
heifsave: fix crash when passing an invalid bitdepth #4110

Merged

kleisauke
Member

Reproducer:

$ vips copy test/test-suite/images/favicon.ico x.avif[bitdepth=1]
Segmentation fault (core dumped)

Targets the 8.15 branch.

@@ -426,10 +426,10 @@ vips_foreign_save_heif_pack(VipsForeignSaveHeif *heif,
}
}
else {
VipsObjectClass *class = VIPS_OBJECT_CLASS(heif);
VipsObjectClass *class = VIPS_OBJECT_GET_CLASS(heif);
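Review bot: no test accompanies the fix to the else branch at the end of this hunk, so the same mistake could return unnoticed. `VIPS_OBJECT_CLASS()` casts a pointer that is already a class struct, while `heif` here is an instance, so the class has to be fetched with `VIPS_OBJECT_GET_CLASS(heif)`, as the replacement line does. Suggest adding a test that runs the `bitdepth=1` reproducer and expects an error instead of a segfault, and checking the other savers for the same `VIPS_OBJECT_CLASS(<instance>)` pattern.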
Member

🤦

@jcupitt jcupitt merged commit 26b2938 into libvips:8.15 Aug 24, 2024
6 checks passed
@kleisauke kleisauke deleted the 8.15-heifsave-fix-invalid-bitdepth-crash branch August 24, 2024 13:55
@kleisauke
Member Author

Hmm, it looks like bitdepth=9 could also crash:

$ vips copy test/test-suite/images/favicon.ico x.avif[bitdepth=9]
Segmentation fault (core dumped)

But that seems to be happening somewhere in libaom.

Details
AddressSanitizer:DEADLYSIGNAL
=================================================================
==9==ERROR: AddressSanitizer: SEGV on unknown address 0x29900000ec50 (pc 0x55b42b87b79b bp 0x7fc35a9fe3d0 sp 0x7fc35a9fe370 T2)
==9==The signal is caused by a READ memory access.
SCARINESS: 20 (wild-addr-read)
    #0 0x55b42b87b79b in variance /src/aom/aom_dsp/variance.c:48:24
    #1 0x55b42b87b79b in aom_variance8x8_c /src/aom/aom_dsp/variance.c:248:1
    #2 0x55b42b34b03a in av1_get_perpixel_variance /src/aom/av1/encoder/encodeframe.c:195:28
    #3 0x55b42b34b03a in av1_get_perpixel_variance_facade /src/aom/av1/encoder/encodeframe.c:205:10
    #4 0x55b42b3fa7c3 in av1_set_mb_ssim_rdmult_scaling /src/aom/av1/encoder/encoder_utils.c:1366:18
    #5 0x55b42b3bf1aa in encode_frame_to_data_rate /src/aom/av1/encoder/encoder.c:3775:5
    #6 0x55b42b3bf1aa in av1_encode /src/aom/av1/encoder/encoder.c:4049:9
    #7 0x55b42bd00a7c in denoise_and_encode /src/aom/av1/encoder/encode_strategy.c:903:7
    #8 0x55b42bd00a7c in av1_encode_strategy /src/aom/av1/encoder/encode_strategy.c:1683:14
    #9 0x55b42b3c9900 in av1_get_compressed_data /src/aom/av1/encoder/encoder.c:4771:22
    #10 0x55b42b2d02fe in encoder_encode /src/aom/av1/av1_cx_iface.c:3389:20
    #11 0x55b42b228267 in aom_codec_encode /src/aom/aom/src/aom_encoder.c:191:11
    #12 0x55b42b1b4cd1 in aom_encode_image(void*, heif_image const*, heif_image_input_class) /src/libheif/libheif/plugins/encoder_aom.cc:1031:9
    #13 0x55b42b174e89 in ImageItem_AVIF::encode(std::__1::shared_ptr<HeifPixelImage> const&, heif_encoder*, heif_encoding_options const&, heif_image_input_class) /src/libheif/libheif/codecs/avif.cc:580:27
    #14 0x55b42af823a3 in ImageItem::encode_to_bitstream_and_boxes(std::__1::shared_ptr<HeifPixelImage> const&, heif_encoder*, heif_encoding_options const&, heif_image_input_class) /src/libheif/libheif/codecs/image_item.cc:187:52
    #15 0x55b42af885b8 in ImageItem::encode_to_item(HeifContext*, std::__1::shared_ptr<HeifPixelImage> const&, heif_encoder*, heif_encoding_options const&, heif_image_input_class) /src/libheif/libheif/codecs/image_item.cc:333:41
    #16 0x55b42b0e2548 in HeifContext::encode_image(std::__1::shared_ptr<HeifPixelImage> const&, heif_encoder*, heif_encoding_options const&, heif_image_input_class, std::__1::shared_ptr<ImageItem>&) /src/libheif/libheif/context.cc:1081:27
    #17 0x55b42af5ce54 in heif_context_encode_image /src/libheif/libheif/api/libheif/heif.cc:3258:25
    #18 0x55b42a2e9288 in vips_foreign_save_heif_write_page /src/libvips/build/../libvips/foreign/heifsave.c:321:11
    #19 0x55b42a2e9288 in vips_foreign_save_heif_write_block /src/libvips/build/../libvips/foreign/heifsave.c:476:8
    #20 0x55b42a1c6b49 in wbuffer_write /src/libvips/build/../libvips/iofuncs/sinkdisc.c:174:25
    #21 0x55b42a1c6b49 in wbuffer_write_thread /src/libvips/build/../libvips/iofuncs/sinkdisc.c:199:3
    #22 0x55b42a596533 in vips_threadset_work /src/libvips/build/../libvips/iofuncs/threadset.c:134:3
    #23 0x55b42a1ac350 in vips_thread_run /src/libvips/build/../libvips/iofuncs/thread.c:148:11
    #24 0x55b42a5c4540 in g_thread_proxy (/out/generic_buffer_with_args_fuzzer+0xbe3540)
    #25 0x55b42a16a628 in asan_thread_start(void*) /src/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:234:28
    #26 0x7fc35fb01608 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8608) (BuildId: 9a65bb469e45a1c6fbcffae5b82a2fd7a69eb479)
    #27 0x7fc35f52d352 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f352) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)

DEDUP_TOKEN: variance--aom_variance8x8_c--av1_get_perpixel_variance
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/aom/aom_dsp/variance.c:48:24 in variance
Thread T2 (libvips worker) created by T0 here:
    #0 0x55b42a15244f in pthread_create /src/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:245:3
    #1 0x55b42a5e1bea in g_system_thread_new (/out/generic_buffer_with_args_fuzzer+0xc00bea)

DEDUP_TOKEN: ___interceptor_pthread_create--g_system_thread_new
==9==ABORTING
