Closed JieyongMa closed 1 year ago
I have the same issue using
heif-convert clusterfuzz-testcase-minimized-kimgio_heif_fuzzer-5139692086755328.heic output.png
Testfile: segmentation_fault.zip
#0 ff_hevc_put_unweighted_pred_8_sse (_dst=<optimized out>, dststride=0, src=0x7ffffffefe90, srcstride=8, width=8, height=8) at sse-motion.cc:132
#1 0x00007ffff73bc007 in acceleration_functions::put_unweighted_pred (this=this@entry=0x55555557d7f0, _dst=_dst@entry=0x0, dststride=dststride@entry=0, src=src@entry=0x7ffffffefe90, srcstride=srcstride@entry=8, width=width@entry=8, height=8,
bit_depth=8) at ../libde265/acceleration.h:260
#2 0x00007ffff73bb73c in generate_inter_prediction_samples (ctx=ctx@entry=0x55555557d740, shdr=shdr@entry=0x555555587b50, img=img@entry=0x5555555880e0, xC=xC@entry=0, yC=yC@entry=0, xB=xB@entry=0, yB=0, nCS=8, nPbW=8, nPbH=8, vi=0x7fffffff7f2c)
at motion.cc:611
#3 0x00007ffff73bbf48 in decode_prediction_unit (ctx=0x55555557d740, shdr=0x555555587b50, img=0x5555555880e0, motion=..., xC=xC@entry=0, yC=yC@entry=0, xB=0, yB=0, nCS=8, nPbW=8, nPbH=8, partIdx=0) at motion.cc:2155
#4 0x00007ffff73c9292 in read_coding_unit (tctx=tctx@entry=0x7fffffff82a0, x0=x0@entry=0, y0=y0@entry=0, log2CbSize=log2CbSize@entry=3, ctDepth=ctDepth@entry=3) at slice.cc:4314
#5 0x00007ffff73c9d8e in read_coding_quadtree (tctx=0x7fffffff82a0, x0=0, y0=0, log2CbSize=3, ctDepth=3) at slice.cc:4652
#6 0x00007ffff73c9cd0 in read_coding_quadtree (tctx=0x7fffffff82a0, x0=0, y0=0, log2CbSize=4, ctDepth=<optimized out>) at slice.cc:4635
#7 0x00007ffff73c9cd0 in read_coding_quadtree (tctx=0x7fffffff82a0, x0=0, y0=0, log2CbSize=5, ctDepth=<optimized out>) at slice.cc:4635
#8 0x00007ffff73c9cd0 in read_coding_quadtree (tctx=tctx@entry=0x7fffffff82a0, x0=x0@entry=0, y0=y0@entry=0, log2CbSize=6, ctDepth=ctDepth@entry=0) at slice.cc:4635
#9 0x00007ffff73c9e6d in read_coding_tree_unit (tctx=tctx@entry=0x7fffffff82a0) at slice.cc:2861
#10 0x00007ffff73ca13f in decode_substream (tctx=tctx@entry=0x7fffffff82a0, block_wpp=block_wpp@entry=false, first_independent_substream=first_independent_substream@entry=true) at slice.cc:4741
#11 0x00007ffff73ca531 in read_slice_segment_data (tctx=tctx@entry=0x7fffffff82a0) at slice.cc:5054
#12 0x00007ffff73a9bd4 in decoder_context::decode_slice_unit_sequential (this=this@entry=0x55555557d740, imgunit=imgunit@entry=0x555555599030, sliceunit=sliceunit@entry=0x5555555992e0) at decctx.cc:852
#13 0x00007ffff73aa088 in decoder_context::decode_slice_unit_parallel (this=this@entry=0x55555557d740, imgunit=imgunit@entry=0x555555599030, sliceunit=sliceunit@entry=0x5555555992e0) at decctx.cc:954
#14 0x00007ffff73aa16d in decoder_context::decode_some (this=this@entry=0x55555557d740, did_work=did_work@entry=0x7fffffffcc70) at decctx.cc:739
#15 0x00007ffff73ab358 in decoder_context::read_slice_NAL (this=this@entry=0x55555557d740, reader=..., nal=nal@entry=0x55555557f3c0, nal_hdr=...) at decctx.cc:697
#16 0x00007ffff73ab491 in decoder_context::decode_NAL (this=this@entry=0x55555557d740, nal=0x55555557f3c0) at decctx.cc:1239
#17 0x00007ffff73ab711 in decoder_context::decode (this=0x55555557d740, more=0x7fffffffcd94) at decctx.cc:1327
#18 0x00007ffff73a33da in de265_decode (de265ctx=<optimized out>, more=<optimized out>) at de265.cc:362
#19 0x00007ffff7f6e3bc in libde265_v1_decode_image (decoder_raw=0x55555557b900, out_img=0x7fffffffce50) at plugins/heif_decoder_libde265.cc:325
#20 0x00007ffff7f522ce in heif::HeifContext::decode_image_planar (this=0x5555555780f0, ID=<optimized out>, img=std::shared_ptr<heif::HeifPixelImage> (empty) = {...}, out_colorspace=out_colorspace@entry=heif_colorspace_RGB,
options=options@entry=0x55555557c010, alphaImage=false) at heif_context.cc:1190
#21 0x00007ffff7f5338b in heif::HeifContext::decode_image_user (this=<optimized out>, ID=<optimized out>, img=std::shared_ptr<heif::HeifPixelImage> (empty) = {...}, out_colorspace=heif_colorspace_RGB, out_chroma=heif_chroma_interleaved_RGBA,
options=0x55555557c010) at heif_context.cc:1095
#22 0x00007ffff7f465db in heif_decode_image (in_handle=0x55555557c2b0, out_img=0x7fffffffd118, colorspace=<optimized out>, chroma=<optimized out>, options=<optimized out>) at heif.cc:950
#23 0x00005555555597ae in main (argc=<optimized out>, argv=<optimized out>) at heif_convert.cc:372
The current batch of segfaults are all monochrome h265 streams. Motion-compensation for monochrome streams was not considered in the implementation of libde265 because there were no test-streams. (And I still don't have any valid streams.)
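The monochrome case described above, as an added illustration that is not libde265's own code: a hypothetical, simplified predictor in which the number of planes to write is derived from chroma_format_idc and an absent (NULL, stride 0) plane is rejected before the sample writer is ever called. The types, function names and the constructed 8x8 sample block are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
/* Hypothetical, simplified model of a decoded picture (not libde265's
 * own types): for a monochrome stream (chroma_format_idc == 0) the two
 * chroma planes are never allocated and stay NULL with stride 0. */
typedef struct { uint8_t *data; int stride; } plane_t;
typedef struct { int chroma_format_idc; plane_t planes[3]; } picture_t;

/* 8-bit default (unweighted) sample prediction, HEVC 8.5.3.3.4.2:
 * pred = Clip3(0, 255, (src + offset1) >> shift1), shift1 = 14 - 8 = 6. */
static void put_unweighted_pred_8(uint8_t *dst, int dststride,
                                  const int16_t *src, int srcstride,
                                  int width, int height)
{
    for (int y = 0; y < height; y++)
        for (int x = 0; x < width; x++) {
            int v = (src[y * srcstride + x] + 32) >> 6;
            dst[y * dststride + x] = (uint8_t)(v < 0 ? 0 : v > 255 ? 255 : v);
        }
}

/* Write one predicted block into every plane the stream actually has
 * (chroma subsampling of x0/y0/w/h is omitted in this model). Returns the
 * number of planes written, or -1 if a plane the chroma format requires is
 * missing, so a NULL dst with stride 0 never reaches the predictor. */
int generate_prediction_block(picture_t *pic, int x0, int y0, int w, int h,
                              const int16_t *src, int srcstride)
{
    int n = pic->chroma_format_idc == 0 ? 1 : 3; /* monochrome: luma only */
    for (int cIdx = 0; cIdx < n; cIdx++) {
        plane_t *p = &pic->planes[cIdx];
        if (p->data == NULL || p->stride <= 0)
            return -1;                         /* absent plane: refuse, do not write */
        put_unweighted_pred_8(p->data + y0 * p->stride + x0, p->stride,
                              src, srcstride, w, h);
    }
    return n;
}

/* Self-check on constructed input: 8x8 intermediate samples i*64, so the
 * predicted 8-bit value must be exactly i. Only the luma plane is allocated. */
int demo(int chroma_format_idc)
{
    static uint8_t luma[64];
    static int16_t src[64];
    picture_t pic = { chroma_format_idc, { { luma, 8 }, { NULL, 0 }, { NULL, 0 } } };
    for (int i = 0; i < 64; i++) src[i] = (int16_t)(i * 64);
    int n = generate_prediction_block(&pic, 0, 0, 8, 8, src, 8);
    for (int i = 0; n > 0 && i < 64; i++) if (luma[i] != i) return -100 - i;
    return n;
}
```

demo(0) models a monochrome picture and writes the luma plane only; demo(1) models a 4:2:0 picture whose chroma planes were never allocated and is refused instead of dereferencing NULL.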
Description
NULL Pointer Dereference in function ff_hevc_put_unweighted_pred_8_sse at sse-motion.cc:132
Version
Steps to reproduce
POC
poc_segv04.bin
GDB
Impact
This vulnerability is capable of crashing software, causing a denial of service via a crafted input file.