CVE-2022-43249 - Heap Buffer Overflow in Libde265 v1..8 (Denial of Service via Crafted Video File)

Date of Discovery: September 2022  
Component: libde265 v1..8  
Vulnerability Type: Heap Buffer Overflow  
CVE ID: CVE-2022-43249


In this article, we'll break down CVE-2022-43249, a heap buffer overflow vulnerability discovered in libde265 v1..8, an open-source implementation of the H.265 (HEVC) video codec. We'll discuss what the bug is, why it's dangerous, and how an attacker might exploit it by submitting a specially crafted HEVC file. We'll also look at code snippets from the vulnerable function, giving you a developer's-eye view.

🚨 What Is libde265?

libde265 is a widely used library that decodes H.265/HEVC video files. It's commonly found in video players and video processing tools, making it a critical component for multimedia applications across Linux and other platforms.

🛑 What is CVE-2022-43249?

CVE-2022-43249 is a heap buffer overflow found in libde265 version 1..8. The flaw sits in the function template put_epel_hv_fallback<unsigned short> within the file fallback-motion.cc. If an attacker tricks a user into decoding a malicious HEVC video file, the bug can be triggered, causing a crash and potentially making your application unusable (Denial of Service). While there's no confirmed code execution, heap buffer overflows sometimes lead to more serious security issues (like arbitrary code execution) if exploited smartly.

Where's the bug?

The vulnerable function is put_epel_hv_fallback<unsigned short> in fallback-motion.cc.

🔍 Dive Into The Vulnerable Code

Here's an illustrative snippet from a related part of libde265. This demonstrates how improper bounds checking opens up the memory corruption bug:

template <>
void put_epel_hv_fallback<unsigned short>(
    unsigned short* dst, ptrdiff_t dst_stride,
    const unsigned short* src, ptrdiff_t src_stride,
    int width, int height,
    const int16_t* coeff_hz,
    const int16_t* coeff_vt, int shift)
{
    unsigned short temp_block[SIZE]; // Fixed size temporary buffer

    for (int y = ; y < height; y++) {
        for (int x = ; x < width; x++) {
            // Processing with coefficients ...
            temp_block[y * width + x] = ...; // POTENTIAL OVERFLOW!
        }
    }
    // copy back to destination
}

temp_block is set to a fixed size (for example, SIZE == 16 * 16 = 256).

- But, width and height can actually be larger than 16, especially if fed by a corrupt or designed-to-break HEVC file.
- When an attacker provides huge width or height in the video stream, the loop writes outside the bounds of temp_block, corrupting critical memory on the heap.

The typical exploitation method is simple for a denial-of-service attack

1. The attacker creates a malicious HEVC video file with specially-crafted headers (causing width or height to be unexpectedly large).
2. The victim opens this video file in a vulnerable libde265-based application (could be a video player or video converter).
3. When the file is loaded, the function writes past the end of temp_block, corrupting the heap, which leads to a crash.

Example proof-of-concept crash (pseudocode)

# Possible fuzzing pseudocode
with open("crash.hevc", "wb") as f:
    f.write(b"\x00"*100) # junk header
    f.write(b"\xFF" * 900) # oversized frame data causing big width/height
# Loading this file in a video tool linked with libde265 v1..8 will trigger the bug.

It's easy to imagine a real-world attacker uploading such files to attack web servers, video conversion tools, or tricking users into opening booby-trapped media.

How to stay safe?

- Upgrade libde265: The maintainers patched this bug after its discovery (see libde265 Github issues and commit log). Update to the latest version.

Isolate risky code: Use sandboxing where possible when processing untrusted video files.

- Use fuzz-tested dependencies: Regularly check for CVEs in multimedia libraries your software relies on.

📝 References & Further Reading

- CVE-2022-43249 at NVD
- libde265 Official Site
- GitHub Commit Fix
- OSS-Fuzz Issue Tracker

⚠️ Conclusion

CVE-2022-43249 is a classic heap buffer overflow — simple, dangerous, and high-impact for any service or app decoding untrusted HEVC files using libde265 v1..8. The attack is as easy as playing a video. If you maintain or use tools depending on this library, make sure to update as soon as possible, and always process media in a safe, sandboxed environment.

Stay safe, and always keep an eye on your software dependencies for CVEs like this!

Timeline

Published on: 11/02/2022 14:15:00 UTC
Last modified on: 02/27/2023 15:25:00 UTC