
Heap buffer overflow READ 1 in derive_collocated_motion_vectors

Open dlemstra opened this issue 2 years ago • 3 comments

The @ImageMagick project is using the oss-fuzz tooling of google and with the attached file there is a heap buffer overflow read in derive_collocated_motion_vectors on this line: https://github.com/strukturag/libde265/blob/e587ef6e8000662b91c35ccb866c2374d3a40e27/libde265/motion.cc#L1217

When stepping through this with a debugger I noticed that refIdxCol was -51.

Test file: test.zip

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22170

dlemstra avatar Jun 04 '22 06:06 dlemstra
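The refIdxCol value seen in the debugger (-51) is an out-of-range index into the collocated picture's reference list. As an added example, not libde265's own code, here is a bounds-checked lookup in which any such value is refused before it can index the list; the type and function names, the list layout and the -1 convention for "no prediction from this list" are assumptions made for illustration.

```c
/* Added example, not libde265 code: bounds-checked lookup of the reference
 * picture that a collocated block's refIdxCol points at. Names are assumed. */
#include <stdbool.h>
#include <stddef.h>
#define MAX_NUM_REF_PICS 16

/* Minimal model of the collocated picture's reference picture list. */
typedef struct {
    int  num_ref_idx_active;            /* valid entries in the arrays below */
    int  ref_poc[MAX_NUM_REF_PICS];     /* POC of each reference picture */
    bool is_long_term[MAX_NUM_REF_PICS];
} col_ref_list;

typedef enum { COL_OK, COL_UNAVAILABLE, COL_CORRUPT } col_status;

/* Convention assumed here: refIdxCol == -1 means the collocated block does not
 * predict from this list (e.g. it is intra coded), so the candidate is simply
 * unavailable. Any other value outside [0, num_ref_idx_active), such as the
 * -51 seen in this issue, cannot come from a well-formed stream and must never
 * reach `list->ref_poc[refIdxCol]`, the heap buffer overflow read above. */
col_status lookup_collocated_ref(const col_ref_list *list, int refIdxCol,
                                 int *poc_out, bool *long_term_out)
{
    if (refIdxCol == -1)
        return COL_UNAVAILABLE;
    if (refIdxCol < 0 || list->num_ref_idx_active < 0 ||
        list->num_ref_idx_active > MAX_NUM_REF_PICS ||
        refIdxCol >= list->num_ref_idx_active)
        return COL_CORRUPT;             /* caller should raise a decoder error */
    if (poc_out)       *poc_out = list->ref_poc[refIdxCol];
    if (long_term_out) *long_term_out = list->is_long_term[refIdxCol];
    return COL_OK;
}

/* Constructed sample list: three active entries with POCs 8, 4 and 16. */
col_status sample_lookup(int refIdxCol, int *poc_out)
{
    col_ref_list list = { 3, { 8, 4, 16 }, { false, false, true } };
    return lookup_collocated_ref(&list, refIdxCol, poc_out, NULL);
}

/* POC for a usable index, or -1 when the lookup is refused. */
int sample_poc(int refIdxCol)
{
    int poc = -1;
    return sample_lookup(refIdxCol, &poc) == COL_OK ? poc : -1;
}
```

Probing sample_lookup with 0 and 2 returns COL_OK, with -1 COL_UNAVAILABLE, and with -51, 3 or 16 COL_CORRUPT, so the corrupted index from this report never reaches the array.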

We have a similar case in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31520 with a new note:

This crash occurs very frequently on linux platform and is likely preventing the fuzzer kimgio_heif_fuzzer from making much progress. Fixing this will allow more bugs to be found.

novomesk avatar Nov 22 '22 10:11 novomesk

I was not able to reproduce this issue. I tried with old versions back to v1.0.8 and on old Ubuntu 16.04. The h265 stream extracted from test.heic: issue320.zip

Please check whether the issue is still present as I have fixed several issues that appear related.

farindk avatar Jan 27 '23 11:01 farindk

One more comment about the testfile oss-fuzz_31520.zip from https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31520

When I tried to convert the clusterfuzz-testcase-kimgio_heif_fuzzer-5318344388509696.heic using heif-convert to PNG, decoding ended with an error.

However, when I ran the same command via valgrind, the conversion was successful and I got the following image as output:

After rebuilding libde265 and libheif from git, the behavior seems to be identical: an error when running natively and the same error when running under valgrind.

So I believe the nondeterministic issue is likely fixed. Maybe that was the reason why the case was not always reproducible.

novomesk avatar Jan 27 '23 12:01 novomesk