As of dcbfa77, ./heif-convert $FILE /tmp/test.png may report a heap-use-after-free error when libheif is compiled with AddressSanitizer.
==16294==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000004a0 at pc 0x7ffff78fe3f6 bp 0x7fffffff89a0 sp 0x7fffffff8998
WRITE of size 8 at 0x6030000004a0 thread T0
#0 0x7ffff78fe3f5 in std::__shared_ptr<heif::HeifContext::Image, (__gnu_cxx::_Lock_policy)2>::operator=(std::__shared_ptr<heif::HeifContext::Image, (__gnu_cxx::_Lock_policy)2> const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/shared_ptr_base.h:1122:69
#1 0x7ffff78fb156 in std::shared_ptr<heif::HeifContext::Image>::operator=(std::shared_ptr<heif::HeifContext::Image> const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/shared_ptr.h:296:65
#2 0x7ffff792a808 in heif::HeifContext::Image::set_alpha_channel(std::shared_ptr<heif::HeifContext::Image>) /home/hongxu/FOT/libheif/libheif-asan/libheif/./heif_context.h:117:75
#3 0x7ffff790cba1 in heif::HeifContext::interpret_heif_file() /home/hongxu/FOT/libheif/libheif-asan/libheif/heif_context.cc:584:34
#4 0x7ffff7910164 in heif::HeifContext::read_from_file(char const*) /home/hongxu/FOT/libheif/libheif-asan/libheif/heif_context.cc:351:10
#5 0x7ffff78e3e46 in heif_context_read_from_file /home/hongxu/FOT/libheif/libheif-asan/libheif/heif.cc:184:29
#6 0x4f84bd in main /home/hongxu/FOT/libheif/libheif-asan/examples/heif_convert.cc:164:9
#7 0x7ffff5dd5b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#8 0x41cf49 in _start (/home/hongxu/FOT/libheif/libheif-asan/install/bin/heif-convert+0x41cf49)
0x6030000004a0 is located 16 bytes inside of 27-byte region [0x603000000490,0x6030000004ab)
freed by thread T0 here:
#0 0x4f4c12 in operator delete(void*) (/home/hongxu/FOT/libheif/libheif-asan/install/bin/heif-convert+0x4f4c12)
#1 0x7ffff790c82e in heif::HeifContext::interpret_heif_file() /home/hongxu/FOT/libheif/libheif-asan/libheif/heif_context.cc:574:15
#2 0x7ffff7910164 in heif::HeifContext::read_from_file(char const*) /home/hongxu/FOT/libheif/libheif-asan/libheif/heif_context.cc:351:10
#3 0x7ffff78e3e46 in heif_context_read_from_file /home/hongxu/FOT/libheif/libheif-asan/libheif/heif.cc:184:29
#4 0x4f84bd in main /home/hongxu/FOT/libheif/libheif-asan/examples/heif_convert.cc:164:9
#5 0x7ffff5dd5b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
previously allocated by thread T0 here:
#0 0x4f3fd2 in operator new(unsigned long) (/home/hongxu/FOT/libheif/libheif-asan/install/bin/heif-convert+0x4f3fd2)
#1 0x7ffff6c8e26c in void std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct<char*>(char*, char*, std::forward_iterator_tag) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x12726c)
#2 0x60600000031f (<unknown module>)
LLVMSymbolizer: error reading file: No such file or directory
#3 0x7fffffff929f ([stack]+0x1d29f)
SUMMARY: AddressSanitizer: heap-use-after-free /usr/bin/../lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/shared_ptr_base.h:1122:69 in std::__shared_ptr<heif::HeifContext::Image, (__gnu_cxx::_Lock_policy)2>::operator=(std::__shared_ptr<heif::HeifContext::Image, (__gnu_cxx::_Lock_policy)2> const&)
Shadow bytes around the buggy address:
0x0c067fff8040: 00 fa fa fa fd fd fd fd fa fa 00 00 00 01 fa fa
0x0c067fff8050: 00 00 00 fa fa fa fd fd fd fd fa fa 00 00 00 fa
0x0c067fff8060: fa fa 00 00 00 fa fa fa 00 00 00 07 fa fa fd fd
0x0c067fff8070: fd fd fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
0x0c067fff8080: fd fd fd fd fa fa 00 00 00 00 fa fa fd fd fd fa
=>0x0c067fff8090: fa fa fd fd[fd]fd fa fa fd fd fd fd fa fa fa fa
0x0c067fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==16294==ABORTING
Zipped POCs: libheif.zip