strukturag/libde265

Segmentation fault in apply_sao_internal<unsigned short> when decoding image multiple times

Closed this issue · 2 comments

Hello,

I have a weird case.

This file does not crash heif-convert, and it also doesn't crash my code when I attempt to decode it only once:
Segmentation_fault_apply_sao_internal.zip

However when I try to run my code in a loop (decoding the same input again and again), I get a crash sooner or later.
When I run my program natively, it crashes during the 2nd iteration. When I run the same binary with valgrind, only the 17th iteration crashed.

#0  0x00007ffff635b07d in apply_sao_internal<unsigned short> (img=<optimized out>, xCtb=<optimized out>, yCtb=<optimized out>, shdr=<optimized out>, cIdx=2, nSW=<optimized out>, nSH=<optimized out>, in_img=0x5555555bdf00, in_stride=144, 
    out_img=0x5555555e5d20, out_stride=144) at sao.cc:252
#1  0x00007ffff635bdfb in apply_sao<unsigned char> (img=<optimized out>, xCtb=xCtb@entry=4, yCtb=<optimized out>, shdr=shdr@entry=0x5555555f8280, cIdx=cIdx@entry=2, nSW=nSW@entry=32, nSH=32, 
    in_img=0x5555555bdf00 "\213\003\260\003\352\003\017\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\006\004\377\003\366\003\366\003\366\003\366\003\366\003\366\003\355\003\346\003\335\003\335\003\335\003\335\003\335\003\335\003\335\003\335\003\335\003\335\003\335\003\335\003\335\003\335\003\335\003\335\003\335\003\335\003\335\003a\003a\003a\003W\003O\003C\003A\003=\003\070\003\062\003+\003$\003\035\003\026\003\017\003\t\003\004\003", in_stride=144, 
    out_img=0x5555555e5d20 "\213\003\260\003\352\003\v\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\017\004\v\004\006\004\377\003\367\003\366\003\366\003\366\003\366\003\366\003\355\003\346\003\336\003\335\003\335\003\335\003\335\003\335\003\335\003\335\003\335\003\335\003\335\003\335\003\335\003\335\003\335\003\335\003\335\003\335\003\335\003b\003a\003a\003W\003O\003C\003A\003=\003\070\003\062\003+\003$\003\035\003\026\003\017\003\t\003\004\003", out_stride=144) at sao.cc:270
#2  0x00007ffff635a057 in thread_task_sao::work (this=0x555555599230) at sao.cc:457
#3  0x00007ffff6369255 in worker_thread (pool_ptr=0x555555595bf8) at threads.cc:233
#4  0x00007ffff6eaf37a in start_thread () from /lib64/libc.so.6
#5  0x00007ffff6f3022c in clone3 () from /lib64/libc.so.6
==12569== Conditional jump or move depends on uninitialised value(s)
==12569==    at 0x904304D: void edge_filtering_luma_internal<unsigned char>(de265_image*, bool, int, int, int, int) (deblock.cc:622)
==12569==    by 0x9040E63: edge_filtering_luma(de265_image*, bool, int, int, int, int) (deblock.cc:714)
==12569==    by 0x90410FD: thread_task_deblock_CTBRow::work() (deblock.cc:980)
==12569==    by 0x9070254: worker_thread(void*) (threads.cc:233)
==12569==    by 0x5788379: start_thread (in /lib64/libc.so.6)
==12569==    by 0x580833F: clone (in /lib64/libc.so.6)
==12569== 
libheif error: Decoder plugin generated an error: Unspecified
Failed to read image!
Iteration 1
libheif error: Decoder plugin generated an error: Unspecified
Failed to read image!
Iteration 2
libheif error: Decoder plugin generated an error: Unspecified
Failed to read image!
Iteration 3
libheif error: Decoder plugin generated an error: Unspecified
Failed to read image!
Iteration 4
libheif error: Decoder plugin generated an error: Unspecified
Failed to read image!
Iteration 5
libheif error: Decoder plugin generated an error: Unspecified
Failed to read image!
Iteration 6
libheif error: Decoder plugin generated an error: Unspecified
Failed to read image!
Iteration 7
libheif error: Decoder plugin generated an error: Unspecified
Failed to read image!
Iteration 8
libheif error: Decoder plugin generated an error: Unspecified
Failed to read image!
Iteration 9
libheif error: Decoder plugin generated an error: Unspecified
Failed to read image!
Iteration 10
libheif error: Decoder plugin generated an error: Unspecified
Failed to read image!
Iteration 11
libheif error: Decoder plugin generated an error: Unspecified
Failed to read image!
Iteration 12
libheif error: Decoder plugin generated an error: Unspecified
Failed to read image!
Iteration 13
libheif error: Decoder plugin generated an error: Unspecified
Failed to read image!
Iteration 14
libheif error: Decoder plugin generated an error: Unspecified
Failed to read image!
Iteration 15
libheif error: Decoder plugin generated an error: Unspecified
Failed to read image!
Iteration 16
==12569== Conditional jump or move depends on uninitialised value(s)
==12569==    at 0x906206E: void apply_sao_internal<unsigned short>(de265_image*, int, int, slice_segment_header const*, int, int, int, unsigned short const*, int, unsigned short*, int) (sao.cc:251)
==12569==    by 0x9062DFA: void apply_sao<unsigned char>(de265_image*, int, int, slice_segment_header const*, int, int, int, unsigned char const*, int, unsigned char*, int) (sao.cc:270)
==12569==    by 0x9061015: thread_task_sao::work() (sao.cc:453)
==12569==    by 0x9070254: worker_thread(void*) (threads.cc:233)
==12569==    by 0x5788379: start_thread (in /lib64/libc.so.6)
==12569==    by 0x580833F: clone (in /lib64/libc.so.6)
==12569== 
==12569== Invalid read of size 1
==12569==    at 0x906207D: void apply_sao_internal<unsigned short>(de265_image*, int, int, slice_segment_header const*, int, int, int, unsigned short const*, int, unsigned short*, int) (sao.cc:252)
==12569==    by 0x9062DFA: void apply_sao<unsigned char>(de265_image*, int, int, slice_segment_header const*, int, int, int, unsigned char const*, int, unsigned char*, int) (sao.cc:270)
==12569==    by 0x9061015: thread_task_sao::work() (sao.cc:453)
==12569==    by 0x9070254: worker_thread(void*) (threads.cc:233)
==12569==    by 0x5788379: start_thread (in /lib64/libc.so.6)
==12569==    by 0x580833F: clone (in /lib64/libc.so.6)
==12569==  Address 0x124d30cc is not stack'd, malloc'd or (recently) free'd

Please try again. I fixed an issue in the SAO function in ad29169 and 677342a. This might be related.

Thanks, the fuzzer issue was closed automatically:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50858#c4