Fix vuln OSV-2024-1124

[aled-ua]

[Warning] This PR is generated by AI

1. PR Title: Fix for Heap-Buffer-Overflow Vulnerability in libavc - OSV-2024-1124

2. PR Description:

   • Bug Type: Heap-Buffer-Overflow
   • Summary: A heap-buffer-overflow vulnerability was identified in the libavc project. The program attempted to access memory outside the allocated heap buffer during bitstream processing. Specifically, the error occurred when trying to read 4 bytes at an invalid offset in the ih264d_read_coeff4x4_cabac function.
   • Fix Summary:
     • The vulnerability was fixed by adding bounds checking using the EXCEED_OFFSET macro to ensure that the bitstream's offset (u4_ofst) does not exceed the maximum permissible offset (u4_max_ofst).
     • Two bounds checks were added:
       1. Before initialization in the ih264d_read_coeff4x4_cabac function.
       2. Before further processing to guarantee memory safety.
     • These changes prevent any invalid memory access, ensuring the program operates securely within the allocated memory.
   • Effect: This fix improves the security by preventing unauthorized memory access, which could potentially lead to crashes or exploitation. The stability of the program is also enhanced by ensuring robust handling of bitstream offsets.

3. Sanitizer Report Summary:
   The sanitizer detected a heap-buffer-overflow error. The program attempted to read 4 bytes beyond the allocated buffer's boundary of 479223 bytes. The error occurred in the ih264d_read_coeff4x4_cabac function and propagated through multiple function calls. The root cause was identified as insufficient bounds checking on the bitstream offset.

4. Full Sanitizer Report:

   ==11398==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fd359e4e7f4 at pc 0x55e5a1d27472 bp 0x7fff58a46da0 sp 0x7fff58a46d98
   READ of size 4 at 0x7fd359e4e7f4 thread T0
       #0 0x55e5a1d27471 in ih264d_read_coeff4x4_cabac /root/decoder/ih264d_parse_cabac.c:412:33
       #1 0x55e5a1d298cd in ih264d_cabac_parse_8x8block /root/decoder/ih264d_parse_cabac.c:1107:15
       #2 0x55e5a1d2ac72 in ih264d_parse_residual4x4_cabac /root/decoder/ih264d_parse_cabac.c:1260:29
       #3 0x55e5a1d48f8f in ih264d_parse_imb_cabac /root/decoder/ih264d_parse_islice.c:724:5
       #4 0x55e5a1d4cc02 in ih264d_parse_islice_data_cabac /root/decoder/ih264d_parse_islice.c:1087:23
       #5 0x55e5a1d4e2c3 in ih264d_parse_islice /root/decoder/ih264d_parse_islice.c:1489:15
       #6 0x55e5a1c01165 in imvcd_parse_islice /root/decoder/mvc/imvcd_slice_functions.c:1894:9
       #7 0x55e5a1bf7397 in imvcd_parse_decode_slice /root/decoder/mvc/imvcd_slice_functions.c:2351:25
       #8 0x55e5a1bee7e2 in imvcd_nalu_parser /root/decoder/mvc/imvcd_nalu_parser.c:809:41
       #9 0x55e5a1bd6023 in imvcd_view_decode /root/decoder/mvc/imvcd_api.c:827:29
       #10 0x55e5a1bcac20 in imvcd_decode /root/decoder/mvc/imvcd_api.c:1238:20
       #11 0x55e5a1bca35b in imvcd_api_function /root/decoder/mvc/imvcd_api.c:1600:20
       #12 0x55e5a1bc953f in Codec::decodeFrame(unsigned char const*, unsigned long, unsigned long*) /root/fuzzer/mvc_dec_fuzzer.cpp:339:11
       #13 0x55e5a1bc9e7f in LLVMFuzzerTestOneInput /root/fuzzer/mvc_dec_fuzzer.cpp:400:43
       #14 0x55e5a1ad2cf4 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/root/out/mvc_dec_fuzzer+0x4fcf4) (BuildId: 1ae70dcae4934d8803b96fbb9de78dfc8ad21b88)
       #15 0x55e5a1abbe26 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/root/out/mvc_dec_fuzzer+0x38e26) (BuildId: 1ae70dcae4934d8803b96fbb9de78dfc8ad21b88)
       #16 0x55e5a1ac18da in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/root/out/mvc_dec_fuzzer+0x3e8da) (BuildId: 1ae70dcae4934d8803b96fbb9de78dfc8ad21b88)
       #17 0x55e5a1aec096 in main (/root/out/mvc_dec_fuzzer+0x69096) (BuildId: 1ae70dcae4934d8803b96fbb9de78dfc8ad21b88)
       #18 0x7fd3600831c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
       #19 0x7fd36008328a in __libc_start_main csu/../csu/libc-start.c:360:3
       #20 0x55e5a1ab69f4 in _start (/root/out/mvc_dec_fuzzer+0x339f4) (BuildId: 1ae70dcae4934d8803b96fbb9de78dfc8ad21b88)
   

5. Files Modified:

   • decoder/ih264d_parse_cabac.c

   diff --git a/decoder/ih264d_parse_cabac.c b/decoder/ih264d_parse_cabac.c
   index c4a3bd5..5ea496d 100644
   --- a/decoder/ih264d_parse_cabac.c
   +++ b/decoder/ih264d_parse_cabac.c
   @@ -80,6 +80,10 @@ UWORD8 ih264d_read_coeff4x4_cabac(dec_bit_stream_t *ps_bitstrm,
   
       ps_tu_4x4 = (tu_sblk4x4_coeff_data_t *)ps_dec->pv_parse_tu_coeff_data;
       ps_tu_4x4->u2_sig_coeff_map = 0;
   +
   +    /* Safety: Ensure offset is within permissible bounds */
   +    if (EXCEED_OFFSET(ps_bitstrm))
   +        return 0;
       pi2_coeff_data = &ps_tu_4x4->ai2_level[0];
   
       u4_offset = ps_bitstrm->u4_ofst;
   @@ -132,6 +136,10 @@ UWORD8 ih264d_read_coeff4x4_cabac(dec_bit_stream_t *ps_bitstrm,
   
       }
   
   +    /* Safety: Check before further processing */
   +    if (EXCEED_OFFSET(ps_bitstrm))
   +        return 0;
   +
       if(u4_coded_flag)
       {

6. Patch Validation: The patch has been validated and confirmed to resolve the issue identified in the sanitizer report. No new bugs were introduced during testing.

7. Links:

   • Original Vulnerability Report
   • Proof of Concept (PoC)