Opened 3 years ago
Closed 3 years ago
#1537 closed defect (fixed)
Bad memory access in DecLib::checkLayerIdIncludedInCvss
Reported by: | fbossen | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | VTM | Version: | VTM-15.0 |
Keywords: | | Cc: | ksuehring, XiangLi, fbossen, jvet@…
Description
When processing the RAP_A_HHI_1 conformance bitstream, m_accessUnitPicInfo may be empty and referencing m_accessUnitPicInfo.begin()->m_nalUnitType is undefined.
DecoderApp -b RAP_A_HHI_1.bit
DecoderApp(95419,0x1207cd600) malloc: nano zone abandoned due to inability to preallocate reserved vm space.
VVCSoftware: VTM Decoder Version 16.0rc1 [Mac OS X][clang 13.0.0][64 bit] [SIMD=AVX2]
POC 32 LId: 0 TId: 0 ( CRA, I-SLICE, QP 52 ) [DT 0.009] [L0] [L1] [MD5:443c27e4bbfba7ececf1e2d312e788e1,c4b2a47e15be58cd8f52093b6b6d4497,bb83c57bb40fb32a78bd1b62f25a5be3,(OK)]
Note: received suffix SEI but current picture is skipped.
Note: received suffix SEI but current picture is skipped.
Note: received suffix SEI but current picture is skipped.
Note: received suffix SEI but current picture is skipped.
Note: received suffix SEI but current picture is skipped.
Note: received suffix SEI but current picture is skipped.
Note: received suffix SEI but current picture is skipped.
Note: received suffix SEI but current picture is skipped.
Note: received suffix SEI but current picture is skipped.
Note: received suffix SEI but current picture is skipped.
Note: received suffix SEI but current picture is skipped.
Note: received suffix SEI but current picture is skipped.
Note: received suffix SEI but current picture is skipped.
Note: received suffix SEI but current picture is skipped.
Note: received suffix SEI but current picture is skipped.
=================================================================
==95419==ERROR: AddressSanitizer: container-overflow on address 0x602000001870 at pc 0x00010f9a7c7b bp 0x7ff7b0b1f8b0 sp 0x7ff7b0b1f8a8
READ of size 4 at 0x602000001870 thread T0
    #0 0x10f9a7c7a in DecLib::checkLayerIdIncludedInCvss() DecLib.cpp:1076
    #1 0x10f3e690a in DecApp::decode() DecApp.cpp:556
    #2 0x10f41a9c6 in main decmain.cpp:91
    #3 0x1207524fd in start+0x1cd (dyld:x86_64+0x54fd)

0x602000001870 is located 0 bytes inside of 16-byte region [0x602000001870,0x602000001880)
allocated by thread T0 here:
    #0 0x1123338fd in wrap__Znwm+0x7d (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x508fd)
    #1 0x10f9dc113 in DecLib::xDecodeSlice(InputNALUnit&, int&, int) DecLib.cpp:2689
    #2 0x10f994e22 in DecLib::decode(InputNALUnit&, int&, int&, int) DecLib.cpp:3451
    #3 0x10f3e3096 in DecApp::decode() DecApp.cpp:251
    #4 0x10f41a9c6 in main decmain.cpp:91
    #5 0x1207524fd in start+0x1cd (dyld:x86_64+0x54fd)

HINT: if you don't care about these errors you may set ASAN_OPTIONS=detect_container_overflow=0.
If you suspect a false positive see also: https://github.com/google/sanitizers/wiki/AddressSanitizerContainerOverflow.
SUMMARY: AddressSanitizer: container-overflow DecLib.cpp:1076 in DecLib::checkLayerIdIncludedInCvss()
Shadow bytes around the buggy address:
  0x1c04000002b0: fa fa 04 fa fa fa 00 fa fa fa 04 fa fa fa 04 fa
  0x1c04000002c0: fa fa fd fa fa fa 04 fa fa fa fd fa fa fa 04 fa
  0x1c04000002d0: fa fa fd fa fa fa 04 fa fa fa 04 fa fa fa 04 fa
  0x1c04000002e0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x1c04000002f0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
=>0x1c0400000300: fa fa fd fa fa fa fd fa fa fa fd fa fa fa[fc]fc
  0x1c0400000310: fa fa 04 fa fa fa 04 fa fa fa 04 fa fa fa fd fa
  0x1c0400000320: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x1c0400000330: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x1c0400000340: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x1c0400000350: fa fa fd fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==95419==ABORTING
Abort trap: 6
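The defect the report describes is an unconditional `begin()->...` read on a container that can be empty, which AddressSanitizer's container-overflow check catches because the vector's storage beyond `size()` is poisoned. The following is an added illustration, not VTM's code and not the merge-request fix: `AccessUnitPicInfo`, `NalUnitType`, `firstNalUnitType` and `firstPictureIsIrap` are constructed stand-ins, and the enumerator values are illustrative only. It shows the guarded accessor pattern that returns "no picture" instead of dereferencing an empty range.

```cpp
#include <cstdint>
#include <optional>
#include <vector>

// Constructed stand-in for a per-picture record in an access unit.
// Values are illustrative and are not VTM's NalUnitType enum.
enum class NalUnitType : uint8_t { TRAIL = 0, IDR_W_RADL = 7, IDR_N_LP = 8, CRA = 9, GDR = 10 };

struct AccessUnitPicInfo {
  NalUnitType m_nalUnitType;
  int m_nuhLayerId;
};

// Hypothetical guarded accessor: the NAL unit type of the first picture in
// the access unit, or std::nullopt when the container is empty. The unguarded
// form `au.begin()->m_nalUnitType` is what ASan flagged in the ticket.
std::optional<NalUnitType> firstNalUnitType(const std::vector<AccessUnitPicInfo>& au) {
  if (au.empty()) {
    return std::nullopt;  // nothing decoded yet for this access unit
  }
  return au.front().m_nalUnitType;
}

// Hypothetical predicate modelled on the kind of check the ticket's function
// performs: does the access unit start with an IRAP picture (IDR or CRA)?
// An empty access unit yields false instead of an out-of-bounds read.
bool firstPictureIsIrap(const std::vector<AccessUnitPicInfo>& au) {
  const std::optional<NalUnitType> t = firstNalUnitType(au);
  if (!t.has_value()) {
    return false;
  }
  return *t == NalUnitType::IDR_W_RADL || *t == NalUnitType::IDR_N_LP || *t == NalUnitType::CRA;
}

// Constructed sample inputs: an empty access unit (the crashing case from the
// ticket) and one that starts with a CRA picture on layer 0.
inline std::vector<AccessUnitPicInfo> sampleEmptyAu() { return {}; }
inline std::vector<AccessUnitPicInfo> sampleCraAu() { return {{NalUnitType::CRA, 0}}; }
```

Building with `-fsanitize=address` and the default `detect_container_overflow=1` is what surfaces the original read; with the guard in place the empty-container path never touches the vector's storage.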
Change history (2)
comment:1 Changed 3 years ago by ksuehring
Proposed fix: https://vcgit.hhi.fraunhofer.de/jvet/VVCSoftware_VTM/-/merge_requests/2210
comment:2 Changed 3 years ago by ksuehring
- Resolution set to fixed
- Status changed from new to closed
Fixed as proposed.