Description
GraphicsMagick oss-fuzz issue 480200610 is about a reachable assertion, which appears to be in libheif.
Strangely, there are two different stack traces:
/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_graphicsmagick_364babd4f1406e0e2b68256230a27a3911dd0072/revisions/coder_HEIF_fuzzer: Running 1 inputs 100 time(s) each.
Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-c482a50fb01573f4462219b35fb284b6511a6227
coder_HEIF_fuzzer: /src/libheif/libheif/plugins/decoder_openh264.cc:272: heif_error openh264_decode_next_image2(void *, heif_image **, uintptr_t *, const heif_security_limits *): Assertion `size > 0' failed.
coder_HEIF_fuzzer: abort due to signal 6 (SIGABRT) "Abort"...
and (previously)
coder_HEIF_fuzzer: /src/libheif/libheif/plugins/decoder_openh264.cc:272: heif_error openh264_decode_next_image2(void *, heif_image **, uintptr_t *, const heif_security_limits *): Assertion `size > 0' failed.
AddressSanitizer:DEADLYSIGNAL
==1015==ERROR: AddressSanitizer: ABRT on unknown address 0x0539000003f7 (pc 0x7f254db5800b bp 0x7f254dccd588 sp 0x7ffc32057290 T0)
#0 0x7f254db5800b in raise /build/glibc-B3wQXB/glibc-2.31/sysdeps/unix/sysv/linux/raise.c:51:1
#1 0x7f254db37858 in abort /build/glibc-B3wQXB/glibc-2.31/stdlib/abort.c:79:7
#2 0x7f254db37728 in __assert_fail_base /build/glibc-B3wQXB/glibc-2.31/assert/assert.c:94:3
#3 0x7f254db48fd5 in __assert_fail /build/glibc-B3wQXB/glibc-2.31/assert/assert.c:103:3
#4 0x5565ee67338b in openh264_decode_next_image2(void*, heif_image**, unsigned long*, heif_security_limits const*) libheif/libheif/plugins/decoder_openh264.cc:272:7
#5 0x5565ee5b7323 in Decoder::get_decoded_frame(heif_decoding_options const&, unsigned long*, heif_security_limits const*) libheif/libheif/codecs/decoder.cc:401:11
#6 0x5565ee5b80fb in Decoder::decode_single_frame_from_compressed_data(heif_decoding_options const&, heif_security_limits const*) libheif/libheif/codecs/decoder.cc:452:17
#7 0x5565ee2d758f in ImageItem::decode_compressed_image(heif_decoding_options const&, bool, unsigned int, unsigned int, std::__1::set<unsigned int, std::__1::less<unsigned int>, std::__1::allocator<unsigned int>>) const libheif/libheif/image-items/image_item.cc:955:19
#8 0x5565ee2d0b26 in ImageItem::decode_image(heif_decoding_options const&, bool, unsigned int, unsigned int, std::__1::set<unsigned int, std::__1::less<unsigned int>, std::__1::allocator<unsigned int>>) const libheif/libheif/image-items/image_item.cc:708:60
#9 0x5565ee50ff7b in HeifContext::decode_image(unsigned int, heif_colorspace, heif_chroma, heif_decoding_options const&, bool, unsigned int, unsigned int, std::__1::set<unsigned int, std::__1::less<unsigned int>, std::__1::allocator<unsigned int>>) const libheif/libheif/context.cc:1300:34
#10 0x5565ee2acc7c in heif_decode_image libheif/libheif/api/libheif/heif_decoding.cc:235:81
#11 0x5565edfd66ee in ReadHEIFImageFrame /src/graphicsmagick/coders/heif.c:1136:17
#12 0x5565edfd32d9 in ReadHEIFImage /src/graphicsmagick/coders/heif.c:1957:10
#13 0x5565edde3a26 in ReadImage /src/graphicsmagick/magick/constitute.c:1682:13
#14 0x5565edd94e54 in BlobToImage /src/graphicsmagick/magick/blob.c:785:13
#15 0x5565edd224f6 in Magick::Image::read(Magick::Blob const&) /src/graphicsmagick/Magick++/lib/Image.cpp:1592:5
#16 0x5565edd16432 in LLVMFuzzerTestOneInput /src/graphicsmagick/fuzzing/coder_fuzzer.cc:24:11
#17 0x5565edbb37fd in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:619:13
#18 0x5565edb9e572 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:329:6
#19 0x5565edba4440 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:865:9
#20 0x5565edbcff72 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#21 0x7f254db39082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/libc-start.c:308:16
#22 0x5565edb9765d in _start
I am attaching the two test cases which were provided:
clusterfuzz-testcase-minimized-coder_HEIF_fuzzer-5635644673294336.mp4.gz
clusterfuzz-testcase-coder_HEIF_fuzzer-5635644673294336.mp4.gz
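The failure mode behind this report, shown as an added C example that is not libheif's, openh264's or GraphicsMagick's code: a decoder that derives a frame size from the input and guards it with `assert(size > 0)` turns any file carrying a zero length into a process abort (SIGABRT, which is what the fuzzer reports as a reachable assertion), whereas returning an error status lets the caller reject the frame and continue. The container layout (a 4-byte big-endian length plus payload), the `dec_status` enum, the function names and the sample inputs are all constructed for this example and say nothing about how libheif actually lays out or checks its frames.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical status type standing in for a library error value (assumption). */
typedef enum {
    DEC_OK = 0,
    DEC_ERR_TRUNCATED,   /* fewer than 4 header bytes */
    DEC_ERR_EMPTY_FRAME, /* length field is zero: was assert(size > 0) */
    DEC_ERR_TOO_LARGE    /* length exceeds the buffer or the output capacity */
} dec_status;

/* Toy container (constructed): 4-byte big-endian length, then that many payload bytes. */
static int read_be32(const uint8_t *p, size_t avail, uint32_t *out) {
    if (avail < 4) return 0;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    return 1;
}

/* "Before": the size is attacker-controlled, but a zero is treated as a
 * programming error. A file whose length field is 0 ends the whole process
 * with SIGABRT instead of producing an error the caller can handle. */
void decode_frame_asserting(const uint8_t *buf, size_t len, uint8_t *dst, size_t dst_cap) {
    uint32_t size = 0;
    if (!read_be32(buf, len, &size)) return;
    assert(size > 0);                        /* reachable from untrusted input */
    if (size <= len - 4 && size <= dst_cap) memcpy(dst, buf + 4, size);
}

/* "After": every property of the untrusted size is a checked condition that
 * maps to a status value; nothing in the input can reach an abort. */
dec_status decode_frame_checked(const uint8_t *buf, size_t len,
                                uint8_t *dst, size_t dst_cap, size_t *out_size) {
    uint32_t size = 0;
    if (!read_be32(buf, len, &size)) return DEC_ERR_TRUNCATED;
    if (size == 0) return DEC_ERR_EMPTY_FRAME;           /* replaces assert(size > 0) */
    if (size > len - 4 || size > dst_cap) return DEC_ERR_TOO_LARGE;
    memcpy(dst, buf + 4, size);
    *out_size = size;
    return DEC_OK;
}

/* Decodes one sample into a scratch buffer and reports only the status. */
dec_status decode_sample(const uint8_t *buf, size_t len) {
    uint8_t out[64];
    size_t n = 0;
    return decode_frame_checked(buf, len, out, sizeof out, &n);
}

/* Harness-style entry point (hypothetical, modelled on a libFuzzer target):
 * a malformed frame is an error return, so the harness always returns 0. */
int harness_one_input(const uint8_t *data, size_t size) {
    (void)decode_sample(data, size);
    return 0;
}

/* Constructed inputs: a valid 3-byte frame, a zero-length frame (the case
 * that trips the assertion), a truncated header, and an oversized length. */
const uint8_t SAMPLE_OK[]    = {0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c'};
const uint8_t SAMPLE_ZERO[]  = {0x00, 0x00, 0x00, 0x00};
const uint8_t SAMPLE_TRUNC[] = {0x00, 0x00};
const uint8_t SAMPLE_OVER[]  = {0x00, 0x00, 0x00, 0x09, 'a'};

int main(void) {
    static const char *names[] = {"DEC_OK", "DEC_ERR_TRUNCATED", "DEC_ERR_EMPTY_FRAME", "DEC_ERR_TOO_LARGE"};
    printf("ok:    %s\n", names[decode_sample(SAMPLE_OK, sizeof SAMPLE_OK)]);
    printf("zero:  %s\n", names[decode_sample(SAMPLE_ZERO, sizeof SAMPLE_ZERO)]);
    printf("trunc: %s\n", names[decode_sample(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC)]);
    printf("over:  %s\n", names[decode_sample(SAMPLE_OVER, sizeof SAMPLE_OVER)]);
    /* decode_frame_asserting(SAMPLE_ZERO, ...) would abort the process here. */
    return 0;
}
```

The point for triage is that an assertion on a value derived from file contents is a denial-of-service bug in any process that loads untrusted images, not just a fuzzer artefact; the fix is to route the condition through the library's normal error path, as `decode_frame_checked` does for the constructed format above.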