Description
Dear libde265 developers, I used AFL++ to fuzz test dec265 and found some problems.
Here is some output from a build with ASan, for debugging:
=================================================================
==2426872==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fac97661810 at pc 0x7fac9b8b7490 bp 0x7ffccfc5b3a0 sp 0x7ffccfc5ab48
READ of size 352 at 0x7fac97661810 thread T0
#0 0x7fac9b8b748f in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790
#1 0x5610bf47d0e0 in SDL_YUV_Display::display420(unsigned char const*, unsigned char const*, unsigned char const*, int, int) /home/zt/cnvd/libde265/dec265/sdl.cc:146
#2 0x5610bf47ec9b in SDL_YUV_Display::display(unsigned char const*, unsigned char const*, unsigned char const*, int, int) /home/zt/cnvd/libde265/dec265/sdl.cc:107
#3 0x5610bf47afd3 in display_sdl(de265_image const*) /home/zt/cnvd/libde265/dec265/dec265.cc:310
#4 0x5610bf47b4c7 in output_image(de265_image const*) /home/zt/cnvd/libde265/dec265/dec265.cc:353
#5 0x5610bf4786a9 in main /home/zt/cnvd/libde265/dec265/dec265.cc:802
#6 0x7fac9af00082 in __libc_start_main ../csu/libc-start.c:308
#7 0x5610bf47a6ad in _start (/home/zt/cnvd/libde265/install/bin/dec265+0x86ad)
0x7fac97661810 is located 0 bytes to the right of 131088-byte region [0x7fac97641800,0x7fac97661810)
allocated by thread T0 here:
#0 0x7fac9b92a6e5 in __interceptor_posix_memalign ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:217
#1 0x7fac9b517b47 in ALLOC_ALIGNED /home/zt/cnvd/libde265/libde265/image.cc:55
#2 0x7fac9b517b47 in de265_image_get_buffer /home/zt/cnvd/libde265/libde265/image.cc:129
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790 in __interceptor_memcpy
Shadow bytes around the buggy address:
0x0ff612ec42b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff612ec42c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff612ec42d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff612ec42e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff612ec42f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff612ec4300: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff612ec4310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff612ec4320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff612ec4330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff612ec4340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff612ec4350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2426872==ABORTING
==2426808==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d000035b80 at pc 0x5600b53a49fe bp 0x7ffc3b49c8b0 sp 0x7ffc3b49c8a0
WRITE of size 1 at 0x61d000035b80 thread T0
#0 0x5600b53a49fd in SDL_YUV_Display::display444as420(unsigned char const*, unsigned char const*, unsigned char const*, int, int) /home/zt/cnvd/libde265/dec265/sdl.cc:257
#1 0x5600b53a4cdb in SDL_YUV_Display::display(unsigned char const*, unsigned char const*, unsigned char const*, int, int) /home/zt/cnvd/libde265/dec265/sdl.cc:113
#2 0x5600b53a0fd3 in display_sdl(de265_image const*) /home/zt/cnvd/libde265/dec265/dec265.cc:310
#3 0x5600b53a14c7 in output_image(de265_image const*) /home/zt/cnvd/libde265/dec265/dec265.cc:353
#4 0x5600b539e6a9 in main /home/zt/cnvd/libde265/dec265/dec265.cc:802
#5 0x7f1c660dc082 in __libc_start_main ../csu/libc-start.c:308
#6 0x5600b53a06ad in _start (/home/zt/cnvd/libde265/install/bin/dec265+0x86ad)
0x61d000035b80 is located 0 bytes to the right of 2304-byte region [0x61d000035280,0x61d000035b80)
allocated by thread T0 here:
#0 0x7f1c66b05a06 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:153
#1 0x7f1c66917485 (/lib/x86_64-linux-gnu/libSDL2-2.0.so.0+0x74485)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/zt/cnvd/libde265/dec265/sdl.cc:257 in SDL_YUV_Display::display444as420(unsigned char const*, unsigned char const*, unsigned char const*, int, int)
Shadow bytes around the buggy address:
0x0c3a7fffeb20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a7fffeb30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a7fffeb40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a7fffeb50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3a7fffeb60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3a7fffeb70:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fffeb80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fffeb90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fffeba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fffebb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fffebc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2426808==ABORTING
Crash input:
Validation steps
git clone https://github.com/strukturag/libde265.git
cd libde265/
./autogen.sh
CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" ./configure --prefix="$HOME/libde265/install/"
make -j$(nproc)
make install
cd $HOME/libde265/install/bin
./dec265 poc
Environment
Ubuntu 20.04 LTS
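Both reports above show the same bug class: a row-by-row plane copy in the display path runs exactly to the end of the allocated region and then past it (READ of 352 bytes "0 bytes to the right" of the image buffer, and a WRITE one byte past the SDL buffer). The following is an added illustration of that pattern and its bounds-checked counterpart; it is not libde265's or dec265's code, and `plane_t`, `copy_plane_unchecked`, `copy_plane_checked` and `run_demo` are hypothetical names with constructed sizes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical plane descriptor: pixel data, bytes actually allocated, row stride. */
typedef struct {
    const uint8_t *data;
    size_t size;    /* bytes allocated for this plane */
    int stride;     /* bytes between the start of consecutive rows */
} plane_t;

/* Unchecked copy: trusts the declared width/height. If the stream declares
   dimensions larger than the plane that was allocated, the last rows read
   past the end of src->data (the pattern ASan flags above). */
void copy_plane_unchecked(uint8_t *dst, size_t dst_stride,
                          const plane_t *src, int width, int height)
{
    for (int y = 0; y < height; y++)
        memcpy(dst + (size_t)y * dst_stride,
               src->data + (size_t)y * src->stride, (size_t)width);
}

/* Checked copy: derive the last byte each loop would touch and refuse the
   copy if it lies outside either buffer. Returns false instead of copying. */
bool copy_plane_checked(uint8_t *dst, size_t dst_size, size_t dst_stride,
                        const plane_t *src, int width, int height)
{
    if (width <= 0 || height <= 0 || src->stride < width || dst_stride < (size_t)width)
        return false;
    size_t last_row = (size_t)(height - 1);
    size_t src_need = last_row * (size_t)src->stride + (size_t)width; /* int*int fits size_t on 64-bit */
    size_t dst_need = last_row * dst_stride + (size_t)width;
    if (src_need > src->size || dst_need > dst_size)
        return false;
    for (int y = 0; y < height; y++)
        memcpy(dst + (size_t)y * dst_stride,
               src->data + (size_t)y * src->stride, (size_t)width);
    return true;
}

/* Constructed sample: a 32x16 plane with stride 32. Bit 0 = correct size accepted,
   bit 1 = over-declared height (17 rows) accepted, bit 2 = undersized dst accepted. */
int run_demo(void)
{
    static uint8_t src_buf[32 * 16];
    static uint8_t dst_buf[32 * 16];
    plane_t src = { src_buf, sizeof src_buf, 32 };
    int fits      = copy_plane_checked(dst_buf, sizeof dst_buf, 32, &src, 32, 16);
    int too_tall  = copy_plane_checked(dst_buf, sizeof dst_buf, 32, &src, 32, 17);
    int dst_small = copy_plane_checked(dst_buf, 256, 32, &src, 32, 16);
    return (fits ? 1 : 0) | (too_tall ? 2 : 0) | (dst_small ? 4 : 0);
}
```

Under ASan the unchecked variant with height 17 would produce a report like the ones above; the checked variant rejects the same call before any memcpy runs.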