libde265
Heap buffer overflow READ 1 in derive_collocated_motion_vectors
The @ImageMagick project is using the oss-fuzz tooling of google and with the attached file there is a heap buffer overflow read in derive_collocated_motion_vectors
on this line:
https://github.com/strukturag/libde265/blob/e587ef6e8000662b91c35ccb866c2374d3a40e27/libde265/motion.cc#L1217
When stepping through this with a debugger I noticed that refIdxCol was -51.
Test file: test.zip
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22170
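The report above boils down to a reference index read from the bitstream (refIdxCol, here -51) being used to index a reference picture list without a range check, so the lookup reads before the start of the array. The following is an added illustration of that bug class and of the check that prevents it; it is not libde265's code, and the types `ref_pic_list_t`, `ref_pic_t` and the functions `collocated_poc_unchecked`, `collocated_poc_checked` and `checked_poc_or` are simplified, hypothetical names chosen for the example. The sample list is constructed inline.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified model of a reference picture list.
   These are not libde265's real types or field names. */
#define MAX_REF_PICS 16

typedef struct {
    int poc; /* picture order count of the reference picture */
} ref_pic_t;

typedef struct {
    ref_pic_t pics[MAX_REF_PICS];
    int num_active; /* number of valid entries in pics[] */
} ref_pic_list_t;

/* Unchecked lookup, shown for contrast only: a refIdx taken from the
   bitstream (possibly negative, as the -51 in the report) is used directly
   as an array index, so an out-of-range value reads outside pics[].
   Never called in the tests below. */
int collocated_poc_unchecked(const ref_pic_list_t *list, int refIdx) {
    return list->pics[refIdx].poc;
}

/* Checked lookup: rejects any index outside [0, num_active) before
   indexing. Returns false and leaves *poc untouched on a bad index, which a
   decoder should treat as a corrupt stream rather than continue decoding. */
bool collocated_poc_checked(const ref_pic_list_t *list, int refIdx, int *poc) {
    if (list == NULL || poc == NULL) return false;
    if (refIdx < 0 || refIdx >= list->num_active) return false;
    *poc = list->pics[refIdx].poc;
    return true;
}

/* Constructed sample list with three active reference pictures. */
ref_pic_list_t make_sample_list(void) {
    ref_pic_list_t list = {0};
    list.pics[0].poc = 8;
    list.pics[1].poc = 16;
    list.pics[2].poc = 24;
    list.num_active = 3;
    return list;
}

/* Convenience wrapper over the sample list: returns the POC for a valid
   refIdx, or `fallback` when the checked lookup rejects the index. */
int checked_poc_or(int refIdx, int fallback) {
    ref_pic_list_t list = make_sample_list();
    int poc;
    if (!collocated_poc_checked(&list, refIdx, &poc)) return fallback;
    return poc;
}

int main(void) {
    /* The value from the report, -51, is rejected instead of read. */
    printf("refIdx -51 -> %d\n", checked_poc_or(-51, -1));
    printf("refIdx   1 -> %d\n", checked_poc_or(1, -1));
    printf("refIdx   3 -> %d\n", checked_poc_or(3, -1));
    return 0;
}
```

The check is deliberately on `num_active`, not on the array capacity: an index that is inside the storage but past the last entry actually filled for this picture is still stale data, and a fuzzer will find it just as readily as a negative one.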
We have a similar case in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31520 with a new note:
This crash occurs very frequently on linux platform and is likely preventing the fuzzer kimgio_heif_fuzzer from making much progress. Fixing this will allow more bugs to be found.
I was not able to reproduce this issue. I tried with old versions back to v1.0.8 and on old Ubuntu 16.04. h265 stream extracted from test.heic: issue320.zip
Please check whether the issue is still present as I have fixed several issues that appear related.
One more comment about the testfile oss-fuzz_31520.zip from https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31520
When I tried to convert the clusterfuzz-testcase-kimgio_heif_fuzzer-5318344388509696.heic using heif-convert to PNG, decoding ended with an error.
However, when I ran the same command via valgrind, the conversion was successful and I got the following image as output:
After re-building of libde265 and libheif from git, the behavior seems to be identical - error when running natively and same error when running under valgrind.
So I believe the nondeterministic issue is likely fixed. Maybe that was why the case was not always reproducible.