A recently discovered vulnerability in Libde265 v1.0.8 allows an attacker to cause a Denial of Service (DoS) through a carefully crafted video file. This post provides an in-depth analysis of the heap-buffer-overflow vulnerability found in the put_epel_16_fallback function within fallback-motion.cc. We'll also look at the provided code snippet and refer to the original references for a better understanding of this security issue.

Vulnerability Details: Heap-Buffer-Overflow in put_epel_16_fallback

CVE-2022-43252 is a heap-buffer-overflow vulnerability affecting the Libde265 library, which is widely used for decoding videos in the High Efficiency Video Coding (HEVC) format.

This vulnerability resides in the put_epel_16_fallback function found within the fallback-motion.cc file. The function is responsible for motion compensation during decoding. By carefully manipulating a video file, an attacker can trigger this vulnerability to crash the decoding library or, potentially, execute arbitrary code on the target system.

The code snippet below shows the affected part of the put_epel_16_fallback function:

static void put_epel_16_fallback(uint8_t *_dst, intptr_t _dststride,
                                 const uint8_t *_src, intptr_t _srcstride,
                                 int mx, int my, int width, int height) {
  int half_width = width / 2;
  int half_height = height / 2;
  /* Fixed-size scratch buffer for the intermediate filter result; the post's
     finding is that it can be too small for the block being decoded. */
  uint8_t tmp[8192 + EPEL_EXTRA + EPEL_EXTRA_BEFORE];
  uint8_t *dst = (uint8_t *)_dst;
  intptr_t dststride = _dststride;
  const uint8_t *src = (const uint8_t *)_src;
  intptr_t srcstride = _srcstride;
  /* ... remainder of the function not shown ... */

The vulnerability stems from an incorrect calculation of the required buffer size, specifically for the tmp array: the fixed-size tmp array can be too small for the block being processed, leading to a heap-based buffer overflow. This can then be exploited to cause a crash or result in remote code execution on the target system.

Exploitation of this vulnerability has been demonstrated with a specially crafted video file: when the file is decoded using the Libde265 library, put_epel_16_fallback is invoked with incorrect input parameters, leading to a DoS or, potentially, arbitrary code execution.

Mitigation

1. Update Libde265 to the latest version, which contains the fix for this vulnerability (v1.0.9 or later). The latest release is available from the official GitHub repository.

2. Carefully validate and sanitize input parameters, especially when processing user-supplied video files.
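As an added illustration of the second mitigation (this is not code from libde265 or from this post), the C block below shows a bounds-checked horizontal EPEL pass: it computes the scratch space a width x height block needs and refuses the block before writing anything when that exceeds the tmp capacity quoted in the snippet above. It assumes 16-bit intermediate samples, the standard HEVC chroma tap table and padded reference frames; all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
/* HEVC chroma (EPEL) 4-tap geometry: 1 sample/row before, 2 after, 3 total. */
#define EPEL_EXTRA_BEFORE 1
#define EPEL_EXTRA_AFTER  2
#define EPEL_EXTRA        (EPEL_EXTRA_BEFORE + EPEL_EXTRA_AFTER)
#define EPEL_TMP_CAPACITY (8192 + EPEL_EXTRA + EPEL_EXTRA_BEFORE) /* size from the post */
/* HEVC chroma taps for 1/8-sample fractions 0..7; every row sums to 64. */
static const int8_t epel_taps[8][4] = {
    { 0, 64,  0,  0}, {-2, 58, 10, -2}, {-4, 54, 16, -2}, {-6, 46, 28, -4},
    {-4, 36, 36, -4}, {-4, 28, 46, -6}, {-2, 16, 54, -4}, {-2, 10, 58, -2},
};

/* Samples the horizontal pass writes, width * (height + EPEL_EXTRA); 0 if the
   geometry is non-positive or the product would wrap size_t. */
size_t epel_tmp_required(int width, int height)
{
    if (width <= 0 || height <= 0) return 0;
    size_t w = (size_t)width, h = (size_t)height + EPEL_EXTRA;
    return (w > SIZE_MAX / h) ? 0 : w * h;
}

/* Bounded horizontal pass. src is the block's top-left sample in a frame padded
   >= 1 sample left/top and >= 2 right/bottom (as decoders pad references). Fills
   height+EPEL_EXTRA rows of width samples; -1 and no write if they exceed tmp_cap. */
int epel_h_pass_checked(int16_t *tmp, size_t tmp_cap, const uint8_t *src,
                        ptrdiff_t srcstride, int width, int height, int mx)
{
    size_t need = epel_tmp_required(width, height);
    if (need == 0 || need > tmp_cap || mx < 0 || mx > 7) return -1;
    const int8_t *f = epel_taps[mx];
    for (int r = 0; r < height + EPEL_EXTRA; r++) {
        const uint8_t *ln = src + (ptrdiff_t)(r - EPEL_EXTRA_BEFORE) * srcstride;
        for (int x = 0; x < width; x++)            /* taps read x-1 .. x+2 */
            tmp[(size_t)r * width + x] = (int16_t)(f[0] * ln[x - 1] + f[1] * ln[x]
                                                 + f[2] * ln[x + 1] + f[3] * ln[x + 2]);
    }
    return 0;
}
/* Demo on a constructed 16x16 frame of constant 10, block at row 1, col 1 (so
   width <= 13, height <= 12). Last tmp sample = 64 * 10 = 640; -1 if refused. */
int epel_demo_constant(int width, int height, int mx)
{
    if (width > 13 || height > 12) return -1;
    uint8_t frame[16 * 16]; int16_t tmp[EPEL_TMP_CAPACITY];
    for (size_t i = 0; i < sizeof frame; i++) frame[i] = 10;
    if (epel_h_pass_checked(tmp, EPEL_TMP_CAPACITY, frame + 17, 16,
                            width, height, mx) != 0) return -1;
    return tmp[epel_tmp_required(width, height) - 1];
}
```

Because every tap row sums to 64, a constant input must come out as 64 times that constant for any fraction mx, which makes the demo a cheap self-check of the filter indexing.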

Conclusion

In this post, we have analyzed CVE-2022-43252, a heap-buffer-overflow vulnerability found in the put_epel_16_fallback function within Libde265 v1.0.8's fallback-motion.cc file. By exploiting this vulnerability with a crafted video file, an attacker can cause a DoS or execute arbitrary code on the target system. Updating to the latest version of Libde265 and following security best practices can help mitigate the risk posed by this vulnerability.

Timeline

Published on: 11/02/2022 14:15:00 UTC
Last modified on: 02/27/2023 15:25:00 UTC