CVE CyberSecurity Database News

CVE-2022-43244 - Heap Buffer Overflow in libde265 v1..8 Explained — An Easy Guide With Example Exploit

Poster -

Libde265 is a popular open-source library for decoding High Efficiency Video Coding (HEVC, a.k.a. H.265) video content. In November 2022, a serious bug was reported in libde265 version 1..8: CVE-2022-43244. This simple writeup breaks down what happened, why it’s dangerous, how attackers can exploit it, and what developers should do to stay safe.

What Is CVE-2022-43244?

This CVE highlights a heap-buffer-overflow vulnerability in the function put_qpel_fallback<unsigned short> found in fallback-motion.cc inside libde265.

Trigger: Maliciously crafted video file

In simpler words, a bad video file sent to any app using this version of libde265 can crash the app or possibly allow further damage.

How Does the Vulnerability Work?

The weakness lies in faulty buffer bounds checking in a critical function responsible for video motion compensation. If a specially-designed video file provides wrong or exaggerated values, the function writes more data than it is supposed to, corrupting heap memory.

Here’s a simplified version (*not the real code*)

template<typename T>
void put_qpel_fallback(const uint8_t* src, int src_stride,
                       T* dst, int dst_stride,
                       int width, int height)
{
    for (int y = ; y < height; y++) {
        for (int x = ; x < width; x++) {
            // Dangerous: no bounds checking!
            dst[y*dst_stride + x] = (T)src[y*src_stride + x];
        }
    }
}

If width or height are larger than what the destination buffer (dst) allows, the code writes past the valid memory area. If an attacker crafts a video with odd dimensions, the library overruns the buffer, leading to a crash.

Exploit Example

A simple proof-of-concept (PoC) can be to take a sample HEVC file and tweak the headers so that a single tiny video frame is announced as much bigger than usual, pushing the decoder to allocate a small buffer but copy too much data.

Here’s pseudo code to test the crash (with any app using the vulnerable libde265)

# Try to decode the malicious video in a tool using libde265
ffmpeg -i evil.hevc -f null -

- The result? ffmpeg (or your video player) crashes—sometimes with a message like "Segmentation fault".

Sample PoC Video

You can generate a bad video like this with any hex editor—change the resolution or frame dimensions in an .hevc file header so it claims huge size, or use AFL or honggfuzz to fuzz the decoder until it crashes.

Note: This is a DoS attack, but buffer overflows can sometimes be upgraded to arbitrary code execution depending on how the overrun behaves.

Is There a Fix?

Yes! The bug was patched by adding proper bounds checking in libde265’s internal routines. You should update to libde265 v1..9 or later.

Links:  
- Official Patch
- libde265 Downloads
- NVD CVE Reference

If your system uses libde265 for video (via VLC, ffmpeg, GStreamer, etc.), run

dpkg -l | grep libde265  # On Debian/Ubuntu
rpm -q libde265          # On Fedora/RedHat


If you see version 1..8 or earlier, update ASAP.

Always upgrade dependencies regularly.

- If you operate public file upload or video processing features, use sandboxes and process files as an unprivileged user.
- Track CVE feeds or use tools like osv-scanner for your projects.

References

- libde265 GitHub Security Advisory
- libde265 fallback-motion.cc code
- CVE-2022-43244 at NVD
- Example patched code


Conclusion: If you process HEVC video, update libde265 ASAP. Buffer overflows are an old bug class, but they keep coming back as new library code gets released. Stay safe—keep software current and be careful with user-supplied files!

Timeline

Published on: 11/02/2022 14:15:00 UTC
Last modified on: 02/27/2023 15:25:00 UTC