Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Try to mitigate asan failures. #365

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

See strukturag#345 for my analysis and details…

(This PR is just for discussion.)

(The CVE references are obtained from the Debian security tracker,
which links the issues.)

This makes the following POCs stop failing:

- poc3 (strukturag#337)
- poc7-1 (strukturag#341) CVE-2022-43239 (note: does NOT fix poc7-2)
- poc8-2, poc8-3, poc8-4 (strukturag#342) CVE-2022-43244   (note: does NOT fix poc8-1)
- poc11-1, poc11-2 (strukturag#345) CVE-2022-43249
- poc12 (strukturag#346)
- poc13 (strukturag#347) CVE-2022-43252
- poc16 (strukturag#350)
coldtobi pushed a commit to coldtobi/libde265 that referenced this pull request Dec 12, 2022
(as e.g mc_chroma is using the sps to determine
picture properties, like pic_width_in_luma_samples
and pic_height_in_luma_samples, I *think* this is
more correct.

This PR is for discussion. (See strukturag#345.)
It makes the failures go away, but that does not mean it's correct :)

The following poc will be stop failing if (only) this
patch is applied:

 - poc2  strukturag#336 - CVE-2022-43238
 - poc4  strukturag#338 - CVE-2022-43241
 - poc6-1, poc6-2 strukturag#340 - CVE-2022-43242
 - poc7-1, poc7-2  strukturag#341 - CVE-2022-43239
 - poc8-1 strukturag#342 - CVE-2022-43244
 - poc9-3 strukturag#343 - CVE-2022-43236
 - poc10-2, poc10-3 strukturag#344 - CVE-2022-43237
 - poc16 strukturag#350
 - poc19 strukturag#353

The following are still failing if only this patch is
applied, but they stop failing if strukturag#365 is applied as well, but will
still fail with ONLY strukturag#365 applied (IOW, both are needed)

 - poc1  strukturag#335 - CVE-2022-43240
 - poc3  strukturag#337 - CVE-2022-43235
 - poc5   strukturag#339 - CVE-2022-43423
 - poc9-1,poc9-2, poc9-4  strukturag#343 - CVE-2022-43236
 - poc14  strukturag#348 - CVE-2022-43253
 - poc15  strukturag#349 - CVE-2022-43248
 - poc17-1, poc17-2  strukturag#351
 - poc18 strukturag#352 - CVE-2022-43245
coldtobi pushed a commit to coldtobi/libde265 that referenced this pull request Jan 13, 2023
This is an attempt to improve the mitigations from strukturag#365 and strukturag#366 and picks up an idea I described at strukturag#345:

> One way would be just to look at the pointers of the SPS (fast and easy, but
> may reject more than required), or investigate if the SPS used for the image
> generations are "compatible".

This changes do exactly this: It (very conservativly) checks if the old and new sps have
identical information -- except the reference picture set, which I believe is supposed
to be updated by new sps'). If they are basically identical, the old sps will be
used instead of the new one, (of course, reference image set is updated from the new one)

I'm using standalone operator== and helper functions to avoid changing ABI of the library;
if an ABI bump would be done, of course this should go to the respective classes.

I've tested the patch with several videos, they still play fine.

@farindk I'd really appreciate to receive your feedback; the reason is that I want
to fix the many open CVE's for the package as it is currently in Debian and other distributions…

--
Cheers,
tobi
coldtobi pushed a commit to coldtobi/libde265 that referenced this pull request Jan 13, 2023
This is an attempt to improve the mitigations from strukturag#365 and strukturag#366 and picks up an idea I described at strukturag#345:

> One way would be just to look at the pointers of the SPS (fast and easy, but
> may reject more than required), or investigate if the SPS used for the image
> generations are "compatible".

This changes do exactly this: It (very conservativly) checks if the old and new sps have
identical information -- except the reference picture set, which I believe is supposed
to be updated by new sps'). If they are basically identical, the old sps will be
used instead of the new one, (of course, reference image set is updated from the new one)

I'm using standalone operator== and helper functions to avoid changing ABI of the library;
if an ABI bump would be done, of course this should go to the respective classes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant