Target
libaom < v3.9.0
libvpx < v1.14.1
解释
开源视频编解码库 libaom 中发现的整数溢出漏洞的详细信息已被披露。
该漏洞存在于aom/src/aom_image.c分配新图像缓冲区的img_alloc_helper()函数中。
// static aom_image_t *img_alloc_helper(// aom_image_t *img, aom_img_fmt_t fmt, unsigned int d_w, unsigned int d_h,// unsigned int buf_align, unsigned int stride_align, unsigned int size_align,// unsigned int border, unsigned char *img_data,// aom_alloc_img_data_cb_fn_t alloc_cb, void *cb_priv) {32 unsigned int h, w, s, xcs, ycs, bps, bit_depth;// ...107 /* Calculate storage sizes given the chroma subsampling */108 w = align_image_dimension(d_w, xcs, size_align);109 h = align_image_dimension(d_h, ycs, size_align);110111 s = (fmt & AOM_IMG_FMT_PLANAR) ? w : bps * w / bit_depth; <==== s and w are 32-bit integer variable112 s = (s + 2 * border + stride_align - 1) & ~(stride_align - 1);113 stride_in_bytes = s * bit_depth / 8; <==== Integer overflow occurred, causing stride_in_bytes to become a smaller value.114
line 32用于图像操作的变量unsigned int被声明为 32 位大小类型。然后 ,根据line 111和计算出line 112图像的步长 ,在此过程中,如果计算结果超出范围,则会触发整数溢出并变为比预期更小的值。stride_in_bytesunsigned intstride_in_bytes
Stride:与width类似,是指图像一行的大小,但与width不同的是,它是包含padding等的大小。步幅必须大于或等于宽度。
115 /* Allocate the new image */116 if (!img) {117 img = (aom_image_t *)calloc(1, sizeof(aom_image_t));118119 if (!img) goto fail;120121 img->self_allocd = 1;122 }123124 img->img_data = img_data;125126 if (!img_data) {127 const uint64_t alloc_size =128 (fmt & AOM_IMG_FMT_PLANAR)129 ? (uint64_t)(h + 2 * border) * stride_in_bytes * bps / bit_depth130 : (uint64_t)(h + 2 * border) * stride_in_bytes;131132 if (alloc_size != (size_t)alloc_size) goto fail;133134 if (alloc_cb) {135 const size_t padded_alloc_size = (size_t)alloc_size + buf_align - 1;136 img->img_data = (uint8_t *)alloc_cb(cb_priv, padded_alloc_size);137 if (img->img_data) {138 img->img_data = (uint8_t *)aom_align_addr(img->img_data, buf_align);139 }140 img->img_data_owner = 0;141 } else {142 img->img_data = (uint8_t *)aom_memalign(buf_align, (size_t)alloc_size); <==== Object allocation143 img->img_data_owner = 1;144 }145 img->sz = (size_t)alloc_size;146 }
然后,计算 ,使用 ,line 127 ~ 130计算出的值小于预期,然后分配与 一样多的图像。stride_in_bytesalloc_sizeline 142alloc_size
分配的内存地址分别存储在分配的新图像对象img的img_date和字段中。szalloc_size
147148 if (!img->img_data) goto fail;149150 img->fmt = fmt;151 img->bit_depth = bit_depth;152 // aligned width and aligned height153 img->w = w;154 img->h = h;155 img->x_chroma_shift = xcs;156 img->y_chroma_shift = ycs;157 img->bps = bps;
img原始值存储在对象的w字段中,但是在后面处理图像时,使用计算出的图像大小可能会由于整数溢出而小于预期,这可能会导致堆溢出超出分配的堆。wimg→wstride_in_bytesalloc_sizealloc_size
该漏洞的补丁包括unsigned int将声明为类型的变量更改为类型。uint64_t
diff --git a/aom/src/aom_image.c b/aom/src/aom_image.cindex 3b1c33d05..60459bf71 100644--- a/aom/src/aom_image.c+++ b/aom/src/aom_image.c@@ -36,7 +36,7 @@ static aom_image_t *img_alloc_helper(/* NOTE: In this function, bit_depth is either 8 or 16 (if* AOM_IMG_FMT_HIGHBITDEPTH is set), never 10 or 12.*/- unsigned int h, w, s, xcs, ycs, bps, bit_depth;+ uint64_t h, w, s, xcs, ycs, bps, bit_depth;unsigned int stride_in_bytes;if (img != NULL) memset(img, 0, sizeof(aom_image_t));
vpx_img_alloc()在 libvpx 函数中也发现了相同的整数溢出漏洞,该函数与 libaom 具有类似的实现,并被分配了 CVE-2024-5197。
[하루한줄] CVE-2024-5171: libaom의 integer overflow 취약점 _https://hackyboiz.github.io/2024/06/10/l0ch/2024-06-10/
原文始发于微信公众号(Ots安全):CVE-2024-5171:libaom_中的整数溢出 漏洞分析
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论