In October 2022, a significant security vulnerability, CVE-2022-43250, was discovered in the popular open-source HEVC (H.265) decoder library, libde265 version 1..8. This bug can be triggered when a specially-crafted video file is decoded, leading to a heap buffer overflow in the function put_qpel___fallback_16 in fallback-motion.cc. Successful exploitation can crash the application (Denial of Service), or in some cases, may pave the way for more serious attacks. This post will break down the vulnerability, show real code references, and provide a proof-of-concept (PoC) exploit scenario.
What is Libde265?
Libde265 is an open-source implementation of the H.265 video codec, widely used in multimedia applications. It allows developers to decode H.265/HEVC videos. But like much complex code dealing with memory and binary input, it’s prone to memory safety bugs.
Vulnerability Details
The vulnerability is caused by improper bounds checking in the function put_qpel___fallback_16. When decoding certain malformed video files, this function can write memory outside of the destination buffer — a classic heap buffer overflow.
- CVE: CVE-2022-43250
Relevant Code Snippet
Here’s a simplified version of the vulnerable function from fallback-motion.cc:
void put_qpel___fallback_16(uint8_t *dst, const uint8_t *src, intptr_t stride) {
for (int y = ; y < 16; y++) {
memcpy(dst, src, 16); // <= Vulnerable: No check if dst is large enough!
src += stride;
dst += stride;
}
}
If the dst pointer points to a buffer smaller than what’s written by this loop, heap memory past the buffer is overwritten, potentially corrupting other data or code.
How Can This be Exploited?
Because video files streamed into libde265 can influence how buffers are allocated and referenced, a crafted file can manipulate the decoding process, making libde265 call the above function with too-small buffers.
Denial of Service Example
An attacker crafts a malicious HEVC video file. When a user tries to play this file in a player using libde265, the player crashes immediately. This is a typical denial of service scenario.
To demonstrate, here's a PoC using the command-line utility dec265 (bundled with libde265)
# malfile.hevc is a crafted file with video data triggering the bug
dec265 malfile.hevc
Result (output)
Segmentation fault (core dumped)
Even fuzzers can reproduce the crash easily. For example, see the oss-fuzz issue report:
> SUMMARY: AddressSanitizer: heap-buffer-overflow … in put_qpel___fallback_16 fallback-motion.cc:XXX
>
> CAUSE: Invalid memory write due to improper bounds check.
Why is This Dangerous?
- Denial of Service: Crashing the player — annoying, but not catastrophic unless used in spam/mass attacks.
- Potential Code Execution: If the attacker can control the overflow with precise data, they could potentially run code in the context of the player software. As of today, only DoS has been practically demonstrated.
## How to Patch / Fix
This vulnerability was fixed quickly by adding proper length checks before writing to the memory buffer.
Example Fix
void put_qpel___fallback_16(uint8_t *dst, const uint8_t *src, intptr_t stride) {
if (/* check if dst large enough */) {
for (int y = ; y < 16; y++) {
memcpy(dst, src, 16);
src += stride;
dst += stride;
}
}
}
Or by making allocation guarantees elsewhere in the code.
Resources and References
- CVE-2022-43250 NVD entry
- Upstream issue/oss-fuzz report
- libde265 Github (v1..8 tag)
- libde265 releases
Conclusion
CVE-2022-43250 is a clear reminder that memory safety in C/C++ codebases is hard — especially when handling untrusted binary data, like video streams. Always keep your dependencies up to date, and consider running dangerous decoders in sandboxes.
If you develop or maintain a video player or any app using libde265, upgrade immediately to the latest patched version.
*Stay safe and always use fuzzing and code reviews. For comments or questions, reach out here.*
Timeline
Published on: 11/02/2022 14:15:00 UTC
Last modified on: 02/27/2023 15:25:00 UTC