strukturag / libheif

libheif is an HEIF and AVIF file format decoder and encoder.

OSS-Fuzz status #624

Open jvoisin opened 2 years ago

jvoisin commented 2 years ago

There are currently a lot of open issues (reproducible crashes) in the OSS-Fuzz bugtracker regarding libheif.

What would be the best way to get them addressed?

novomesk commented 2 years ago

We have similar reports in kimageformats project: https://bugs.chromium.org/p/oss-fuzz/issues/list?q=summary%3Akimageformats%3Akimgio_heif_fuzzer&can=2

farindk commented 2 years ago

I have fixed a couple of the more important issues.

The 'undefined shift' and 'overflow' operations come from the CABAC decoder. If libde265 checked this for each input bit read, it would heavily hurt performance. On the other hand, I see no real negative consequence of this. It's a tradeoff between performance and detecting invalid input.

pames commented 2 years ago

Thank you for fixing some issues!

I just stumbled across this issue and wanted to highlight that the rewards program mentioned on https://sos.dev/ includes fixes for security issues that have exceeded the 90 day disclosure timeline. Filtering the OSS-Fuzz search link on sos.dev to libheif directly shows 3 in-scope issues:

https://bugs.chromium.org/p/oss-fuzz/issues/list?q=Type%3DBug-Security%20label%3ADeadline-Exceeded%20-label%3AStability-UndefinedBehaviorSanitizer%20label%3Areproducible%20label%3AProj-libheif&can=2

The program reward amounts are here: https://sos.dev/#reward-amounts

in case that's an incentive for anyone interested in contributing to the project.

novomesk commented 2 years ago

I also noticed that some of the issues were solved. However, a few new cases appeared afterwards. For example ASSERT: scaling_list_pred_matrix_id_delta==3 on this line: https://github.com/strukturag/libde265/blob/e587ef6e8000662b91c35ccb866c2374d3a40e27/libde265/sps.cc#L931

#4 0x6c7a94 in read_scaling_list(bitreader*, seq_parameter_set const*, scaling_list_data*, bool) libde265/libde265/sps.cc:931:28
#5 0x6c5a08 in seq_parameter_set::read(error_queue*, bitreader*) libde265/libde265/sps.cc:350:16
#6 0x659c06 in decoder_context::read_sps_NAL(bitreader&) libde265/libde265/decctx.cc:555:21
#7 0x663fc6 in decoder_context::decode_NAL(NAL_unit*) libde265/libde265/decctx.cc:1248:13
#8 0x664688 in decoder_context::decode(int*) libde265/libde265/decctx.cc:1327:16
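The two failure modes raised in this thread, the 'undefined shift'/'overflow' reports from bit-level decoding and the assert on scaling_list_pred_matrix_id_delta, sketched as a hardened bit reader in C. This is an added example and not libde265 or libheif code: the bitreader, read_bits, read_uvlc and parse_pred_matrix_id_delta names are mine, and the delta range limits follow my reading of the HEVC spec rather than anything in this issue.

```c
#include <stdint.h>
#include <stddef.h>
/* Added example, not libde265 code: an MSB-first bit reader that never shifts
 * by >= the operand width (undefined behaviour in C), an Exp-Golomb ue(v)
 * reader that rejects over-long codes, and a range check that errors out. */
typedef struct {
    const uint8_t *data;
    size_t len;     /* bytes available */
    size_t bitpos;  /* absolute bit position, MSB first */
} bitreader;

/* Read n (0..32) bits into *out. Returns 0, or -1 on bad n / truncated input. */
int read_bits(bitreader *br, unsigned n, uint32_t *out)
{
    if (n > 32 || br->bitpos + n > br->len * 8) return -1;
    uint32_t v = 0;
    for (unsigned i = 0; i < n; i++, br->bitpos++) {
        unsigned bit = (br->data[br->bitpos >> 3] >> (7 - (br->bitpos & 7))) & 1u;
        v = (v << 1) | bit;  /* shift by exactly 1: always defined */
    }
    *out = v;
    return 0;
}

/* Unsigned Exp-Golomb ue(v): N leading zeros, a 1, then N suffix bits. More
 * than 31 leading zeros would make a naive (1 << N) undefined, so reject it. */
int read_uvlc(bitreader *br, uint32_t *out)
{
    unsigned zeros = 0;
    uint32_t bit, suffix;
    for (;;) {
        if (read_bits(br, 1, &bit)) return -1;
        if (bit) break;
        if (++zeros > 31) return -1;  /* over-long code: invalid input, not UB */
    }
    if (read_bits(br, zeros, &suffix)) return -1;
    *out = ((1u << zeros) - 1) + suffix;  /* zeros <= 31, max value 2^32-2 */
    return 0;
}

/* Parse scaling_list_pred_matrix_id_delta (ue(v)) and range-check it against
 * the HEVC constraint as I read it (0..matrixId, or 0..matrixId/3 when
 * sizeId == 3): an out-of-range value is a decode error, not an assert. */
int parse_pred_matrix_id_delta(bitreader *br, unsigned sizeId, unsigned matrixId, uint32_t *delta)
{
    if (read_uvlc(br, delta)) return -1;
    uint32_t max_delta = (sizeId == 3) ? matrixId / 3 : matrixId;
    return (*delta > max_delta) ? -1 : 0;
}
```

Feeding the same bytes through the untrusted-input paths above returns -1 on truncated, over-long or out-of-range data, which a fuzzer treats as a clean decode failure rather than a sanitizer report.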