strukturag/libde265

Segmentation fault in derive_spatial_luma_vector_prediction

Closed this issue · 2 comments

Hello,

I am able to reproduce the crash with:
Segmentation_fault.zip

running:
heif-convert clusterfuzz-testcase-minimized-kimgio_heif_fuzzer-4987055163179008.heic output3.png

#0  0x00007ffff73ba579 in derive_spatial_luma_vector_prediction (ctx=ctx@entry=0x55555557ce10, img=img@entry=0x5555555865b0, shdr=shdr@entry=0x555555586020, xC=xC@entry=72, yC=yC@entry=120, nCS=nCS@entry=8,
    xP=72, yP=120, nPbW=4, nPbH=8, X=0, refIdxLX=0, partIdx=0, out_availableFlagLXN=0x7fffffff8286 "\001", out_mvLXN=0x7fffffff827e) at motion.cc:1739
#1  0x00007ffff73babfa in fill_luma_motion_vector_predictors (ctx=ctx@entry=0x55555557ce10, shdr=shdr@entry=0x555555586020, img=img@entry=0x5555555865b0, xC=xC@entry=72, yC=yC@entry=120, nCS=nCS@entry=8, xP=72,
    yP=120, nPbW=4, nPbH=8, l=0, refIdx=0, partIdx=0, out_mvpList=0x7fffffff8310) at motion.cc:1905
#2  0x00007ffff73bad85 in luma_motion_vector_prediction (ctx=ctx@entry=0x55555557ce10, shdr=shdr@entry=0x555555586020, img=img@entry=0x5555555865b0, motion=..., xC=xC@entry=72, yC=yC@entry=120, nCS=8, xP=72,
    yP=120, nPbW=4, nPbH=8, l=0, refIdx=0, partIdx=0) at motion.cc:1978
#3  0x00007ffff73bb011 in motion_vectors_and_ref_indices (ctx=ctx@entry=0x55555557ce10, shdr=shdr@entry=0x555555586020, img=img@entry=0x5555555865b0, motion=..., xC=xC@entry=72, yC=yC@entry=120, xB=0, yB=0,
    nCS=8, nPbW=4, nPbH=8, partIdx=0, out_vi=0x7fffffff847c) at motion.cc:2062
#4  0x00007ffff73bc23d in decode_prediction_unit (ctx=0x55555557ce10, shdr=0x555555586020, img=0x5555555865b0, motion=..., xC=xC@entry=72, yC=yC@entry=120, xB=0, yB=0, nCS=8, nPbW=4, nPbH=8, partIdx=0)
    at motion.cc:2102
#5  0x00007ffff73ca435 in read_prediction_unit (tctx=tctx@entry=0x7fffffff8840, xC=xC@entry=72, yC=yC@entry=120, xB=xB@entry=0, yB=yB@entry=0, nPbW=nPbW@entry=4, nPbH=8, ctDepth=3, nCS=8, partIdx=0)
    at slice.cc:4136
#6  0x00007ffff73cb74b in read_coding_unit (tctx=tctx@entry=0x7fffffff8840, x0=x0@entry=72, y0=y0@entry=120, log2CbSize=log2CbSize@entry=3, ctDepth=ctDepth@entry=3) at slice.cc:4504
#7  0x00007ffff73cbc79 in read_coding_quadtree (tctx=0x7fffffff8840, x0=72, y0=120, log2CbSize=3, ctDepth=3) at slice.cc:4652
#8  0x00007ffff73cbbaa in read_coding_quadtree (tctx=0x7fffffff8840, x0=64, y0=112, log2CbSize=4, ctDepth=2) at slice.cc:4645
#9  0x00007ffff73cbbf6 in read_coding_quadtree (tctx=0x7fffffff8840, x0=64, y0=96, log2CbSize=5, ctDepth=1) at slice.cc:4641
#10 0x00007ffff73cbbf6 in read_coding_quadtree (tctx=tctx@entry=0x7fffffff8840, x0=x0@entry=64, y0=y0@entry=64, log2CbSize=6, ctDepth=ctDepth@entry=0) at slice.cc:4641
#11 0x00007ffff73cbd6a in read_coding_tree_unit (tctx=tctx@entry=0x7fffffff8840) at slice.cc:2861
#12 0x00007ffff73cc073 in decode_substream (tctx=tctx@entry=0x7fffffff8840, block_wpp=block_wpp@entry=false, first_independent_substream=first_independent_substream@entry=true) at slice.cc:4741
#13 0x00007ffff73cc460 in read_slice_segment_data (tctx=tctx@entry=0x7fffffff8840) at slice.cc:5054
#14 0x00007ffff73a78d8 in decoder_context::decode_slice_unit_sequential (this=this@entry=0x55555557ce10, imgunit=imgunit@entry=0x5555555a6f80, sliceunit=sliceunit@entry=0x5555555a7230) at decctx.cc:852
#15 0x00007ffff73a8a73 in decoder_context::decode_slice_unit_parallel (this=this@entry=0x55555557ce10, imgunit=imgunit@entry=0x5555555a6f80, sliceunit=sliceunit@entry=0x5555555a7230) at decctx.cc:954
#16 0x00007ffff73a8b8c in decoder_context::decode_some (this=this@entry=0x55555557ce10, did_work=did_work@entry=0x7fffffffd210) at decctx.cc:739
#17 0x00007ffff73ab1a1 in decoder_context::read_slice_NAL (this=this@entry=0x55555557ce10, reader=..., nal=nal@entry=0x55555557ea60, nal_hdr=...) at decctx.cc:697
#18 0x00007ffff73ab2cd in decoder_context::decode_NAL (this=this@entry=0x55555557ce10, nal=0x55555557ea60) at decctx.cc:1239
#19 0x00007ffff73ab5fe in decoder_context::decode (this=0x55555557ce10, more=0x7fffffffd334) at decctx.cc:1327
#20 0x00007ffff739ff44 in de265_decode (de265ctx=<optimized out>, more=<optimized out>) at de265.cc:352
#21 0x00007ffff7f760b3 in libde265_v1_decode_image (decoder_raw=0x55555557bd60, out_img=0x7fffffffd3f0) at plugins/heif_decoder_libde265.cc:324
#22 0x00007ffff7f53e27 in heif::HeifContext::decode_image_planar (this=0x5555555780f0, ID=<optimized out>, img=std::shared_ptr<heif::HeifPixelImage> (empty) = {...},
    out_colorspace=out_colorspace@entry=heif_colorspace_RGB, options=options@entry=0x55555557bea0, alphaImage=false) at heif_context.cc:1181
#23 0x00007ffff7f550b3 in heif::HeifContext::decode_image_user (this=<optimized out>, ID=<optimized out>, img=std::shared_ptr<heif::HeifPixelImage> (empty) = {...}, out_colorspace=heif_colorspace_RGB,
    out_chroma=heif_chroma_interleaved_RRGGBB_BE, options=0x55555557bea0) at heif_context.cc:1088
#24 0x00007ffff7f42d8e in heif_decode_image (in_handle=0x55555557bf40, out_img=0x7fffffffd868, colorspace=<optimized out>, chroma=<optimized out>, options=<optimized out>) at heif.cc:946
#25 0x0000555555559644 in main (argc=<optimized out>, argv=<optimized out>) at heif_convert.cc:329

Might be fixed in 9737c3e, please retry.