is located 169 bytes to the right of 131088-byte region [0x7f80808e3800,0x7f8080903810)
    allocated by thread T0 here:
        #0 0x7f807f9c1790 in posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdf790)
        #1 0x7f807f4ea1cb in ALLOC_ALIGNED(unsigned long, unsigned long) (/libde265/build/libde265/liblibde265.so+0x1501cb)
        #2 0x7f807f4ea92a in de265_image_get_buffer(void*, de265_image_spec*, de265_image*, void*) (/libde265/build/libde265/liblibde265.so+0x15092a)
        #3 0x7f807f4ecd1a in de265_image::alloc_image(int, int, de265_chroma, std::shared_ptr<seq_parameter_set const>, bool, decoder_context*, long, void*, bool) (/libde265/build/libde265/liblibde265.so+0x152d1a)
        #4 0x7f807f4d10cc in decoded_picture_buffer::new_image(std::shared_ptr<seq_parameter_set const>, decoder_context*, long, void*, bool) (/libde265/build/libde265/liblibde265.so+0x1370cc)
        #5 0x7f807f4b2824 in decoder_context::generate_unavailable_reference_picture(seq_parameter_set const*, int, bool) (/libde265/build/libde265/liblibde265.so+0x118824)
        #6 0x7f807f4b57f5 in decoder_context::process_reference_picture_set(slice_segment_header*) (/libde265/build/libde265/liblibde265.so+0x11b7f5)
        #7 0x7f807f4b8d70 in decoder_context::process_slice_segment_header(slice_segment_header*, de265_error*, long, nal_header*, void*) (/libde265/build/libde265/liblibde265.so+0x11ed70)
        #8 0x7f807f4ae246 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) (/libde265/build/libde265/liblibde265.so+0x114246)
        #9 0x7f807f4b143e in decoder_context::decode_NAL(NAL_unit*) (/libde265/build/libde265/liblibde265.so+0x11743e)
        #10 0x7f807f4b1ab3 in decoder_context::decode(int*) (/libde265/build/libde265/liblibde265.so+0x117ab3)
        #11 0x7f807f498e95 in de265_decode (/libde265/build/libde265/liblibde265.so+0xfee95)
        #12 0x55c0d6940bc9 in main (/libde265/build/dec265/dec265+0x6bc9)
        #13 0x7f807efcac86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/libde265/build/libde265/liblibde265.so+0x2831a1) in ff_hevc_put_hevc_qpel_h_2_v_1_sse(short*, long, unsigned char const*, long, int, int, short*)
    Shadow bytes around the buggy address:
      0x0ff0901186c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff0901186d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff0901186e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff0901186f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0ff090118700: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0ff090118710: fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa
      0x0ff090118720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff090118730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff090118740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff090118750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0ff090118760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==8080==ABORTING
    

**POC**

https://github.com/FDU-Sec/poc/blob/main/libde265/poc1

**Environment**

    Ubuntu 16.04
    Clang 10.0.1
    gcc 5.5

Tag

#ubuntu