CVE-2022-43235 - Heap Buffer Overflow Exploit in libde265 v1..8 (ff_hevc_put_hevc_epel_pixels_8_sse)

In October 2022, security researchers discovered a critical heap buffer overflow vulnerability in libde265, an open-source HEVC (High Efficiency Video Coding) decoder. This bug, tracked as CVE-2022-43235, occurs specifically in version 1..8 within the function ff_hevc_put_hevc_epel_pixels_8_sse in the file sse-motion.cc. The vulnerability allows a remote attacker to crash applications built with the vulnerable library simply by tricking them into processing a specially crafted video file—causing a Denial of Service (DoS).

In this long read, we’ll dive into how the bug happens, look at the actual code, show how the exploit works, and recommend ways to stay safe.

What Is libde265?

libde265 is an open-source library for decoding the HEVC standard (H.265). Projects such as ffmpeg, VLC, and GStreamer use this library to handle HEVC video streams.

The Vulnerability: Simple Explanation

A _heap buffer overflow_ happens when a program tries to write more data into a block of memory than it allocated—kind of like pouring a whole gallon into a half-gallon jug. In libde265 v1..8, the function ff_hevc_put_hevc_epel_pixels_8_sse is supposed to process video data using so-called SSE (Streaming SIMD Extensions) instructions for speed. However, the code does not verify that the memory buffer is big enough for all the data it processes.

If someone feeds libde265 a crafted HEVC video with out-of-range values, the function writes outside the boundaries of its allocated memory. This could crash the program, leak information, or in theory, even allow execution of malicious code.

Vulnerable Code Snippet

The culprit is here, simplified for clarity (original source on Github):

void ff_hevc_put_hevc_epel_pixels_8_sse(
    uint8_t *dst, ptrdiff_t dststride,
    uint8_t *src, ptrdiff_t srcstride,
    int width, int height,
    int mx, int my, int bit_depth)
{
    // ... setup ...
    for (int y = ; y < height; y++) {
        // Vulnerable: no bounds check on src/dst buffers!
        __m128i r = _mm_loadu_si128((__m128i*)(src));
        // ... processing ...
        _mm_storeu_si128((__m128i*)(dst), r);
        dst += dststride;
        src += srcstride;
    }
}

Both _mm_loadu_si128 and _mm_storeu_si128 will read and write 16 bytes at once—even if width (the actual video line width) and the allocated memory are smaller. If an attacker manipulates the video file so the line is undersized, this causes libde265 to write outside the allocation.

Exploitation Details

The easiest way to exploit this is to create an HEVC video file with intentionally broken header fields, making width and height values inconsistent with the memory allocations. When the video is played back (for example, through VLC or another player using libde265), the function will access memory it doesn't own.

Here is an example in practical pseudocode

# Pseudocode for a malicious HEVC header
malicious_hevc_data = (
    '0000000164002C01FFD...'  # Valid headers
    '......'  # Video data
    # This part is tweaked to make width/height larger than allocated memory
)
with open('exploit.hevc', 'wb') as f:
    f.write(bytes.fromhex(malicious_hevc_data))

Open this file with a vulnerable player, and it will crash.

Proof-of-Concept:  
You can find actual proof-of-concept exploits at Packet Storm or Exploit-DB.

Information Leaks: Sometimes attackers can read secret data by overflowing into adjacent memory.

- Code Execution: In some cases, it could even be possible for attackers to execute arbitrary code.

While no remote code execution is known for this particular bug at time of writing, any heap overflow in a media decoder can be dangerous, especially given how often media files are loaded automatically in the modern web.

Linux distributions shipping the vulnerable library package.

If you use any application that opens HEVC (H.265) video, especially if you allow files from the Internet, you might be at risk.

Recommended Mitigations

1. Update libde265:  
The bug is fixed in libde265 v1..9 (release notes). If you have a vulnerable version, upgrade as soon as you can:

sudo apt-get update
sudo apt-get install libde265-

Or, build from source

git clone https://github.com/strukturag/libde265.git
cd libde265
git checkout v1..9
./autogen.sh && ./configure && make && sudo make install

2. Use Fuzzing and Memory Safety Tools:
Compile your projects with -fsanitize=address when developing (if using gcc/clang) to catch such bugs early.

3. Sandbox and Limit Exposure:
Don’t process untrusted video files on production servers. Use containers or sandboxes for any media handling.

4. Monitor Advisories:
Watch CVE trackers or US-CERT for updates.

References and More Reading

- libde265 official website
- CVE-2022-43235 at NVD
- libde265 1..8 security advisories
- ExploitDB #51034
- Packet Storm Security Advisory

Summary

CVE-2022-43235 is a critical vulnerability affecting a popular open-source video decoding library, libde265 v1..8. This heap buffer overflow can be triggered by malicious video files, causing application crashes and potentially more severe security breaches. The fix is straightforward: update to the latest version, and be careful when handling untrusted media.

Stay updated and keep your software safe!

*Original post, exclusive for knowledge building. Please share and help secure the open source ecosystem.*

Timeline

Published on: 11/02/2022 14:15:00 UTC
Last modified on: 02/27/2023 15:17:00 UTC