As of dcbfa77, ./heif-convert $FILE /tmp/test.png may report a heap-use-after-free error when libheif is compiled with AddressSanitizer.
==16294==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030000004a0 at pc 0x7ffff78fe3f6 bp 0x7fffffff89a0 sp 0x7fffffff8998
WRITE of size 8 at 0x6030000004a0 thread T0
#0 0x7ffff78fe3f5 in std::__shared_ptr<heif::HeifContext::Image, (__gnu_cxx::_Lock_policy)2>::operator=(std::__shared_ptr<heif::HeifContext::Image, (__gnu_cxx::_Lock_policy)2> const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/shared_ptr_base.h:1122:69
#1 0x7ffff78fb156 in std::shared_ptr<heif::HeifContext::Image>::operator=(std::shared_ptr<heif::HeifContext::Image> const&) /usr/bin/../lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/shared_ptr.h:296:65
#2 0x7ffff792a808 in heif::HeifContext::Image::set_alpha_channel(std::shared_ptr<heif::HeifContext::Image>) /home/hongxu/FOT/libheif/libheif-asan/libheif/./heif_context.h:117:75
#3 0x7ffff790cba1 in heif::HeifContext::interpret_heif_file() /home/hongxu/FOT/libheif/libheif-asan/libheif/heif_context.cc:584:34
#4 0x7ffff7910164 in heif::HeifContext::read_from_file(char const*) /home/hongxu/FOT/libheif/libheif-asan/libheif/heif_context.cc:351:10
#5 0x7ffff78e3e46 in heif_context_read_from_file /home/hongxu/FOT/libheif/libheif-asan/libheif/heif.cc:184:29
#6 0x4f84bd in main /home/hongxu/FOT/libheif/libheif-asan/examples/heif_convert.cc:164:9
#7 0x7ffff5dd5b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#8 0x41cf49 in _start (/home/hongxu/FOT/libheif/libheif-asan/install/bin/heif-convert+0x41cf49)
0x6030000004a0 is located 16 bytes inside of 27-byte region [0x603000000490,0x6030000004ab)
freed by thread T0 here:
#0 0x4f4c12 in operator delete(void*) (/home/hongxu/FOT/libheif/libheif-asan/install/bin/heif-convert+0x4f4c12)
#1 0x7ffff790c82e in heif::HeifContext::interpret_heif_file() /home/hongxu/FOT/libheif/libheif-asan/libheif/heif_context.cc:574:15
#2 0x7ffff7910164 in heif::HeifContext::read_from_file(char const*) /home/hongxu/FOT/libheif/libheif-asan/libheif/heif_context.cc:351:10
#3 0x7ffff78e3e46 in heif_context_read_from_file /home/hongxu/FOT/libheif/libheif-asan/libheif/heif.cc:184:29
#4 0x4f84bd in main /home/hongxu/FOT/libheif/libheif-asan/examples/heif_convert.cc:164:9
#5 0x7ffff5dd5b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
previously allocated by thread T0 here:
#0 0x4f3fd2 in operator new(unsigned long) (/home/hongxu/FOT/libheif/libheif-asan/install/bin/heif-convert+0x4f3fd2)
#1 0x7ffff6c8e26c in void std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct<char*>(char*, char*, std::forward_iterator_tag) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x12726c)
#2 0x60600000031f (<unknown module>)
LLVMSymbolizer: error reading file: No such file or directory
#3 0x7fffffff929f ([stack]+0x1d29f)
SUMMARY: AddressSanitizer: heap-use-after-free /usr/bin/../lib/gcc/x86_64-linux-gnu/7.3.0/../../../../include/c++/7.3.0/bits/shared_ptr_base.h:1122:69 in std::__shared_ptr<heif::HeifContext::Image, (__gnu_cxx::_Lock_policy)2>::operator=(std::__shared_ptr<heif::HeifContext::Image, (__gnu_cxx::_Lock_policy)2> const&)
Shadow bytes around the buggy address:
0x0c067fff8040: 00 fa fa fa fd fd fd fd fa fa 00 00 00 01 fa fa
0x0c067fff8050: 00 00 00 fa fa fa fd fd fd fd fa fa 00 00 00 fa
0x0c067fff8060: fa fa 00 00 00 fa fa fa 00 00 00 07 fa fa fd fd
0x0c067fff8070: fd fd fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
0x0c067fff8080: fd fd fd fd fa fa 00 00 00 00 fa fa fd fd fd fa
=>0x0c067fff8090: fa fa fd fd[fd]fd fa fa fd fd fd fd fa fa fa fa
0x0c067fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==16294==ABORTING
zipped POCs:
libheif.zip