Libde265 is an open source implementation of the High Efficiency Video Coding (HEVC, also known as H.265) standard. Many popular media players and tools use libde265 to decode H.265 video files. In version 1..8 of this library, a serious vulnerability was discovered: CVE-2022-43248, a heap buffer overflow in the put_weighted_pred_avg_16_fallback function found in the fallback-motion.cc file.
This post breaks down what the vulnerability is, how it can be exploited, and shows some basic code to demonstrate the problem. For those interested in details and staying secure, we also provide reference links and guidance.
Potential Impact: Denial of Service (DoS) via crafted video file
The vulnerability allows attackers to cause the software using libde265 to crash by making it read or write outside the bounds of memory buffers allocated on the heap.
How Does It Work?
At a high level, put_weighted_pred_avg_16_fallback handles certain pixel motion calculations for video playback. If the video file is intentionally malformed, this function will read or write past the end of an allocated buffer (heap memory), causing unexpected behavior like a crash.
Triggering the Vulnerability
To exploit CVE-2022-43248, an attacker simply needs to create a specially crafted video file. When libde265 tries to decode this file, the bad data will cause put_weighted_pred_avg_16_fallback to write past a buffer’s end, crashing the process.
Why does this matter?
- On media servers or desktop video players, malicious videos could crash the application, causing loss of service or even potential points of entry for further attacks.
Minimal Exploit Demonstration
While the specific trigger depends on video encoding details, here’s a simple idea of what the problematic code looks like.
Vulnerable Code Pattern
// fallback-motion.cc (partial, pseudo-code)
void put_weighted_pred_avg_16_fallback(uint8_t* dst, const uint8_t* src, int stride) {
for (int y = ; y < 16; ++y) {
for (int x = ; x < 16; ++x) {
dst[y * stride + x] = (src[y * stride + x] + dst[y * stride + x] + 1) >> 1;
// No bounds checking on dst or src!
}
}
}
If stride or the supplied data sizes are not as expected, these indexes may go out of the allocated buffer, causing a heap buffer overflow.
Exploitation Proof of Concept
Below is a conceptual Python script that creates a malformed video file (this will not playback, but illustrates the approach):
# This is a simplified example for educational purposes only.
with open('crash.hevc', 'wb') as f:
# Write minimal HEVC headers
f.write(b"\x00\x00\x00\x01\x42\x01\x01\x60")
# Bad slice that causes large stride and out of bounds
f.write(b"\x00" * 1024 * 1024) # 1MB of zeros to cause unexpected behavior
Feed this file to any player using libde265 v1..8, and it may crash.
Note: The actual trigger depends on the internal layout of the HEVC file and how parameters are set, but the general principle is that oversized data can cause the buffer overflow.
Fix and Recommendations
The issue has been fixed in later versions of libde265. Always update your libraries and software to the latest versions.
If you maintain any server or service using libde265, patch immediately or apply mitigations, such as sandboxing the video decoding.
References
- CVE-2022-43248 on NVD
- libde265 GitHub Repository
- OSS-Fuzz issue #52757 - Heap-buffer-overflow in put_weighted_pred_avg_16_fallback
- Mitre CVE Entry
- PoC reports and technical details
Conclusion
CVE-2022-43248 shows why even widely-used open source libraries can harbor critical bugs. If you build or operate anything that processes video files, pay attention to library security, validate your inputs, and update often.
Stay safe, patch often, and always treat untrusted video files with caution.
*This post is for educational purposes only — do not use vulnerabilities for unauthorized action. Responsible disclosure and patching protects everyone!*
Timeline
Published on: 11/02/2022 14:15:00 UTC
Last modified on: 02/27/2023 15:25:00 UTC