SEGV in uncompressed_image_type_is_supported #1157

Open
fdu-sec opened this issue Mar 29, 2024 · 3 comments
fdu-sec commented Mar 29, 2024

Description

SEGV in uncompressed_image_type_is_supported

Version

commit ID c98a3fae1ac63cc6052e40b26733396a8598542d
➜  libheif git:(master) ✗ ./build_asan/examples/heif-info -v
1.17.6
libheif: 1.17.6
plugin path: ./libheif/build_asan/lib/libheif

Replay

git clone https://github.com/strukturag/libheif.git
cd libheif
mkdir build_asan
cd build_asan
cmake .. -DWITH_UNCOMPRESSED_CODEC=ON  -DENABLE_MULTITHREADING_SUPPORT=0 -DCMAKE_INSTALL_PREFIX=Debug -DBUILD_SHARED_LIBS=on -DCMAKE_INSTALL_PREFIX=`realpath .` 
make -j
./examples/heif-convert poc test.png

ASAN

➜  libheif git:(main) ✗ ./build_asan/examples/heif-info ./poc
MIME type: image/heif
main brand: mif1
compatible brands: mif1, heif

image: 0x10 (id=1), primary
  colorspace: YCbCr, unknown
  bit depth: -1
  color profile: no
  alpha channel: no
  depth channel: no
metadata:
  none
transformations:
  none
region annotations:
  none
properties:
ASAN:DEADLYSIGNAL
=================================================================
==1689276==ERROR: AddressSanitizer: SEGV on unknown address 0x60e00027fe08 (pc 0x7ffff70fe09a bp 0x7fffffff9d60 sp 0x7fffffff8820 T0)
==1689276==The signal is caused by a READ memory access.
    #0 0x7ffff70fe099 in uncompressed_image_type_is_supported libheif/libheif/uncompressed_image.cc:367
    #1 0x7ffff7101fda in UncompressedImageCodec::decode_uncompressed_image(std::shared_ptr<HeifFile const> const&, unsigned int, std::shared_ptr<HeifPixelImage>&, unsigned int, unsigned int, std::vector<unsigned char, std::allocator<unsigned char> > const&) libheif/libheif/uncompressed_image.cc:672
    #2 0x7ffff6fc0598 in HeifContext::decode_image_planar(unsigned int, std::shared_ptr<HeifPixelImage>&, heif_colorspace, heif_decoding_options const&, bool) const libheif/libheif/context.cc:1452
    #3 0x7ffff6fbd53c in HeifContext::decode_image_user(unsigned int, std::shared_ptr<HeifPixelImage>&, heif_colorspace, heif_chroma, heif_decoding_options const&) const libheif/libheif/context.cc:1248
    #4 0x7ffff6f80489 in heif_decode_image libheif/libheif/heif.cc:1042
    #5 0x555555563960 in main libheif/examples/heif_info.cc:645
    #6 0x7ffff6ab6082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #7 0x55555555d94d in _start (libheif/build_asan/examples/heif-info+0x994d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV libheif/libheif/uncompressed_image.cc:367 in uncompressed_image_type_is_supported
==1689276==ABORTING

PoC

poc

Environment

➜  ~ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 20.04.6 LTS
Release:	20.04
Codename:	focal

➜  ~ gcc --version
gcc (Ubuntu 7.5.0-6ubuntu2) 7.5.0
Copyright (C) 2017 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
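Added example (not part of this issue and not libheif code): a small Python triage helper that parses an AddressSanitizer report such as the one quoted above into structured fields, picks the first frame that lies inside the project's own source tree, and derives a stable crash signature so that repeated fuzzer hits of the same bug can be bucketed before they are filed. The embedded report is a copy of the trace from this issue; the project prefix `libheif/libheif/`, the signature depth and the helper names are assumptions made for the example.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the AddressSanitizer report quoted in the issue above.
SAMPLE_REPORT = """\
ASAN:DEADLYSIGNAL
=================================================================
==1689276==ERROR: AddressSanitizer: SEGV on unknown address 0x60e00027fe08 (pc 0x7ffff70fe09a bp 0x7fffffff9d60 sp 0x7fffffff8820 T0)
==1689276==The signal is caused by a READ memory access.
    #0 0x7ffff70fe099 in uncompressed_image_type_is_supported libheif/libheif/uncompressed_image.cc:367
    #1 0x7ffff7101fda in UncompressedImageCodec::decode_uncompressed_image(std::shared_ptr<HeifFile const> const&, unsigned int, std::shared_ptr<HeifPixelImage>&, unsigned int, unsigned int, std::vector<unsigned char, std::allocator<unsigned char> > const&) libheif/libheif/uncompressed_image.cc:672
    #2 0x7ffff6fc0598 in HeifContext::decode_image_planar(unsigned int, std::shared_ptr<HeifPixelImage>&, heif_colorspace, heif_decoding_options const&, bool) const libheif/libheif/context.cc:1452
    #3 0x7ffff6fbd53c in HeifContext::decode_image_user(unsigned int, std::shared_ptr<HeifPixelImage>&, heif_colorspace, heif_chroma, heif_decoding_options const&) const libheif/libheif/context.cc:1248
    #4 0x7ffff6f80489 in heif_decode_image libheif/libheif/heif.cc:1042
    #5 0x555555563960 in main libheif/examples/heif_info.cc:645
    #6 0x7ffff6ab6082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #7 0x55555555d94d in _start (libheif/build_asan/examples/heif-info+0x994d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV libheif/libheif/uncompressed_image.cc:367 in uncompressed_image_type_is_supported
==1689276==ABORTING
"""

_ERROR_RE = re.compile(
    r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[A-Za-z0-9_-]+)"
    r"(?: on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+))?"
)
# Covers both "caused by a READ memory access" (SEGV) and "READ of size N" (overflows).
_ACCESS_RE = re.compile(r"\b(?P<access>READ|WRITE)\b")
# The location is the last whitespace-free token; the function name may contain
# spaces because of C++ template arguments, hence the non-greedy group.
_FRAME_RE = re.compile(r"^\s*#(?P<idx>\d+) 0x[0-9a-fA-F]+ in (?P<func>.+?) (?P<loc>\S+)$")
_SRC_LOC_RE = re.compile(r"([^():]+):(\d+)")


@dataclass
class Frame:
    index: int
    func: str
    location: str  # "file:line" for symbolised source, "(binary+offset)" otherwise

    @property
    def source_file(self) -> Optional[str]:
        m = _SRC_LOC_RE.fullmatch(self.location)
        return m.group(1) if m else None

    @property
    def line(self) -> Optional[int]:
        m = _SRC_LOC_RE.fullmatch(self.location)
        return int(m.group(2)) if m else None

    @property
    def short_func(self) -> str:
        # Drop the C++ argument list so long template signatures hash to a readable name.
        return self.func.split("(", 1)[0]


@dataclass
class AsanReport:
    pid: int
    error_kind: str              # e.g. "SEGV", "heap-buffer-overflow"
    fault_address: Optional[str]
    access: Optional[str]        # "READ" / "WRITE" when ASan states it
    frames: List[Frame] = field(default_factory=list)


def parse_asan_report(text: str) -> AsanReport:
    """Extract the error header, access kind and the *first* stack trace only
    (later traces describe allocation sites, not the faulting access)."""
    report: Optional[AsanReport] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if report is None:
            m = _ERROR_RE.match(line)
            if m:
                report = AsanReport(int(m["pid"]), m["kind"], m["addr"], None)
            continue
        fm = _FRAME_RE.match(line)
        if fm:
            report.frames.append(Frame(int(fm["idx"]), fm["func"], fm["loc"]))
            continue
        if report.frames:
            break  # first trace finished
        if report.access is None:
            am = _ACCESS_RE.search(line)
            if am:
                report.access = am["access"]
    if report is None:
        raise ValueError("no AddressSanitizer error header found")
    return report


def first_project_frame(report: AsanReport, project_prefix: str) -> Optional[Frame]:
    """First frame whose source file sits under the project tree: the spot a
    maintainer needs, rather than libc, the sanitizer runtime or the CLI driver."""
    for f in report.frames:
        src = f.source_file
        if src is not None and src.startswith(project_prefix):
            return f
    return None


def crash_signature(report: AsanReport, project_prefix: str, depth: int = 3) -> str:
    """Stable bucket id: error kind plus the top `depth` in-project function names.
    Addresses and PIDs are excluded so identical bugs from different runs collide."""
    names = [f.short_func for f in report.frames
             if f.source_file is not None and f.source_file.startswith(project_prefix)][:depth]
    material = "|".join([report.error_kind] + names)
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def triage_line(report: AsanReport, project_prefix: str) -> str:
    frame = first_project_frame(report, project_prefix)
    where = f"{frame.short_func} ({frame.location})" if frame else "<no project frame>"
    return f"{report.error_kind} {report.access or 'unknown'} @ {where} sig={crash_signature(report, project_prefix)}"


if __name__ == "__main__":
    print(triage_line(parse_asan_report(SAMPLE_REPORT), "libheif/libheif/"))
```

The signature deliberately ignores frames outside the project prefix, so `main` in the example driver and the libc entry points do not make two reports of the same decoder bug look different; widening `depth` trades fewer false merges for more duplicate tickets.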
bradh (Contributor) commented Mar 29, 2024

Can you reproduce against the develop-v1.18.0 branch? Most of this code has been rewritten, and is awaiting merge / release.

fdu-sec (Author) commented Apr 30, 2024

I cannot reproduce it in develop-v1.18.0. Maybe it is fixed in the develop version.

bradh (Contributor) commented Apr 30, 2024

Thank you for the update.
