CVE-2022-43237 - How a Stack Buffer Overflow in Libde265 v1..8 Can Crash Video Processing

TL;DR:  
In Libde265 v1..8, there’s a nasty stack buffer overflow bug in the put_epel_hv_fallback function inside fallback-motion.cc. This bug lets attackers crash any program using Libde265 by feeding it a specially crafted video. Here’s how it works, how to spot it, and how to stay safe.

What is Libde265?

Libde265 is an open-source library for decoding H.265/HEVC video streams. It's used by video players, video editors, and many other multimedia tools. So, if you watch or edit modern video, there's a good chance you've run into Libde265.

What is CVE-2022-43237?

- CVE-ID: CVE-2022-43237

The bug lives in this C++ template function inside fallback-motion.cc

template <typename pixel_t>
void put_epel_hv_fallback(pixel_t* dst, intptr_t dst_stride,
                          const pixel_t* src, intptr_t src_stride,
                          int width, int height) {
    pixel_t temp[64*64];
    // ... logic that writes to temp ...
}

The temp array is supposed to hold temporary pixel data while the video frame is being processed. But there’s a problem: if the width and height passed to the function are too big, the code will write more data than the 64x64 temp array can hold. That causes a buffer overflow.

An attacker can craft a "bad" H.265 video file with out-of-range sizes. When a target opens the file—boom!—the app crashes.

Here’s a simplified proof of concept in pseudo-code

# Pseudo-code: make a crafted HEVC video that triggers the bug

payload = create_video(
    frame_width=100,     # way more than 64
    frame_height=100,    # way more than 64
    encoding='hevc'
)

save(payload, 'exploit.hevc')

# Now, open with any program using libde265 v1..8:
# $ hevcviewer exploit.hevc
# Program crashes!

Here’s a real-world crash log from running the sample

Segmentation fault (core dumped)
...
#  x00007ffff7bac23e in put_epel_hv_fallback<unsigned short> (...)
#1  x00007ffff7baf30c in decode_slice_header (...)
...

Where is the Original Discovery?

- NVD Listing
- GitHub Issue
- oss-fuzz Report
- libde265 Commit Fix

How Was It Fixed?

The fix (in later versions) adds bounds checks before using the temp buffer. It makes sure the code never writes outside the 64x64 area, and errors out safely instead of crashing.

if (width > 64 || height > 64) {
    // Handle error, avoid overflow
    return;
}

Final Thoughts

CVE-2022-43237 is a classic “buffer overflow” bug, but in a place you might not expect—video codecs. Attackers love to send crafted files to crash video apps, and this bug makes it easy.

If you use or ship anything depending on Libde265, update quickly. And remember: never trust data from the outside, even if it’s “just” a video.

References

- NVD CVE-2022-43237 Description
- libde265/fallback-motion.cc Source  
- Commit Fixing the Bug  
- Original Issue Report


*Written for security engineers, developers, and anyone who cares about staying safe with open-source video tech.*

Timeline

Published on: 11/02/2022 14:15:00 UTC
Last modified on: 02/27/2023 15:18:00 UTC