strukturag libde265
cpe:2.3:a:struktur:libde265:*:*:*:*:*:*:*
- <= 1.0.16
A heap out-of-bounds write vulnerability has been identified in libde265 versions prior to 1.0.17. This issue arises when a crafted HEVC bitstream is processed, leading to a write operation that exceeds the allocated memory bounds. The vulnerability is triggered by a stale 'ctb_info.log2unitSize' following a change in the Sequence Parameter Set (SPS), where certain width and height parameters remain constant while the logarithmic block size changes. This discrepancy causes the 'set_SliceHeaderIndex' function to access memory beyond the allocated image metadata array, writing two bytes past the end of a heap allocation. The vulnerability has been patched in version 1.0.17.
Exploitation of this vulnerability results in a confirmed heap out-of-bounds write. In debug builds, the application aborts upon detection, while in release builds, the write operation occurs silently, potentially leading to memory corruption.
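A simplified C model of the stale unit-size indexing flaw described above, added here as an illustration; it is not libde265 source code. The struct, the function names and the sample sizes are hypothetical, and the model assumes the unchanged parameters are the metadata array's width and height in units.

```c
#include <stdint.h>
#include <stdlib.h>

/* Simplified per-unit metadata array (hypothetical model, not libde265 source). */
typedef struct {
    uint16_t *data;
    size_t data_size;                 /* number of entries allocated */
    int width_in_units, height_in_units, log2unitSize;
} meta_array;

/* Flawed pattern: geometry is refreshed only when the unit counts change. */
int meta_alloc_stale(meta_array *m, int w, int h, int log2size) {
    if (m->data && m->width_in_units == w && m->height_in_units == h)
        return 0;                     /* new log2size silently ignored */
    free(m->data);
    m->data = calloc((size_t)w * h, sizeof *m->data);
    if (!m->data) return -1;
    m->data_size = (size_t)w * h;
    m->width_in_units = w; m->height_in_units = h; m->log2unitSize = log2size;
    return 0;
}

/* Corrected pattern: always record the unit size of the active parameters. */
int meta_alloc_fixed(meta_array *m, int w, int h, int log2size) {
    if (meta_alloc_stale(m, w, h, log2size) != 0) return -1;
    m->log2unitSize = log2size;
    return 0;
}

/* Index that a pixel position maps to under the array's recorded geometry. */
size_t meta_index(const meta_array *m, int x, int y) {
    return (size_t)(x >> m->log2unitSize)
         + (size_t)(y >> m->log2unitSize) * (size_t)m->width_in_units;
}

/* Bounds-checked setter: rejects the write instead of corrupting the heap. */
int meta_set_checked(meta_array *m, int x, int y, uint16_t v) {
    size_t i = meta_index(m, x, y);
    if (i >= m->data_size) return -1;
    m->data[i] = v;
    return 0;
}

int main(void) {
    meta_array a = {0};
    meta_alloc_stale(&a, 2, 2, 4);            /* constructed: 2x2 units of 16 px */
    meta_alloc_stale(&a, 2, 2, 6);            /* same counts, 64 px units */
    int rc = meta_set_checked(&a, 64, 0, 1);  /* index 4 of 4: rejected */
    free(a.data);
    return rc == -1 ? 0 : 1;
}
```

With these constructed values, the stale shift maps pixel (64, 0) to index 4 of a 4-entry uint16_t array, which is two bytes past the end of the allocation. The checked setter returns -1 instead of performing that write.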
The vulnerability can be reproduced by building libde265 version 1.0.16 with AddressSanitizer enabled, and then using a standalone C program that feeds a specially crafted HEVC bitstream into the libde265 decoder. The bitstream must be designed to exploit the SPS handling flaw, specifically by keeping the picture width and height constant while altering the logarithmic block size, causing the decoder to write out of bounds into the metadata array.
Users can upgrade to libde265 version 1.0.17 or later to address this vulnerability.