libde265 v1.0.4 contains a heap buffer overflow fault in the _mm_loadl_epi64 function, which can be exploited via a crafted a file.

**heap-buffer-overflow in decode file**

I found some problems during fuzzing

**Test Version**

dev version, git clone https://github.com/strukturag/libde265

**Test Environment**

root@ubuntu:~# lsb\_release -a  
No LSB modules are available.  
Distributor ID: Ubuntu  
Description: Ubuntu 16.04.6 LTS  
Release: 16.04  
Codename: xenial

**Test Configure**

./configure  
configure: ---------------------------------------  
configure: Building dec265 example: yes  
configure: Building sherlock265 example: no  
configure: Building encoder: yes  
configure: ---------------------------------------

**Test Program**

dec265 [infile]

**Asan Output**

    root@ubuntu:~# /opt/asan/bin/dec265 libde265-mm_loadl_epi64-heap_overflow.crash
    WARNING: maximum number of reference pictures exceeded
    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    WARNING: faulty reference picture list
    WARNING: coded parameter out of range
    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    WARNING: faulty reference picture list
    WARNING: faulty reference picture list
    WARNING: maximum number of reference pictures exceeded
    WARNING: maximum number of reference pictures exceeded
    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    WARNING: faulty reference picture list
    WARNING: faulty reference picture list
    =================================================================
    ==129719==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62b000068560 at pc 0x0000004d0359 bp 0x7ffe48aefc20 sp 0x7ffe48aefc10
    READ of size 8 at 0x62b000068560 thread T0
        #0 0x4d0358 in _mm_loadl_epi64(long long __vector(2) const*) /usr/lib/gcc/x86_64-linux-gnu/5/include/emmintrin.h:704
        #1 0x4d0358 in ff_hevc_put_hevc_epel_pixels_8_sse(short*, long, unsigned char const*, long, int, int, int, int, short*) /root/src/libde265/libde265/x86/sse-motion.cc:987
        #2 0x52bf76 in acceleration_functions::put_hevc_epel(short*, long, void const*, long, int, int, int, int, short*, int) const ../libde265/acceleration.h:296
        #3 0x52dc7a in void mc_chroma<unsigned short>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned short const*, int, int, int, int) /root/src/libde265/libde265/motion.cc:205
        #4 0x51f88a in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) /root/src/libde265/libde265/motion.cc:382
        #5 0x52b8f9 in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /root/src/libde265/libde265/motion.cc:2107
        #6 0x47995d in read_coding_unit(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4310
        #7 0x47b6fe in read_coding_quadtree(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4647
        #8 0x47b611 in read_coding_quadtree(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4636
        #9 0x47338a in read_coding_tree_unit(thread_context*) /root/src/libde265/libde265/slice.cc:2861
        #10 0x47beb1 in decode_substream(thread_context*, bool, bool) /root/src/libde265/libde265/slice.cc:4736
        #11 0x47db9f in read_slice_segment_data(thread_context*) /root/src/libde265/libde265/slice.cc:5049
        #12 0x40bf17 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:843
        #13 0x40c6d7 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:945
        #14 0x40b589 in decoder_context::decode_some(bool*) /root/src/libde265/libde265/decctx.cc:730
        #15 0x40b2f2 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:688
        #16 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
        #17 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
        #18 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
        #19 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
        #20 0x7f56cd48d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #21 0x402b28 in _start (/opt/asan/bin/dec265+0x402b28)
    
    0x62b000068560 is located 80 bytes to the right of 25360-byte region [0x62b000062200,0x62b000068510)
    allocated by thread T0 here:
        #0 0x7f56ce38e076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
        #1 0x43e00d in ALLOC_ALIGNED /root/src/libde265/libde265/image.cc:54
        #2 0x43e725 in de265_image_get_buffer /root/src/libde265/libde265/image.cc:132
        #3 0x440639 in de265_image::alloc_image(int, int, de265_chroma, std::shared_ptr<seq_parameter_set const>, bool, decoder_context*, long, void*, bool) /root/src/libde265/libde265/image.cc:384
        #4 0x43afa4 in decoded_picture_buffer::new_image(std::shared_ptr<seq_parameter_set const>, decoder_context*, long, void*, bool) /root/src/libde265/libde265/dpb.cc:262
        #5 0x40ee8b in decoder_context::generate_unavailable_reference_picture(seq_parameter_set const*, int, bool) /root/src/libde265/libde265/decctx.cc:1418
        #6 0x411722 in decoder_context::process_reference_picture_set(slice_segment_header*) /root/src/libde265/libde265/decctx.cc:1648
        #7 0x414cc9 in decoder_context::process_slice_segment_header(slice_segment_header*, de265_error*, long, nal_header*, void*) /root/src/libde265/libde265/decctx.cc:2066
        #8 0x40acad in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:639
        #9 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
        #10 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
        #11 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
        #12 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
        #13 0x7f56cd48d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/lib/gcc/x86_64-linux-gnu/5/include/emmintrin.h:704 _mm_loadl_epi64(long long __vector(2) const*)
    Shadow bytes around the buggy address:
      0x0c5680005050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5680005060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5680005070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5680005080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5680005090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c56800050a0: 00 00 fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa
      0x0c56800050b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c56800050c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c56800050d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c56800050e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c56800050f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==129719==ABORTING
    

**POC file**

libde265-mm\_loadl\_epi64-heap\_overflow.zip  
password: leon.zhao.7

**CREDIT**

Zhao Liang, Huawei Weiran Labs

CVE-2020-21604: heap-buffer-overflow in decode file · Issue #231 · strukturag/libde265

libde265 v1.0.4 contains a heap buffer overflow in the mc_luma function, which can be exploited via a crafted a file.

**heap-buffer-overflow in mc\_luma when decoding file**

I found some problems during fuzzing

**Test Version**

dev version, git clone https://github.com/strukturag/libde265

**Test Environment**

root@ubuntu:~# lsb\_release -a  
No LSB modules are available.  
Distributor ID: Ubuntu  
Description: Ubuntu 16.04.6 LTS  
Release: 16.04  
Codename: xenial

root@ubuntu:\# uname -a  
Linux ubuntu 4.15.0-45-generic #4816.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86\_64 x86\_64 x86\_64 GNU/Linux

**Test Configure**

./configure  
configure: ---------------------------------------  
configure: Building dec265 example: yes  
configure: Building sherlock265 example: no  
configure: Building encoder: yes  
configure: ---------------------------------------

**Test Program**

dec265 [infile]

**Asan Output**

    root@ubuntu:~# ./dec265 libde265-mc_luma-heap_overflow.crash
    WARNING: pps header invalid
    =================================================================
    ==83007==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x626000008d1a at pc 0x00000052cd7b bp 0x7ffefc0bd7e0 sp 0x7ffefc0bd7d0
    READ of size 2 at 0x626000008d1a thread T0
        #0 0x52cd7a in void mc_luma<unsigned short>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned short const*, int, int, int, int) /root/src/libde265/libde265/motion.cc:148
        #1 0x51f594 in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) /root/src/libde265/libde265/motion.cc:370
        #2 0x52b8f9 in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /root/src/libde265/libde265/motion.cc:2107
        #3 0x478f4a in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int) /root/src/libde265/libde265/slice.cc:4137
        #4 0x47a704 in read_coding_unit(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4492
        #5 0x47b6fe in read_coding_quadtree(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4647
        #6 0x47b5ac in read_coding_quadtree(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4633
        #7 0x47338a in read_coding_tree_unit(thread_context*) /root/src/libde265/libde265/slice.cc:2861
        #8 0x47beb1 in decode_substream(thread_context*, bool, bool) /root/src/libde265/libde265/slice.cc:4736
        #9 0x47db9f in read_slice_segment_data(thread_context*) /root/src/libde265/libde265/slice.cc:5049
        #10 0x40bf17 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:843
        #11 0x40c6d7 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:945
        #12 0x40b589 in decoder_context::decode_some(bool*) /root/src/libde265/libde265/decctx.cc:730
        #13 0x40b2f2 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:688
        #14 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
        #15 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
        #16 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
        #17 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
        #18 0x7f5ee6c5b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #19 0x402b28 in _start (/root/dec265+0x402b28)
    
    0x626000008d1a is located 10 bytes to the right of 11280-byte region [0x626000006100,0x626000008d10)
    allocated by thread T0 here:
        #0 0x7f5ee7b5c076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
        #1 0x43e00d in ALLOC_ALIGNED /root/src/libde265/libde265/image.cc:54
        #2 0x43e6da in de265_image_get_buffer /root/src/libde265/libde265/image.cc:128
        #3 0x440639 in de265_image::alloc_image(int, int, de265_chroma, std::shared_ptr<seq_parameter_set const>, bool, decoder_context*, long, void*, bool) /root/src/libde265/libde265/image.cc:384
        #4 0x43afa4 in decoded_picture_buffer::new_image(std::shared_ptr<seq_parameter_set const>, decoder_context*, long, void*, bool) /root/src/libde265/libde265/dpb.cc:262
        #5 0x40ee8b in decoder_context::generate_unavailable_reference_picture(seq_parameter_set const*, int, bool) /root/src/libde265/libde265/decctx.cc:1418
        #6 0x411722 in decoder_context::process_reference_picture_set(slice_segment_header*) /root/src/libde265/libde265/decctx.cc:1648
        #7 0x414cc9 in decoder_context::process_slice_segment_header(slice_segment_header*, de265_error*, long, nal_header*, void*) /root/src/libde265/libde265/decctx.cc:2066
        #8 0x40acad in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:639
        #9 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
        #10 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
        #11 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
        #12 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
        #13 0x7f5ee6c5b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /root/src/libde265/libde265/motion.cc:148 void mc_luma<unsigned short>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned short const*, int, int, int, int)
    Shadow bytes around the buggy address:
      0x0c4c7fff9150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c4c7fff9160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c4c7fff9170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c4c7fff9180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c4c7fff9190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c4c7fff91a0: 00 00 fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4c7fff91b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4c7fff91c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4c7fff91d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4c7fff91e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4c7fff91f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==83007==ABORTING
    

**POC file**

libde265-mc\_luma-heap\_overflow.zip  
password: leon.zhao.7

**CREDIT**

Zhao Liang, Huawei Weiran Labs

CVE-2020-21595: heap-buffer-overflow in mc_luma when decoding file · Issue #239 · strukturag/libde265

libde265 v1.0.4 contains a stack buffer overflow in the put_qpel_fallback function, which can be exploited via a crafted a file.

**stack-buffer-overflow in put\_qpel\_fallback when decoding file**

I found some problems during fuzzing

**Test Version**

dev version, git clone https://github.com/strukturag/libde265

**Test Environment**

root@ubuntu:~# lsb\_release -a  
No LSB modules are available.  
Distributor ID: Ubuntu  
Description: Ubuntu 16.04.6 LTS  
Release: 16.04  
Codename: xenial

root@ubuntu:\# uname -a  
Linux ubuntu 4.15.0-45-generic #4816.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86\_64 x86\_64 x86\_64 GNU/Linux

**Test Configure**

./configure  
configure: ---------------------------------------  
configure: Building dec265 example: yes  
configure: Building sherlock265 example: no  
configure: Building encoder: yes  
configure: ---------------------------------------

**Test Program**

dec265 [infile]

**Asan Output**

    root@ubuntu:~# ./dec265 libde265-put_qpel_fallback-stack_overflow.crash
    WARNING: pps header invalid
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: pps header invalid
    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    WARNING: pps header invalid
    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    =================================================================
    ==91107==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffebaa90b7f at pc 0x00000043836d bp 0x7ffebaa8e510 sp 0x7ffebaa8e500
    READ of size 2 at 0x7ffebaa90b7f thread T0
        #0 0x43836c in void put_qpel_fallback<unsigned short>(short*, long, unsigned short const*, long, int, int, short*, int, int, int) /root/src/libde265/libde265/fallback-motion.cc:520
        #1 0x433c33 in put_qpel_1_3_fallback_16(short*, long, unsigned short const*, long, int, int, short*, int) /root/src/libde265/libde265/fallback-motion.cc:646
        #2 0x52c405 in acceleration_functions::put_hevc_qpel(short*, long, void const*, long, int, int, short*, int, int, int) const ../libde265/acceleration.h:338
        #3 0x52d7d6 in void mc_luma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) /root/src/libde265/libde265/motion.cc:156
        #4 0x51f6f2 in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) /root/src/libde265/libde265/motion.cc:376
        #5 0x52b8f9 in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /root/src/libde265/libde265/motion.cc:2107
        #6 0x478f4a in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int) /root/src/libde265/libde265/slice.cc:4137
        #7 0x47a704 in read_coding_unit(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4492
        #8 0x47b6fe in read_coding_quadtree(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4647
        #9 0x47338a in read_coding_tree_unit(thread_context*) /root/src/libde265/libde265/slice.cc:2861
        #10 0x47beb1 in decode_substream(thread_context*, bool, bool) /root/src/libde265/libde265/slice.cc:4736
        #11 0x47db9f in read_slice_segment_data(thread_context*) /root/src/libde265/libde265/slice.cc:5049
        #12 0x40bf17 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:843
        #13 0x40c6d7 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:945
        #14 0x40b589 in decoder_context::decode_some(bool*) /root/src/libde265/libde265/decctx.cc:730
        #15 0x40b2f2 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:688
        #16 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
        #17 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
        #18 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
        #19 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
        #20 0x7fd98d83582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #21 0x402b28 in _start (/root/dec265+0x402b28)
    
    Address 0x7ffebaa90b7f is located in stack of thread T0 at offset 9151 in frame
        #0 0x52cf34 in void mc_luma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) /root/src/libde265/libde265/motion.cc:49
    
      This frame has 2 object(s):
        [32, 9120) 'mcbuffer'
        [9152, 14832) 'padbuf' <== Memory access at offset 9151 partially underflows this variable
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow /root/src/libde265/libde265/fallback-motion.cc:520 void put_qpel_fallback<unsigned short>(short*, long, unsigned short const*, long, int, int, short*, int, int, int)
    Shadow bytes around the buggy address:
      0x10005754a110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10005754a120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10005754a130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10005754a140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10005754a150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x10005754a160: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2[f2]
      0x10005754a170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10005754a180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10005754a190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10005754a1a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10005754a1b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==91107==ABORTING
    

**POC file**

libde265-put\_qpel\_fallback-stack\_overflow.zip  
libde265-put\_qpel\_fallback-stack\_overflow2.zip  
password: leon.zhao.7

**CREDIT**

Zhao Liang, Huawei Weiran Labs

CVE-2020-21601: stack-buffer-overflow in put_qpel_fallback when decoding file · Issue #241 · strukturag/libde265

libde265 v1.0.4 contains a heap buffer overflow in the put_qpel_0_0_fallback_16 function, which can be exploited via a crafted a file.

**heap-buffer-overflow in put\_qpel\_0\_0\_fallback\_16 when decoding file**

I found some problems during fuzzing

**Test Version**

dev version, git clone https://github.com/strukturag/libde265

**Test Environment**

root@ubuntu:~# lsb\_release -a  
No LSB modules are available.  
Distributor ID: Ubuntu  
Description: Ubuntu 16.04.6 LTS  
Release: 16.04  
Codename: xenial

root@ubuntu:\# uname -a  
Linux ubuntu 4.15.0-45-generic #4816.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86\_64 x86\_64 x86\_64 GNU/Linux

**Test Configure**

./configure  
configure: ---------------------------------------  
configure: Building dec265 example: yes  
configure: Building sherlock265 example: no  
configure: Building encoder: yes  
configure: ---------------------------------------

**Test Program**

dec265 [infile]

**Asan Output**

    root@ubuntu:~# ./dec265 libde265-put_qpel_0_0_fallback_16-heap_overflow.crash
    WARNING: non-existing PPS referenced
    WARNING: pps header invalid
    WARNING: non-existing PPS referenced
    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    WARNING: slice header invalid
    WARNING: faulty reference picture list
    WARNING: faulty reference picture list
    WARNING: slice header invalid
    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    WARNING: slice header invalid
    WARNING: slice header invalid
    WARNING: faulty reference picture list
    WARNING: coded parameter out of range
    WARNING: CTB outside of image area (concealing stream error...)
    =================================================================
    ==87307==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x633000131410 at pc 0x0000004334a0 bp 0x7ffc47b87000 sp 0x7ffc47b86ff0
    READ of size 2 at 0x633000131410 thread T0
        #0 0x43349f in put_qpel_0_0_fallback_16(short*, long, unsigned short const*, long, int, int, short*, int) /root/src/libde265/libde265/fallback-motion.cc:471
        #1 0x52c405 in acceleration_functions::put_hevc_qpel(short*, long, void const*, long, int, int, short*, int, int, int) const ../libde265/acceleration.h:338
        #2 0x52d20c in void mc_luma<unsigned char>(base_context const*, seq_parameter_set const*, int, int, int, int, short*, int, unsigned char const*, int, int, int, int) /root/src/libde265/libde265/motion.cc:78
        #3 0x51f6f2 in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) /root/src/libde265/libde265/motion.cc:376
        #4 0x52b8f9 in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /root/src/libde265/libde265/motion.cc:2107
        #5 0x478f4a in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int) /root/src/libde265/libde265/slice.cc:4137
        #6 0x47a704 in read_coding_unit(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4492
        #7 0x47b6fe in read_coding_quadtree(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4647
        #8 0x47338a in read_coding_tree_unit(thread_context*) /root/src/libde265/libde265/slice.cc:2861
        #9 0x47beb1 in decode_substream(thread_context*, bool, bool) /root/src/libde265/libde265/slice.cc:4736
        #10 0x47db9f in read_slice_segment_data(thread_context*) /root/src/libde265/libde265/slice.cc:5049
        #11 0x40bf17 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:843
        #12 0x40c6d7 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:945
        #13 0x40b589 in decoder_context::decode_some(bool*) /root/src/libde265/libde265/decctx.cc:730
        #14 0x40b2f2 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:688
        #15 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
        #16 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
        #17 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
        #18 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
        #19 0x7f3dfef4982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #20 0x402b28 in _start (/root/dec265+0x402b28)
    
    0x633000131410 is located 0 bytes to the right of 101392-byte region [0x633000118800,0x633000131410)
    allocated by thread T0 here:
        #0 0x7f3dffe4a076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
        #1 0x43e00d in ALLOC_ALIGNED /root/src/libde265/libde265/image.cc:54
        #2 0x43e6da in de265_image_get_buffer /root/src/libde265/libde265/image.cc:128
        #3 0x440639 in de265_image::alloc_image(int, int, de265_chroma, std::shared_ptr<seq_parameter_set const>, bool, decoder_context*, long, void*, bool) /root/src/libde265/libde265/image.cc:384
        #4 0x43afa4 in decoded_picture_buffer::new_image(std::shared_ptr<seq_parameter_set const>, decoder_context*, long, void*, bool) /root/src/libde265/libde265/dpb.cc:262
        #5 0x40ee8b in decoder_context::generate_unavailable_reference_picture(seq_parameter_set const*, int, bool) /root/src/libde265/libde265/decctx.cc:1418
        #6 0x411722 in decoder_context::process_reference_picture_set(slice_segment_header*) /root/src/libde265/libde265/decctx.cc:1648
        #7 0x414cc9 in decoder_context::process_slice_segment_header(slice_segment_header*, de265_error*, long, nal_header*, void*) /root/src/libde265/libde265/decctx.cc:2066
        #8 0x40acad in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:639
        #9 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
        #10 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
        #11 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
        #12 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
        #13 0x7f3dfef4982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /root/src/libde265/libde265/fallback-motion.cc:471 put_qpel_0_0_fallback_16(short*, long, unsigned short const*, long, int, int, short*, int)
    Shadow bytes around the buggy address:
      0x0c668001e230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c668001e240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c668001e250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c668001e260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c668001e270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c668001e280: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c668001e290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c668001e2a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c668001e2b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c668001e2c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c668001e2d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==87307==ABORTING
    

**POC file**

libde265-put\_qpel\_0\_0\_fallback\_16-heap\_overflow.zip  
password: leon.zhao.7

**CREDIT**

Zhao Liang, Huawei Weiran Labs

CVE-2020-21603: heap-buffer-overflow in put_qpel_0_0_fallback_16 when decoding file · Issue #240 · strukturag/libde265

libde265 v1.0.4 contains a heap buffer overflow in the put_weighted_bipred_16_fallback function, which can be exploited via a crafted a file.

**heap-buffer-overflow in put\_weighted\_bipred\_16\_fallback when decoding file**

I found some problems during fuzzing

**Test Version**

dev version, git clone https://github.com/strukturag/libde265

**Test Environment**

root@ubuntu:~# lsb\_release -a  
No LSB modules are available.  
Distributor ID: Ubuntu  
Description: Ubuntu 16.04.6 LTS  
Release: 16.04  
Codename: xenial

root@ubuntu:\# uname -a  
Linux ubuntu 4.15.0-45-generic #4816.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86\_64 x86\_64 x86\_64 GNU/Linux

**Test Configure**

./configure  
configure: ---------------------------------------  
configure: Building dec265 example: yes  
configure: Building sherlock265 example: no  
configure: Building encoder: yes  
configure: ---------------------------------------

**Test Program**

dec265 [infile]

**Asan Output**

    root@ubuntu:~# ./dec265 libde265-put_weighted_bipred_16_fallback-heap_overflow.crash
    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    WARNING: pps header invalid
    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    =================================================================
    ==97574==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62b00001b510 at pc 0x000000432ac8 bp 0x7ffe6664b0a0 sp 0x7ffe6664b090
    WRITE of size 2 at 0x62b00001b510 thread T0
        #0 0x432ac7 in put_weighted_bipred_16_fallback(unsigned short*, long, short const*, short const*, long, int, int, int, int, int, int, int, int) /root/src/libde265/libde265/fallback-motion.cc:223
        #1 0x52beeb in acceleration_functions::put_weighted_bipred(void*, long, short const*, short const*, long, int, int, int, int, int, int, int, int) const ../libde265/acceleration.h:286
        #2 0x52112f in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) /root/src/libde265/libde265/motion.cc:562
        #3 0x52b8f9 in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /root/src/libde265/libde265/motion.cc:2107
        #4 0x47995d in read_coding_unit(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4310
        #5 0x47b6fe in read_coding_quadtree(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4647
        #6 0x47338a in read_coding_tree_unit(thread_context*) /root/src/libde265/libde265/slice.cc:2861
        #7 0x47beb1 in decode_substream(thread_context*, bool, bool) /root/src/libde265/libde265/slice.cc:4736
        #8 0x47db9f in read_slice_segment_data(thread_context*) /root/src/libde265/libde265/slice.cc:5049
        #9 0x40bf17 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:843
        #10 0x40c6d7 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:945
        #11 0x40b589 in decoder_context::decode_some(bool*) /root/src/libde265/libde265/decctx.cc:730
        #12 0x40b2f2 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:688
        #13 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
        #14 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
        #15 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
        #16 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
        #17 0x7f349865a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #18 0x402b28 in _start (/root/dec265+0x402b28)
    
    0x62b00001b510 is located 0 bytes to the right of 25360-byte region [0x62b000015200,0x62b00001b510)
    allocated by thread T0 here:
        #0 0x7f349955b076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
        #1 0x43e00d in ALLOC_ALIGNED /root/src/libde265/libde265/image.cc:54
        #2 0x43e725 in de265_image_get_buffer /root/src/libde265/libde265/image.cc:132
        #3 0x440639 in de265_image::alloc_image(int, int, de265_chroma, std::shared_ptr<seq_parameter_set const>, bool, decoder_context*, long, void*, bool) /root/src/libde265/libde265/image.cc:384
        #4 0x43afa4 in decoded_picture_buffer::new_image(std::shared_ptr<seq_parameter_set const>, decoder_context*, long, void*, bool) /root/src/libde265/libde265/dpb.cc:262
        #5 0x414467 in decoder_context::process_slice_segment_header(slice_segment_header*, de265_error*, long, nal_header*, void*) /root/src/libde265/libde265/decctx.cc:2012
        #6 0x40acad in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:639
        #7 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
        #8 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
        #9 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
        #10 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
        #11 0x7f349865a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /root/src/libde265/libde265/fallback-motion.cc:223 put_weighted_bipred_16_fallback(unsigned short*, long, short const*, short const*, long, int, int, int, int, int, int, int, int)
    Shadow bytes around the buggy address:
      0x0c567fffb650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c567fffb660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c567fffb670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c567fffb680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c567fffb690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c567fffb6a0: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c567fffb6b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c567fffb6c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c567fffb6d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c567fffb6e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c567fffb6f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==97574==ABORTING
    

**POC file**

libde265-put\_weighted\_bipred\_16\_fallback-heap\_overflow.zip  
password: leon.zhao.7

**CREDIT**

Zhao Liang, Huawei Weiran Labs

CVE-2020-21602: heap-buffer-overflow in put_weighted_bipred_16_fallback when decoding file · Issue #242 · strukturag/libde265

libde265 v1.0.4 contains a heap buffer overflow in the de265_image::available_zscan function, which can be exploited via a crafted a file.

**heap overflow in de265\_image::available\_zscan when decoding file**

I found some problems during fuzzing

**Test Version**

dev version, git clone https://github.com/strukturag/libde265

**Test Environment**

root@ubuntu:~# lsb\_release -a  
No LSB modules are available.  
Distributor ID: Ubuntu  
Description: Ubuntu 16.04.6 LTS  
Release: 16.04  
Codename: xenial

root@ubuntu:\# uname -a  
Linux ubuntu 4.15.0-45-generic #4816.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86\_64 x86\_64 x86\_64 GNU/Linux

**Test Configure**

./configure  
configure: ---------------------------------------  
configure: Building dec265 example: yes  
configure: Building sherlock265 example: no  
configure: Building encoder: yes  
configure: ---------------------------------------

**Test Program**

dec265 [infile]

**Asan Output**

    root@ubuntu:~# ./dec265 libde265-de265_image__available_zscan-heap_overflow.crash
    WARNING: pps header invalid
    WARNING: non-existing PPS referenced
    WARNING: pps header invalid
    WARNING: non-existing PPS referenced
    =================================================================
    ==50404==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62a0000178bc at pc 0x000000443563 bp 0x7fff14a846d0 sp 0x7fff14a846c0
    READ of size 4 at 0x62a0000178bc thread T0
        #0 0x443562 in de265_image::available_zscan(int, int, int, int) const /root/src/libde265/libde265/image.cc:760
        #1 0x443acf in de265_image::available_pred_blk(int, int, int, int, int, int, int, int, int, int) const /root/src/libde265/libde265/image.cc:796
        #2 0x521fd7 in derive_spatial_merging_candidates(MotionVectorAccess const&, de265_image const*, int, int, int, int, int, unsigned char, int, int, int, PBMotion*, int) /root/src/libde265/libde265/motion.cc:808
        #3 0x525e21 in get_merge_candidate_list_without_step_9(base_context*, slice_segment_header const*, MotionVectorAccess const&, de265_image*, int, int, int, int, int, int, int, int, int, PBMotion*) /root/src/libde265/libde265/motion.cc:1467
        #4 0x526732 in derive_luma_motion_merge_mode(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, int, int, PBMotion*) /root/src/libde265/libde265/motion.cc:1570
        #5 0x52afb3 in motion_vectors_and_ref_indices(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int, PBMotion*) /root/src/libde265/libde265/motion.cc:2029
        #6 0x52b8ae in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /root/src/libde265/libde265/motion.cc:2103
        #7 0x47995d in read_coding_unit(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4310
        #8 0x47b6fe in read_coding_quadtree(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4647
        #9 0x47338a in read_coding_tree_unit(thread_context*) /root/src/libde265/libde265/slice.cc:2861
        #10 0x47beb1 in decode_substream(thread_context*, bool, bool) /root/src/libde265/libde265/slice.cc:4736
        #11 0x47db9f in read_slice_segment_data(thread_context*) /root/src/libde265/libde265/slice.cc:5049
        #12 0x40bf17 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:843
        #13 0x40c6d7 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:945
        #14 0x40b589 in decoder_context::decode_some(bool*) /root/src/libde265/libde265/decctx.cc:730
        #15 0x40b2f2 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:688
        #16 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
        #17 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
        #18 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
        #19 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
        #20 0x7f4581a5882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #21 0x402b28 in _start (/root/dec265+0x402b28)
    
    0x62a0000178bc is located 1468 bytes to the right of 20736-byte region [0x62a000012200,0x62a000017300)
    allocated by thread T0 here:
        #0 0x7f4582959532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
        #1 0x42447e in __gnu_cxx::new_allocator<int>::allocate(unsigned long, void const*) /usr/include/c++/5/ext/new_allocator.h:104
        #2 0x422d9c in std::allocator_traits<std::allocator<int> >::allocate(std::allocator<int>&, unsigned long) /usr/include/c++/5/bits/alloc_traits.h:491
        #3 0x420d4f in std::_Vector_base<int, std::allocator<int> >::_M_allocate(unsigned long) /usr/include/c++/5/bits/stl_vector.h:170
        #4 0x455ef8 in std::vector<int, std::allocator<int> >::_M_default_append(unsigned long) /usr/include/c++/5/bits/vector.tcc:557
        #5 0x455c0c in std::vector<int, std::allocator<int> >::resize(unsigned long) /usr/include/c++/5/bits/stl_vector.h:676
        #6 0x451598 in pic_parameter_set::set_derived_values(seq_parameter_set const*) /root/src/libde265/libde265/pps.cc:589
        #7 0x450649 in pic_parameter_set::read(bitreader*, decoder_context*) /root/src/libde265/libde265/pps.cc:528
        #8 0x40a562 in decoder_context::read_pps_NAL(bitreader&) /root/src/libde265/libde265/decctx.cc:574
        #9 0x40dc78 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1244
        #10 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
        #11 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
        #12 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
        #13 0x7f4581a5882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /root/src/libde265/libde265/image.cc:760 de265_image::available_zscan(int, int, int, int) const
    Shadow bytes around the buggy address:
      0x0c547fffaec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c547fffaed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c547fffaee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c547fffaef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c547fffaf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c547fffaf10: fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa
      0x0c547fffaf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c547fffaf30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c547fffaf40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c547fffaf50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c547fffaf60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==50404==ABORTING
    

**POC file**

libde265-de265\_image\_\_available\_zscan-heap\_overflow.zip  
password: leon.zhao.7

**CREDIT**

Zhao Liang, Huawei Weiran Labs

CVE-2020-21599: heap overflow in de265_image::available_zscan when decoding file · Issue #235 · strukturag/libde265

libde265 v1.0.4 contains a heap buffer overflow in the put_weighted_pred_avg_16_fallback function, which can be exploited via a crafted a file.

**heap-buffer-overflow in put\_weighted\_pred\_avg\_16\_fallback when decoding file**

I found some problems during fuzzing

**Test Version**

dev version, git clone https://github.com/strukturag/libde265

**Test Environment**

root@ubuntu:~# lsb\_release -a  
No LSB modules are available.  
Distributor ID: Ubuntu  
Description: Ubuntu 16.04.6 LTS  
Release: 16.04  
Codename: xenial

root@ubuntu:\# uname -a  
Linux ubuntu 4.15.0-45-generic #4816.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86\_64 x86\_64 x86\_64 GNU/Linux

**Test Configure**

./configure  
configure: ---------------------------------------  
configure: Building dec265 example: yes  
configure: Building sherlock265 example: no  
configure: Building encoder: yes  
configure: ---------------------------------------

**Test Program**

dec265 [infile]

**Asan Output**

    root@ubuntu:~# ./dec265 libde265-put_weighted_pred_avg_16_fallback-heap_overflow.crash
    WARNING: pps header invalid
    WARNING: non-existing PPS referenced
    =================================================================
    ==103499==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62a000005310 at pc 0x000000432cd8 bp 0x7ffe393c5a50 sp 0x7ffe393c5a40
    WRITE of size 2 at 0x62a000005310 thread T0
        #0 0x432cd7 in put_weighted_pred_avg_16_fallback(unsigned short*, long, short const*, short const*, long, int, int, int) /root/src/libde265/libde265/fallback-motion.cc:246
        #1 0x52bc12 in acceleration_functions::put_weighted_pred_avg(void*, long, short const*, short const*, long, int, int, int) const ../libde265/acceleration.h:251
        #2 0x52085c in generate_inter_prediction_samples(base_context*, slice_segment_header const*, de265_image*, int, int, int, int, int, int, int, PBMotion const*) /root/src/libde265/libde265/motion.cc:513
        #3 0x52b8f9 in decode_prediction_unit(base_context*, slice_segment_header const*, de265_image*, PBMotionCoding const&, int, int, int, int, int, int, int, int) /root/src/libde265/libde265/motion.cc:2107
        #4 0x478f4a in read_prediction_unit(thread_context*, int, int, int, int, int, int, int, int, int) /root/src/libde265/libde265/slice.cc:4137
        #5 0x47a704 in read_coding_unit(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4492
        #6 0x47b6fe in read_coding_quadtree(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4647
        #7 0x47338a in read_coding_tree_unit(thread_context*) /root/src/libde265/libde265/slice.cc:2861
        #8 0x47beb1 in decode_substream(thread_context*, bool, bool) /root/src/libde265/libde265/slice.cc:4736
        #9 0x47db9f in read_slice_segment_data(thread_context*) /root/src/libde265/libde265/slice.cc:5049
        #10 0x40bf17 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:843
        #11 0x40c6d7 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:945
        #12 0x40b589 in decoder_context::decode_some(bool*) /root/src/libde265/libde265/decctx.cc:730
        #13 0x40b2f2 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:688
        #14 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
        #15 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
        #16 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
        #17 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
        #18 0x7fa63f83582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #19 0x402b28 in _start (/root/dec265+0x402b28)
    
    0x62a000005310 is located 0 bytes to the right of 20752-byte region [0x62a000000200,0x62a000005310)
    allocated by thread T0 here:
        #0 0x7fa640736076 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99076)
        #1 0x43e00d in ALLOC_ALIGNED /root/src/libde265/libde265/image.cc:54
        #2 0x43e725 in de265_image_get_buffer /root/src/libde265/libde265/image.cc:132
        #3 0x440639 in de265_image::alloc_image(int, int, de265_chroma, std::shared_ptr<seq_parameter_set const>, bool, decoder_context*, long, void*, bool) /root/src/libde265/libde265/image.cc:384
        #4 0x43afa4 in decoded_picture_buffer::new_image(std::shared_ptr<seq_parameter_set const>, decoder_context*, long, void*, bool) /root/src/libde265/libde265/dpb.cc:262
        #5 0x414467 in decoder_context::process_slice_segment_header(slice_segment_header*, de265_error*, long, nal_header*, void*) /root/src/libde265/libde265/decctx.cc:2012
        #6 0x40acad in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:639
        #7 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
        #8 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
        #9 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
        #10 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
        #11 0x7fa63f83582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /root/src/libde265/libde265/fallback-motion.cc:246 put_weighted_pred_avg_16_fallback(unsigned short*, long, short const*, short const*, long, int, int, int)
    Shadow bytes around the buggy address:
      0x0c547fff8a10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c547fff8a20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c547fff8a30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c547fff8a40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c547fff8a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c547fff8a60: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c547fff8a70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c547fff8a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c547fff8a90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c547fff8aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c547fff8ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==103499==ABORTING
    

**POC file**

libde265-put\_weighted\_pred\_avg\_16\_fallback-heap\_overflow.zip  
password: leon.zhao.7

**CREDIT**

Zhao Liang, Huawei Weiran Labs

CVE-2020-21600: heap-buffer-overflow in put_weighted_pred_avg_16_fallback when decoding file · Issue #243 · strukturag/libde265

libde265 v1.0.4 contains a global buffer overflow in the decode_CABAC_bit function, which can be exploited via a crafted a file.

**global buffer overflow in decode\_CABAC\_bit when decoding file**

I found some problems during fuzzing

**Test Version**

dev version, git clone https://github.com/strukturag/libde265

**Test Environment**

root@ubuntu:~# lsb\_release -a  
No LSB modules are available.  
Distributor ID: Ubuntu  
Description: Ubuntu 16.04.6 LTS  
Release: 16.04  
Codename: xenial

root@ubuntu:\# uname -a  
Linux ubuntu 4.15.0-45-generic #4816.04.1-Ubuntu SMP Tue Jan 29 18:03:48 UTC 2019 x86\_64 x86\_64 x86\_64 GNU/Linux

**Test Configure**

./configure  
configure: ---------------------------------------  
configure: Building dec265 example: yes  
configure: Building sherlock265 example: no  
configure: Building encoder: yes  
configure: ---------------------------------------

**Test Program**

dec265 [infile]

**Asan Output**

    root@ubuntu:~# ./dec265 libde265-decode_CABAC_bit-overflow.crash
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    WARNING: slice header invalid
    =================================================================
    ==58539==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000054625f at pc 0x0000004fc1cf bp 0x7fffa287c990 sp 0x7fffa287c980
    READ of size 1 at 0x00000054625f thread T0
        #0 0x4fc1ce in decode_CABAC_bit(CABAC_decoder*, context_model*) /root/src/libde265/libde265/cabac.cc:180
        #1 0x46fca1 in decode_cu_skip_flag /root/src/libde265/libde265/slice.cc:1679
        #2 0x4797c7 in read_coding_unit(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4289
        #3 0x47b6fe in read_coding_quadtree(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4647
        #4 0x47b53f in read_coding_quadtree(thread_context*, int, int, int, int) /root/src/libde265/libde265/slice.cc:4630
        #5 0x47338a in read_coding_tree_unit(thread_context*) /root/src/libde265/libde265/slice.cc:2861
        #6 0x47beb1 in decode_substream(thread_context*, bool, bool) /root/src/libde265/libde265/slice.cc:4736
        #7 0x47db9f in read_slice_segment_data(thread_context*) /root/src/libde265/libde265/slice.cc:5049
        #8 0x40bf17 in decoder_context::decode_slice_unit_sequential(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:843
        #9 0x40c6d7 in decoder_context::decode_slice_unit_parallel(image_unit*, slice_unit*) /root/src/libde265/libde265/decctx.cc:945
        #10 0x40b589 in decoder_context::decode_some(bool*) /root/src/libde265/libde265/decctx.cc:730
        #11 0x40b2f2 in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /root/src/libde265/libde265/decctx.cc:688
        #12 0x40dbb3 in decoder_context::decode_NAL(NAL_unit*) /root/src/libde265/libde265/decctx.cc:1230
        #13 0x40e17b in decoder_context::decode(int*) /root/src/libde265/libde265/decctx.cc:1318
        #14 0x405a61 in de265_decode /root/src/libde265/libde265/de265.cc:346
        #15 0x404972 in main /root/src/libde265/dec265/dec265.cc:764
        #16 0x7f83f76d982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #17 0x402b28 in _start (/root/dec265+0x402b28)
    
    0x00000054625f is located 31 bytes to the right of global variable 'next_state_MPS' defined in 'cabac.cc:112:22' (0x546200) of size 64
    0x00000054625f is located 1 bytes to the left of global variable 'next_state_LPS' defined in 'cabac.cc:120:22' (0x546260) of size 64
    SUMMARY: AddressSanitizer: global-buffer-overflow /root/src/libde265/libde265/cabac.cc:180 decode_CABAC_bit(CABAC_decoder*, context_model*)
    Shadow bytes around the buggy address:
      0x0000800a0bf0: 00 00 00 01 f9 f9 f9 f9 00 00 00 00 00 02 f9 f9
      0x0000800a0c00: f9 f9 f9 f9 00 00 00 00 00 00 00 00 01 f9 f9 f9
      0x0000800a0c10: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000800a0c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000800a0c30: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
    =>0x0000800a0c40: 00 00 00 00 00 00 00 00 f9 f9 f9[f9]00 00 00 00
      0x0000800a0c50: 00 00 00 00 f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9
      0x0000800a0c60: 00 04 f9 f9 f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9
      0x0000800a0c70: 00 01 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
      0x0000800a0c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000800a0c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==58539==ABORTING
    

**POC file**

libde265-decode\_CABAC\_bit-overflow.zip  
password: leon.zhao.7

**CREDIT**

Zhao Liang, Huawei Weiran Labs

CVE-2020-21596: global buffer overflow in decode_CABAC_bit when decoding file · Issue #236 · strukturag/libde265

Last updated on October 5, 2021: See revision history located at the end of the post for changes.
On September 14, 2021, Microsoft released fixes for three Elevation of Privilege (EoP) vulnerabilities and one unauthenticated Remote Code Execution (RCE) vulnerability in the Open Management Infrastructure (OMI) framework: CVE-2021-38645, CVE-2021-38649, CVE-2021-38648, and CVE-2021-38647, respectively.

_Last updated on October 5, 2021: See revision history located at the end of the post_ for changes.

On September 14, 2021, Microsoft released fixes for three Elevation of Privilege (EoP) vulnerabilities and one unauthenticated Remote Code Execution (RCE) vulnerability in the Open Management Infrastructure (OMI) framework: CVE-2021-38645, CVE-2021-38649, CVE-2021-38648, and CVE-2021-38647, respectively. Open Management Infrastructure (OMI) is an open-source Web-Based Enterprise Management (WBEM) implementation for managing Linux and UNIX systems. Several Azure Virtual Machine (VM) management extensions use this framework to orchestrate configuration management and log collection on Linux VMs. The remote code execution vulnerability only impacts customers using a Linux management solution (on-premises SCOM or Azure Automation State Configuration or Azure Desired State Configuration extension) that enables remote OMI management. Today, we are providing additional guidance and rolling out additional protections within Azure impacted VM management extensions to resolve these issues.

**What versions of OMI are vulnerable?**

All OMI versions below v1.6.8-1 are vulnerable.

**Which PaaS services are affected by the OMI vulnerability?**

For any PaaS service offerings that use the vulnerable VM extensions for Linux as part of the default service offering, Microsoft has updated the extensions on the affected VM’s transparently for customers. Where customers have installed OMI or any of the extensions on their Azure VMs or on-premises machines, they are required to follow the guidance as provided in table below.

**How can I determine which VMs are impacted by these vulnerabilities?**

VMs that use the VM Management Extensions listed below are impacted. All customers that are impacted will be notified directly.

To identify the affected VMs in their subscriptions, customers can use one the following:

*   Using ASC to find machines affected by OMI vulnerabilities in Azure VM Management Extensions - Microsoft Tech Community
*   To identify an Azure VM for the vulnerable extensions, leverage Azure Portal or Azure CLI as described in this article. If the reported extension versions are matching the versions listed for the ‘Fixed Extension Versions’ in below table, no further action is required.
*   To scan an Azure subscription for vulnerable VM’s use the script here. This script can also be used to patch the affected VMs using the upgradeOMI parameter.

**What can I do to protect against these vulnerabilities?**

**Extension updates:** Customers must update vulnerable extensions for their cloud and on-premises deployments as per the table below. New VMs in a region are protected from these vulnerabilities as they are created. For cloud deployments, Microsoft has deployed the updates to extensions across Azure regions. The automatic extension updates were transparently patched without a reboot. Where possible, customers should ensure that automatic extension updates are enabled. Please see Automatic Extension Upgrade for VMs and Scale Sets in Azure to evaluate the configuration of automatic updates.

*   Updates are available for all extensions that use OMI to address the remote execution vulnerability (RCE) and Elevation of Privilege (EoP). Customers can add defense-in-depth and protect against the RCE vulnerability by ensuring VMs are deployed within a Network Security Group (NSG) or behind a perimeter firewall and restrict access to Linux systems that expose the OMI ports (TCP 5985, 5986, and 1270). Note that ports 5985 and 5986 are also used for PowerShell Remoting on Windows and are not impacted by these vulnerabilities. For more information about configuring firewall rules for DSC and SCOM, see Azure Automation Network Configuration Details and Configuring a Firewall for Operations Manager.

**How can I detect if this vulnerability has been exploited?**

An attacker that leverages these vulnerabilities to execute commands remotely will have commands run by the SCXcore service. The SCXcore provider runs on AIX 6.1 and later, HP/UX 11.31 and later, Solaris 5.10 and later, and most versions of Linux as far back as RedHat 5.0, SuSE 10.1, and Debian 5.0. SCX has a **RunAsProvider** named ExecuteShellCommand. The ExecuteShellCommand **RunAsProvider** will execute any UNIX/Linux command using the /bin/sh shell.

*   If you have auditd enabled and are collecting execve logs, look for commands running from the working directory ‘/var/opt/microsoft/scx/tmp’.
*   You can also enable logging for the SCXadmin tool. If you enable logging using the command: ‘/opt/microsoft/scx/bin/tools/scxadmin -log-set all verbose’, you will see the commands in the /var/opt/microsoft/scx/log/scx.log. To see the commands that are executing, grep for Invoke\_ExecuteShellCommand.

More details about SCXadmin is available here: Administering and Configuring the UNIX - Linux Agent | Microsoft Docs. For more details on SCXcore, see the GitHub repo here: microsoft/SCXcore: System Center Cross Platform Provider for Operations Manager (github.com).

Microsoft has released additional detection guidance and protections for Azure Sentinel Hunting for OMI Vulnerability Exploitation with Azure Sentinel. To further improve security protections for customers, Microsoft will continue to provide additional protections to customers as our investigation progresses. Microsoft has also provided the above detection guidance to major security software providers. Security software providers can use this detection guidance to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. For more information about these security providers, please see the Microsoft Active Protections Program.

**Are Azure Marketplace VMs impacted by these vulnerabilities?** Microsoft has identified a subset of Azure marketplace VMs that have vulnerable versions of OMI framework installed on them. Microsoft has published Azure Service Health Notifications to customers utilizing impacted VM images to provide them guidance on how to remediate their resources. Microsoft has also notified the Marketplace publishers to release new versions of the VM images for the offers with the updated OMI framework.

**Engineering teams at Microsoft are working through safe deployment practices and will periodically update this guidance with links to updated instructions and extension update availability.**

**Please use the scroll bar to view the full table.**

**Extension/Package**

**Deployment Model**

**Vulnerability Exposure**

**Vulnerable Extension Versions**

**Fixed Extension Versions**

**Updated Extension Availability**

OMI as standalone package

On Premises/ Cloud

Remote Code Execution

OMI module version 1.6.8.0 or less

OMI version v1.6.8-1

Manually download the update here

System Center Operations Manager (SCOM)

On Premises

Remote Code Execution

OMI versions 1.6.8.0 or less (OMI framework is used for Linux/Unix monitoring)

OMI version: 1.6.8-1

Manually download the update here

Azure Automation State Configuration, DSC Extension

Cloud

Remote Code Execution

Linux DSC Agent versions: 2.71.X.XX (except the fixed version or higher) 2.70.X.XX (except the fixed version or higher) 3.0.0.1 2.0.0.0

Linux DSC Agent versions: 2.71.1.25 2.70.0.30 3.0.0.3

Microsoft has completed deployment of updates. VMs that continue to be reported as vulnerable: Manually update using instructions here

Azure Automation State Configuration, DSC Extension

On Premises

Remote Code Execution

OMI versions below v1.6.8-1 (OMI framework is a pre-requisite install for DSC agent)

OMI version: 1.6.8-1

Manually update OMI using instructions here.

Log Analytics Agent

On Premises

Local Elevation of Privilege

OMS Agent for Linux GA v1.13.39 or less

OMS Agent for Linux GA v1.13.40-0

Manually update using instructions here

Log Analytics Agent

Cloud

Local Elevation of Privilege

OMS Agent for Linux GA v1.13.39 or less

OMS Agent for Linux GA v1.13.40-0

Microsoft has completed the deployment of updates. VMs that continue to be reported as vulnerable: Manually update using instructions here

Azure Diagnostics (LAD)

Cloud

Local Elevation of Privilege

LAD v4.0.0-v4.0.5 LAD v3.0.131 and earlier

LAD v4.0.15 and LAD v3.0.135

Microsoft has completed the deployment of updates.

Azure Automation Update Management

Cloud

Local Elevation of Privilege

OMS Agent for Linux GA v1.13.39 or less

OMS Agent for Linux GA v1.13.40-0

Microsoft has completed the deployment of updates. VMs that continue to be reported as vulnerable: Manually update using instructions here

Azure Automation Update Management

On Premises

Local Elevation of Privilege

OMS Agent for Linux GA v1.13.39 or less

OMS Agent for Linux GA v1.13.40-0

Manually update using instructions here

Azure Automation

Cloud

Local Elevation of Privilege

OMS Agent for Linux GA v1.13.39 or less

OMS Agent for Linux GA v1.13.40-0

Microsoft has completed the deployment of updates. VMs that continue to be reported as vulnerable: Manually update using instructions here

Azure Automation

On Premises

Local Elevation of Privilege

OMS Agent for Linux GA v1.13.39 or less

OMS Agent for Linux GA v1.13.40-0

Manually update using instructions here

Azure Security Center

Cloud

Local Elevation of Privilege

OMS Agent for Linux GA v1.13.39 or less

OMS Agent for Linux GA v1.13.40-0

Microsoft has completed deployment of updates.

Azure Sentinel

Cloud

Local Elevation of Privilege

OMS Agent for Linux GA v1.13.39 or less

OMS Agent for Linux GA v1.13.40-0

Microsoft has completed deployment of updates.

Container Monitoring Solution

Cloud

Local Elevation of Privilege

**See Note 1**

**See Note 2**

Updated Container Monitoring Solution Docker image is available here

Azure Stack Hub

On Premises

Local Elevation of Privilege

Azure Monitor, Update and Configuration Management Impacted Versions: 1.8 1.8.11 1.12 1.12.17 1.13.27 1.13.33

Azure Monitor, Update and Configuration Management 1.14.02

New extension version is available via the Azure Stack Hub marketplace. Manually update using instructions here

Azure Stack Hub

On Premises

Local Elevation of Privilege

Microsoft Azure Diagnostic Extension for Linux Virtual Machines Impacted Versions: 3.0.111 3.0.121

Microsoft Azure Diagnostic Extension for Linux Virtual Machines 3.1.135

New extension version is available via the Azure Stack Hub marketplace. Manually update using instructions here

Azure HDInsight

Cloud

Local Elevation of Privilege

Customers with HDInsight clusters running Ubuntu 16.0.4 **OR** customers that have enabled Azure Monitor for HDInsight cluster integration are susceptible to the Elevation of Privilege vulnerabilities OMI framework version 1.6.8.0 or less

OMI framework v1.6.8-1

Automatic updates have been completed. Where customer configuration prevented updates, customers must apply the updates by running the following script on every cluster node.

**Please use the scroll bar to view the full table.**

**Note 1** : Container Monitoring Solution Docker images with SHA ID different than sha256:12b7682d8f9a2f67752bf121029e315abcae89bc0c34a0e05f07baec72280707

**Note 2** : Fixed version in SHA ID: sha256:12b7682d8f9a2f67752bf121029e315abcae89bc0c34a0e05f07baec72280707

**Revision History:** Revision 1.0 September 16, 2021: Information published.  
Revision 1.1 September 17, 2021: Updated affected software, clarified how customers can determine which VMs are impacted by these vulnerabilities and clarified what customers can do to protect against these vulnerabilities.  
Revision 1.2 September 18, 2021: Added detection guidance.  
Revision 1.3 September 19, 2021: Updated release date for the Azure Monitor, Update and Configuration Management Azure Stack Hub extension  
Revision 1.4 September 20, 2021: Updated version number of Azure Diagnostics (LAD) and added information for new updates available for Azure Stack Hub.  
Revision 1.5 September 21, 2021: Removed the first bullet in the **How can I determine which VMS are impacted by these vulnerabilities?** section.  
Revision 1.6 September 22, 2021: Updated affected software table including HDInsight, Azure StackHub, and the date automatic updates will be enabled.  
Revision 1.7 September 24, 2021: Announced the release of several updates and deployments for Azure Automation State Configuration, DSC Extension, Log Analytics Agent, Azure Automation Update Management, Azure Automation, Azure Security Center, Azure Sentinel and Azure Stack Hub.  
Revision 1.8 September 30, 2021: Updated to reflect completion of Microsoft auto-update processes.  
Revision 1.0 October 5, 2021: Updated the version number for Azure Monitor, Update and Configuration Management to 1.14.02 for Azure Stack Hub (On-premises)

Additional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions

Libsixel prior to v1.8.3 contains a stack buffer overflow in the function gif_process_raster at fromgif.c.

Our fuzzer detected several crashes when converting gif file against 2df6437 (compiled with Address Sanitizer). The command to trigger that is img2sixel $POC -o /tmp/test.six where $POC can be:  
https://github.com/ntu-sec/pocs/blob/master/libsixel-2df6437/crashes/so\_fromgif.c%3A310\_1.gif  
https://github.com/ntu-sec/pocs/blob/master/libsixel-2df6437/crashes/so\_fromgif.c%3A310\_2.gif

gdb output is like:

    GNU gdb (Ubuntu 8.1-0ubuntu3) 8.1.0.20180409-git
    Copyright (C) 2018 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
    and "show warranty" for details.
    This GDB was configured as "x86_64-linux-gnu".
    Type "show configuration" for configuration details.
    For bug reporting instructions, please see:
    <http://www.gnu.org/software/gdb/bugs/>.
    Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.
    For help, type "help".
    Type "apropos word" to search for commands related to "word"...
    Reading symbols from /home/hongxu/FOT/libsixel/install/bin/img2sixel...done.
    Starting program: /home/hongxu/FOT/libsixel/install/bin/img2sixel hbo_fromgif.c:310_1.gif -o /tmp/test.six
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    =================================================================
    ==17533==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffa7d8 at pc 0x7ffff7b5f160 bp 0x7fffffff5950 sp 0x7fffffff5948
    WRITE of size 2 at 0x7fffffffa7d8 thread T0
        #0 0x7ffff7b5f15f in gif_process_raster /home/hongxu/FOT/libsixel/src/fromgif.c:310:31
        #1 0x7ffff7b5c303 in gif_load_next /home/hongxu/FOT/libsixel/src/fromgif.c:462:22
        #2 0x7ffff7b5a25e in load_gif /home/hongxu/FOT/libsixel/src/fromgif.c:599:22
        #3 0x7ffff7b11198 in load_with_builtin /home/hongxu/FOT/libsixel/src/loader.c:858:18
        #4 0x7ffff7b10116 in sixel_helper_load_image_file /home/hongxu/FOT/libsixel/src/loader.c:1352:18
        #5 0x7ffff7b69d98 in sixel_encoder_encode /home/hongxu/FOT/libsixel/src/encoder.c:1737:14
        #6 0x515787 in main /home/hongxu/FOT/libsixel/converters/img2sixel.c:457:22
        #7 0x7ffff61a6b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
        #8 0x41a239 in _start (/home/hongxu/FOT/libsixel/install/bin/img2sixel+0x41a239)
    
    Address 0x7fffffffa7d8 is located in stack of thread T0 at offset 18296 in frame
        #0 0x7ffff7b5999f in load_gif /home/hongxu/FOT/libsixel/src/fromgif.c:555
    
      This frame has 4 object(s):
        [32, 208) 's' (line 556)
        [272, 18296) 'g' (line 557) <== Memory access at offset 18296 overflows this variable
        [18560, 18568) 'frame' (line 559)
        [18592, 18600) 'fnp' (line 560)
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
          (longjmp and C++ exceptions *are* supported)
    SUMMARY: AddressSanitizer: stack-buffer-overflow /home/hongxu/FOT/libsixel/src/fromgif.c:310:31 in gif_process_raster
    Shadow bytes around the buggy address:
      0x10007fff74a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff74b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff74c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff74d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff74e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x10007fff74f0: 00 00 00 00 00 00 00 00 00 00 00[f2]f2 f2 f2 f2
      0x10007fff7500: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
      0x10007fff7510: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2
      0x10007fff7520: 00 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x10007fff7540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==17533==ABORTING
    
    Program received signal SIGABRT, Aborted.
    __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
    51	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    #0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
    #1  0x00007ffff61c5801 in __GI_abort () at abort.c:79
    #2  0x000000000050376b in __sanitizer::Abort() ()
    #3  0x0000000000500a98 in __sanitizer::Die() ()
    #4  0x00000000004e2d1d in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) ()
    #5  0x00000000004e374b in __asan_report_store2 ()
    #6  0x00007ffff7b5f160 in gif_process_raster (s=0x7fffffff6080, g=0x7fffffff6170) at fromgif.c:310
    #7  0x00007ffff7b5c304 in gif_load_next (s=0x7fffffff6080, g=0x7fffffff6170, bgcolor=0x0) at fromgif.c:462
    #8  0x00007ffff7b5a25f in load_gif (buffer=0x62d000000400 "GIF89a\f", size=0xca, bgcolor=0x0, reqcolors=0x100, fuse_palette=0x1, fstatic=0x0, loop_control=0x0, fn_load=0x7ffff7b6a090 <load_image_callback>, context=0x610000000040, allocator=0x604000000190) at fromgif.c:599
    #9  0x00007ffff7b11199 in load_with_builtin (pchunk=0x603000000e20, fstatic=0x0, fuse_palette=0x1, reqcolors=0x100, bgcolor=0x0, loop_control=0x0, fn_load=0x7ffff7b6a090 <load_image_callback>, context=0x610000000040) at loader.c:858
    #10 0x00007ffff7b10117 in sixel_helper_load_image_file (filename=0x7fffffffc9ed "hbo_fromgif.c:310_1.gif", fstatic=0x0, fuse_palette=0x1, reqcolors=0x100, bgcolor=0x0, loop_control=0x0, fn_load=0x7ffff7b6a090 <load_image_callback>, finsecure=0x0, cancel_flag=0x13b61c0 <signaled>, context=0x610000000040, allocator=0x604000000190) at loader.c:1352
    #11 0x00007ffff7b69d99 in sixel_encoder_encode (encoder=0x610000000040, filename=0x7fffffffc9ed "hbo_fromgif.c:310_1.gif") at encoder.c:1737
    #12 0x0000000000515788 in main (argc=0x4, argv=0x7fffffffc488) at img2sixel.c:457

Tag

#ubuntu