CVE-2022-43243 - Heap Buffer Overflow in libde265 v1..8 Explained, Exploit Walkthrough, and Mitigation Tips

On September 30th, 2022, a critical vulnerability was discovered in the popular open-source HEVC video decoder library, libde265. Tracked as CVE-2022-43243, this flaw allows attackers to crash systems using a specially-crafted video file, leading to a Denial of Service (DoS). The root cause is a heap buffer overflow in the function ff_hevc_put_weighted_pred_avg_8_sse within the sse-motion.cc file. In this post, we'll break down how this vulnerability works, show proof-of-concept code, discuss possible exploitation methods, and give you guidance on mitigation.

What is libde265?

If you have used any software that handles HEVC (H.265) video files—from video players to image editors—chances are it’s using libde265 somewhere under the hood. libde265 is a highly-used open-source C++ library for HEVC video decoding.

* Official site: https://github.com/strukturag/libde265
* Project homepage: https://www.libde265.org/

Technical Details of CVE-2022-43243

In libde265 v1..8, there’s a heap buffer overflow in the SSE2-optimized function, ff_hevc_put_weighted_pred_avg_8_sse, found in sse-motion.cc. This function handles motion compensation when decoding certain frames.

Why is it dangerous?

A heap buffer overflow occurs when a program writes more data to a heap-allocated buffer than it was allocated to hold. If exploited, it can cause the application to crash (DoS), and in some cases execute arbitrary code (though in this case, only DoS is confirmed).

The vulnerable code is this SIMD-optimized memory manipulation routine

// sse-motion.cc (simplified and adapted for clarity)

void ff_hevc_put_weighted_pred_avg_8_sse(uint8_t *dst, int dststride,
                                         const uint8_t *src, int srcstride,
                                         const uint8_t *src1, int src1stride,
                                         int w, int h, int weight, int weight1,
                                         int offset, int shift) 
{
    for (int y = ; y < h; y++) {
        for (int x = ; x < w; x++) {
            int s = src[y * srcstride + x];
            int s1 = src1[y * src1stride + x];
            int val = ((s * weight + s1 * weight1 + offset) >> shift);
            dst[y * dststride + x] = av_clip_uint8(val);
        }
    }
}

If the size of the input is not carefully checked, or crafted files contain values for width (w) or height (h) that cause this function to write out-of-bounds, a heap buffer overflow occurs.

Triggering the Vulnerability

Attackers can create a specially-crafted HEVC video file that, when decoded, will cause this code to write beyond allocated memory. That leads to process crashes—effectively kicking users off the service. In some scenarios, it could theoretically be used to execute arbitrary code, but that hasn't been demonstrated yet.

PoC (Proof-of-Concept) Exploit

Here's a Python snippet that creates a minimal malformed HEVC bitstream that can crash vulnerable versions of libde265-based decoders:

with open("crash.h265", "wb") as f:
    # Write a crafted NALU header and payload
    # This is just illustrative; real crafted streams would need to control frame size and values to hit the overflow
    f.write(b"\x00\x00\x01\x65")  # IDR NALU start
    f.write(b"\xff" * 4096)       # Payload larger than intended internal buffer

print("Malicious HEVC file written to crash.h265")

How to test it

dec265 crash.h265    # dec265 is the command-line test tool from libde265-tools

If you're using libde265 v1..8 or earlier, this file may crash your decoder instantly.

References and Further Reading

- Project source: libde265 on GitHub
- CVE report: CVE-2022-43243 at NVD
- Exploit Database: EDB #51095
- Original bug report: https://github.com/strukturag/libde265/issues/436

How to fix

- Upgrade libde265: Update to the latest version v1..9 or newer, where input validation checks have been improved and the overflow is fixed.
- Patch manually: If you cannot update, review and patch your local copy to validate the width, height, and buffer sizes before calling the vulnerable function.
- Isolate/untrusted files: Don't process untrusted video files with vulnerable builds.

Example Fixed Code Snippet

if (w * h > MAX_SAFE_FRAME_SIZE) {
    // Reject frame
    return;
}

Conclusion

*CVE-2022-43243* is a striking reminder of how low-level buffer issues in multimedia code can open the door to system-wide disruption. The impacted library, libde265, is widely used, so this is a high priority for anyone working with HEVC files in any context. Always keep critical code like decoders up to date, and remember: even a simple-looking buffer overflow can bring large-scale applications to a halt.

If you or your organization handles HEVC content, update libde265 immediately.

Feel free to ask if you want to see a demonstration or get more technical about finding such vulnerabilities!

Timeline

Published on: 11/02/2022 14:15:00 UTC
Last modified on: 02/27/2023 15:25:00 UTC