Summary
We found several use-of-uninitialized-memory issues while testing the encoder_heic_fuzzer fuzzing harness for ImageMagick. Upon further inspection, these issues seem to be related to an external dependency (libde265) rather than to ImageMagick itself. For this reason, we decided to report them directly here, instead of reporting them to ImageMagick. It is still possible that these errors are caused by an incorrect use of libde265; if you believe this is the case, we will report them to ImageMagick as well.
We found bugs in the following functions:
put_weighted_pred_avg_16_fallback() <libde265/fallback-motion.cc>
put_weighted_bipred_16_fallback() <libde265/fallback-motion.cc>
put_weighted_pred_16_fallback() <libde265/fallback-motion.cc>
conditional jump or move depends on uninitialized value in function derive_collocated_motion_vectors() <libde265/motion.cc>
use-of-uninitialized value in function add_residual_fallback<unsigned short>() <libde265/fallback-dct.h>
Steps to reproduce
In the following archive you will find a directory `bugs` containing the inputs that triggered the aforementioned bugs and their respective Valgrind logs, enumerated as in the list above. Additionally, you will find at this link the compiled fuzzing harness we used to perform our tests (we had to share it from outside GitHub as its size exceeds the size limit for this issue).
To reproduce the errors, a memory safety tool is required to expose the bug. Run the given binary with the testcase files inside Valgrind with a command like `valgrind ./encoder_heic_fuzzer /path_to_testcases/input`
The program has been tested on the standard Docker image provided by OSS-Fuzz using Ubuntu 20.04, with AFL++ as the fuzzing engine and the build flag `--sanitizer=none`.
The libde265 commit hash used to perform the tests is `0a9999e`, the latest at the time of testing.
The ImageMagick commit hash used to perform the tests is `6299383`.
Environment
OS: Linux
Version/Distribution: Ubuntu 20.04
Architecture: x86_64
We are aware that reporting many bugs at once may be inconvenient, and we remain available to assist you in the bug fixing process. While our knowledge of the codebase is very limited and thus prevents us from directly working on the fixes, we would be happy to provide any helpful information related to our experience with testing for memory-safety errors and to re-test the project as you work on the updates. In general, we’re happy to answer any questions on fuzz testing, sanitizers, and related matters that may help you make the project more secure.
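As an added example (not code from the issue, from libde265, or from ImageMagick), the following POSIX shell helper automates the reproduction step above: it runs every file in the `bugs` directory under Valgrind memcheck with `--error-exitcode`, so the exit status alone tells a clean input from a dirty one, and then summarises each uninitialised-value report in the log together with the innermost frame it was raised in. The harness path `./encoder_heic_fuzzer` and input directory `./bugs` are assumed from the report, and the sample log embedded below is constructed to mirror memcheck's output format, not taken from the issue's archive.

```shell
#!/bin/sh
# Added example (not part of the original issue or of libde265): run the
# harness over the bugs/ inputs under Valgrind memcheck and pull out each
# uninitialised-value report together with the frame it was raised in.
# Assumptions: harness at ./encoder_heic_fuzzer, inputs in ./bugs (both are
# parameters of run_testcases below).

# Constructed sample log, shaped like memcheck output (not a log from the
# issue's archive). Valgrind itself uses the British spelling "uninitialised".
SAMPLE_LOG='==1234== Memcheck, a memory error detector
==1234== Conditional jump or move depends on uninitialised value(s)
==1234==    at 0x4C3A2B1: derive_collocated_motion_vectors(...) (motion.cc:712)
==1234==    by 0x4C3B0F2: derive_temporal_luma_vector_prediction(...) (motion.cc:800)
==1234==    by 0x4A1000: LLVMFuzzerTestOneInput (encoder_heic_fuzzer.cc:40)
==1234==
==1234== Use of uninitialised value of size 8
==1234==    at 0x4C5D1E0: void add_residual_fallback<unsigned short>(...) (fallback-dct.h:50)
==1234==    by 0x4C5E111: decode_TU(...) (slice.cc:3000)
==1234==
==1234== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)'

# summarize_valgrind_log: read a memcheck log on stdin and print one line per
# uninitialised-value report as "<kind>: <innermost frame>".
summarize_valgrind_log() {
    awk '
        /[Uu]ninitiali[sz]ed value/ {
            kind = ($0 ~ /Conditional jump/) ? "conditional-jump" : "use-of-uninit"
            want = 1
            next
        }
        want && /^==[0-9]+==[ \t]+at 0x/ {
            # drop the "==PID==    at 0xADDR: " prefix, keep "func (file:line)"
            sub(/^==[0-9]+==[ \t]+at 0x[0-9A-Fa-f]+: /, "")
            printf "%s: %s\n", kind, $0
            want = 0
        }
    '
}

# count_uninit_reports: number of uninitialised-value reports in a log on stdin.
count_uninit_reports() {
    summarize_valgrind_log | wc -l | tr -d ' '
}

# run_testcases HARNESS DIR: run every file in DIR under memcheck. With
# --error-exitcode=99 a run that produced memcheck errors exits 99, so a
# non-instrumented (--sanitizer=none) binary still yields a machine-checkable
# verdict; --track-origins=yes names the allocation the stale bytes came from.
run_testcases() {
    harness=$1
    dir=$2
    for input in "$dir"/*; do
        [ -f "$input" ] || continue
        log="$input.valgrind.log"
        if valgrind --error-exitcode=99 --track-origins=yes \
               --log-file="$log" "$harness" "$input" >/dev/null 2>&1; then
            rc=0
        else
            rc=$?
        fi
        printf '%s: exit=%s, uninit reports=%s\n' \
            "$input" "$rc" "$(count_uninit_reports < "$log")"
        summarize_valgrind_log < "$log"
    done
}

# With no arguments, demonstrate the log parser on the constructed sample;
# otherwise: ./triage.sh ./encoder_heic_fuzzer ./bugs
if [ "$#" -ge 2 ]; then
    run_testcases "$1" "$2"
else
    printf '%s\n' "$SAMPLE_LOG" | summarize_valgrind_log
fi
```

The parser matches both the "uninitialised" spelling Valgrind prints and the "uninitialized" spelling used in the list above, so it works on the logs in the archive as well as on hand-edited ones. Because the harness was built with `--sanitizer=none`, Valgrind is the only thing exposing these reads; an OSS-Fuzz build with `--sanitizer memory` (MemorySanitizer) would report the same class of bug at much lower overhead, with the caveat that MSan only gives trustworthy results when every linked library, libde265 included, is instrumented.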