CVE-2022-43238 - Libde265 v1..8 Denial of Service via ff_hevc_put_hevc_qpel_h_3_v_3_sse Crash – Exploit Details and Explanation

Libde265 is among the most popular free HEVC (High Efficiency Video Coding, also known as H.265) decoding libraries. It's used in many multimedia applications to decode video streams efficiently. But like most software, it’s not immune to vulnerabilities. One such issue is CVE-2022-43238, a Denial of Service (DoS) vulnerability discovered in version 1..8.

In this long read, we break down what this vulnerability is, how it can be triggered, some sample code for testing, links to resources, and what you can do about it. All in plain English, for developers and users alike.

What is CVE-2022-43238?

CVE-2022-43238 names a vulnerability where Libde265 can be forced to crash (causing Denial of Service) if it attempts to decode a *maliciously crafted video file*. The problem is traced to the function ff_hevc_put_hevc_qpel_h_3_v_3_sse within the file sse-motion.cc.

What’s scary is that if your application uses Libde265 to handle files provided by outsiders (like on a video sharing site, chat, or upload service), a bad file could knock out the video process or even the entire program.

Why Does This Happen?

The vulnerable function is called during certain video processing operations. In version 1..8, unsafe input handling from malformed video files causes *unknown crashes*—potentially a segmentation fault—that can bring down the software.

More specifically, this seems to relate to the SSE (Streaming SIMD Extensions) optimized functions for motion compensation in the decoder. If the video file is crafted in such a way that the buffer logic gets violated, memory outside expected ranges could be accessed, and the process may crash.

Proof of Concept (PoC)

For research or testing (do not use maliciously!), here is an example C code snippet showing how you might use Libde265 to decode a video file. You'd want to feed it a crafted HEVC file reproducing the crash.

#include <stdio.h>
#include <libde265/de265.h>

int main(int argc, char** argv) {
    de265_decoder_context* decctx = de265_new_decoder();
    FILE* file = fopen("malicious.hevc", "rb");

    if (!file) {
        printf("Cannot open input file.\n");
        return 1;
    }

    unsigned char buf[4096];
    int n;
    while ((n = fread(buf, 1, sizeof(buf), file)) > ) {
        de265_error err = de265_push_data(decctx, buf, n, , , NULL);

        // (Loop goes here; error handling ommitted for brevity)

        if (err != DE265_OK) {
            printf("Error during decode: %d\n", err);
            break;
        }
    }

    de265_free_decoder(decctx);
    fclose(file);
    return ;
}

With a malicious HEVC video file (crafted to trigger the bug), simply running this tool can crash the process.

How an Attacker Might Exploit This

An attacker only needs to get a crafted video file processed by the vulnerable library. This could happen a few ways:

Tricking a user into opening it with a vulnerable video player

Once the file is processed, the crash occurs, causing Denial of Service. While this vulnerability is only known to cause crashes (not remote code execution), it's still dangerous, especially for server apps and endpoints.

The heart of the vulnerability lies in the SSE-optimized function that handles HEVC pixel operations

// This is not the exact code, just an illustration:
void ff_hevc_put_hevc_qpel_h_3_v_3_sse(... /* params */) {
    // ... complex operations on image buffers
    // Error: the following routine can go out-of-bounds if 'src' or 'dst' is not valid due to a malformed file
}

The crafted file causes the decoder to demand impossible buffer offsets or dimensions, triggering invalid memory access—crashing with a segmentation fault.

References

- CVE-2022-43238 at NVD
- libde265 Github page
- Official libde265 site
- Vulnerability disclosure on oss-security

Conclusion

CVE-2022-43238 is a classic example of how even performance-tuned multimedia libraries can be crashed through faulty input handling. Always keep your dependencies up-to-date, especially if you process files from users. Denial of Service attacks are easy to pull off if your backend isn’t well-protected!

For further reading or patching help, check the links above.


*Stay safe, keep your libraries fresh, and always test video parsing with fuzzed files in a safe environment.*

Timeline

Published on: 11/02/2022 14:15:00 UTC
Last modified on: 02/27/2023 15:23:00 UTC