From ba2c795bcb324cc7e9bfdbcc4e122a6954cf1fde Mon Sep 17 00:00:00 2001
From: Dirk Farin
Date: Tue, 24 Jan 2023 16:53:06 +0100
Subject: [PATCH] [PATCH] SAO: fix illegal table access when input pixel is out of range (fixes #351)
Gbp-Pq: Name CVE-2022-43245-fix-asan-wildpointer-apply_sao_internal.patch
---
 libde265/sao.cc | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)
diff --git a/libde265/sao.cc b/libde265/sao.cc
index 62e8c06..7cb6014 100644
--- a/libde265/sao.cc
+++ b/libde265/sao.cc
@@ -211,11 +211,21 @@ void apply_sao_internal(de265_image* img, int xCtb,int yCtb,
 continue;
 }
- int bandIdx = bandTable[ in_img[xC+i+(yC+j)*in_stride]>>bandShift ];
-
 // Shifts are a strange thing. On x86, >>x actually computes >>(x%64).
 // So we have to take care of large bandShifts.
- if (bandShift>=8) { bandIdx=0; }
+ int bandIdx;
+ if (bandShift >= 8) {
+ bandIdx = 0;
+ } else {
+ int pixel = in_img[xC+i+(yC+j)*in_stride];
+
+ // Note: the input pixel value should never exceed the valid range, but it seems that it still does,
+ // maybe when there was a decoding error and the pixels have not been filled in correctly.
+ // Thus, we have to limit the pixel range to ensure that we have no illegal table access.
+ pixel = Clip3(0,maxPixelValue, pixel);
+
+ bandIdx = bandTable[ pixel>>bandShift ];
+ }
 if (bandIdx>0) {
 int offset = saoinfo->saoOffsetVal[cIdx][bandIdx-1];
@@ -237,10 +247,13 @@ void apply_sao_internal(de265_image* img, int xCtb,int yCtb,
 for (int j=0;j>bandShift ];
-
 // see above
- if (bandShift>=8) { bandIdx=0; }
+ int bandIdx;
+ if (bandShift >= 8) {
+ bandIdx = 0;
+ } else {
+ bandIdx = bandTable[ in_img[xC+i+(yC+j)*in_stride]>>bandShift ];
+ }
 if (bandIdx>0) {
 int offset = saoinfo->saoOffsetVal[cIdx][bandIdx-1];
--
2.30.2
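Review bot: In the first hunk (`@@ -211,11 +211,21 @@`) the new `Clip3(0,maxPixelValue, pixel)` keeps the `bandTable` index in range only if `maxPixelValue>>bandShift` is smaller than the number of table entries, and the definitions of `bandTable`, `maxPixelValue` and `bandShift` all lie outside the hunk. I would state that invariant next to the lookup, for example `// index is at most maxPixelValue>>bandShift, which must stay below the bandTable size`, so the bound can be checked where the access happens. The added comment attributes the out-of-range pixel to a possible decoding error; clamping hides that condition, so it may be worth also reporting it through whatever warning path the decoder has. The body of apply_sao_internal starts and ends outside the hunk.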
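Review bot: The second hunk (`@@ -237,10 +247,13 @@`) still indexes the table with the unclamped value, `bandIdx = bandTable[ in_img[xC+i+(yC+j)*in_stride]>>bandShift ];`, so the out-of-range pixel that the first hunk guards against would read past `bandTable` on this path. Nothing visible in the hunk shows that this loop only receives valid pixels, so I would use the same three lines as the first hunk: `int pixel = in_img[xC+i+(yC+j)*in_stride];`, `pixel = Clip3(0,maxPixelValue, pixel);`, `bandIdx = bandTable[ pixel>>bandShift ];`. If the clamp is left out on purpose, a comment saying why this loop is safe belongs next to `// see above`. The loop continues outside the hunk.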