Opened 3 years ago

Closed 3 years ago

#1537 closed defect (fixed)

Bad memory access in DecLib::checkLayerIdIncludedInCvss

Reported by: fbossen
Owned by:
Priority: minor
Milestone:
Component: VTM
Version: VTM-15.0
Keywords:
Cc: ksuehring, XiangLi, fbossen, jvet@…

Description

When processing the RAP_A_HHI_1 conformance bitstream, m_accessUnitPicInfo may be empty and referencing m_accessUnitPicInfo.begin()->m_nalUnitType is undefined.

DecoderApp  -b RAP_A_HHI_1.bit 
DecoderApp(95419,0x1207cd600) malloc: nano zone abandoned due to inability to preallocate reserved vm space.

VVCSoftware: VTM Decoder Version 16.0rc1 [Mac OS X][clang 13.0.0][64 bit] [SIMD=AVX2] 
POC   32 LId:  0 TId: 0 ( CRA, I-SLICE, QP 52 ) [DT  0.009] [L0] [L1] [MD5:443c27e4bbfba7ececf1e2d312e788e1,c4b2a47e15be58cd8f52093b6b6d4497,bb83c57bb40fb32a78bd1b62f25a5be3,(OK)] 
Note: received suffix SEI but current picture is skipped.
Note: received suffix SEI but current picture is skipped.
Note: received suffix SEI but current picture is skipped.
Note: received suffix SEI but current picture is skipped.
Note: received suffix SEI but current picture is skipped.
Note: received suffix SEI but current picture is skipped.
Note: received suffix SEI but current picture is skipped.
Note: received suffix SEI but current picture is skipped.
Note: received suffix SEI but current picture is skipped.
Note: received suffix SEI but current picture is skipped.
Note: received suffix SEI but current picture is skipped.
Note: received suffix SEI but current picture is skipped.
Note: received suffix SEI but current picture is skipped.
Note: received suffix SEI but current picture is skipped.
Note: received suffix SEI but current picture is skipped.
=================================================================
==95419==ERROR: AddressSanitizer: container-overflow on address 0x602000001870 at pc 0x00010f9a7c7b bp 0x7ff7b0b1f8b0 sp 0x7ff7b0b1f8a8
READ of size 4 at 0x602000001870 thread T0
    #0 0x10f9a7c7a in DecLib::checkLayerIdIncludedInCvss() DecLib.cpp:1076
    #1 0x10f3e690a in DecApp::decode() DecApp.cpp:556
    #2 0x10f41a9c6 in main decmain.cpp:91
    #3 0x1207524fd in start+0x1cd (dyld:x86_64+0x54fd)

0x602000001870 is located 0 bytes inside of 16-byte region [0x602000001870,0x602000001880)
allocated by thread T0 here:
    #0 0x1123338fd in wrap__Znwm+0x7d (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x508fd)
    #1 0x10f9dc113 in DecLib::xDecodeSlice(InputNALUnit&, int&, int) DecLib.cpp:2689
    #2 0x10f994e22 in DecLib::decode(InputNALUnit&, int&, int&, int) DecLib.cpp:3451
    #3 0x10f3e3096 in DecApp::decode() DecApp.cpp:251
    #4 0x10f41a9c6 in main decmain.cpp:91
    #5 0x1207524fd in start+0x1cd (dyld:x86_64+0x54fd)

HINT: if you don't care about these errors you may set ASAN_OPTIONS=detect_container_overflow=0.
If you suspect a false positive see also: https://github.com/google/sanitizers/wiki/AddressSanitizerContainerOverflow.
SUMMARY: AddressSanitizer: container-overflow DecLib.cpp:1076 in DecLib::checkLayerIdIncludedInCvss()
Shadow bytes around the buggy address:
  0x1c04000002b0: fa fa 04 fa fa fa 00 fa fa fa 04 fa fa fa 04 fa
  0x1c04000002c0: fa fa fd fa fa fa 04 fa fa fa fd fa fa fa 04 fa
  0x1c04000002d0: fa fa fd fa fa fa 04 fa fa fa 04 fa fa fa 04 fa
  0x1c04000002e0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x1c04000002f0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
=>0x1c0400000300: fa fa fd fa fa fa fd fa fa fa fd fa fa fa[fc]fc
  0x1c0400000310: fa fa 04 fa fa fa 04 fa fa fa 04 fa fa fa fd fa
  0x1c0400000320: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x1c0400000330: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x1c0400000340: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x1c0400000350: fa fa fd fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==95419==ABORTING
Abort trap: 6
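To illustrate the defect class behind this ticket and the check that removes it, here is an added C++ example. It is not VTM's code: the struct, the NAL unit type values, and the function names are constructed stand-ins for m_accessUnitPicInfo and checkLayerIdIncludedInCvss, and the real function's body is not reproduced. The point it shows is that dereferencing begin() of an empty std::vector is undefined behaviour (ASan's container-overflow report is one way it surfaces), and that the robust fix is to make "no picture in this access unit" a value the caller must handle.

```cpp
#include <cstdio>
#include <vector>

// Constructed stand-in for VTM's per-access-unit picture info (assumption:
// the real entries carry more fields; only two are used here).
struct AccessUnitPicInfo {
  int m_nalUnitType;
  int m_nuhLayerId;
};

// Constructed NAL unit type codes for this example; not VVC's real numbering.
enum : int { NAL_UNIT_CODED_SLICE_TRAIL = 0, NAL_UNIT_CODED_SLICE_CRA = 21 };

// Sentinel returned when the access unit holds no picture at all.
const int NO_PICTURE = -1;

// Unsafe pattern from the ticket: an unconditional begin() dereference.
// With an empty vector this is undefined behaviour; it is kept here only
// for contrast and must never be called on an empty container.
int firstNalUnitTypeUnchecked(const std::vector<AccessUnitPicInfo>& picInfo) {
  return picInfo.begin()->m_nalUnitType;
}

// Hardened form: check emptiness before touching the first element and
// report the "no picture" case explicitly instead of reading past the end.
int firstNalUnitType(const std::vector<AccessUnitPicInfo>& picInfo) {
  if (picInfo.empty()) {
    return NO_PICTURE;
  }
  return picInfo.front().m_nalUnitType;
}

// Example caller with the shape of a CVS-start check (constructed logic):
// true only when a first picture exists and it is a CRA picture.
bool firstPictureIsCra(const std::vector<AccessUnitPicInfo>& picInfo) {
  int nalType = firstNalUnitType(picInfo);
  return nalType != NO_PICTURE && nalType == NAL_UNIT_CODED_SLICE_CRA;
}

// Helpers that build constructed access units for the demonstration.
std::vector<AccessUnitPicInfo> makeEmptyAccessUnit() {
  return {};
}

std::vector<AccessUnitPicInfo> makeAccessUnit(int nalType, int layerId) {
  return std::vector<AccessUnitPicInfo>{{nalType, layerId}};
}

int main() {
  // The skipped-picture case from the ticket: nothing was added to the
  // access unit, so the checked version reports NO_PICTURE and the caller
  // answers false instead of reading uninitialised memory.
  std::printf("empty AU -> first NAL type %d, CRA? %d\n",
              firstNalUnitType(makeEmptyAccessUnit()),
              firstPictureIsCra(makeEmptyAccessUnit()));
  std::printf("CRA AU   -> first NAL type %d, CRA? %d\n",
              firstNalUnitType(makeAccessUnit(NAL_UNIT_CODED_SLICE_CRA, 0)),
              firstPictureIsCra(makeAccessUnit(NAL_UNIT_CODED_SLICE_CRA, 0)));
  return 0;
}
```

Building with -fsanitize=address and calling firstNalUnitTypeUnchecked on makeEmptyAccessUnit() reproduces the same container-overflow class of report as the ticket's log; the checked variant is what a reviewer should expect wherever a container may legitimately be empty, such as when every picture of an access unit was skipped.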

Change history (2)

comment:2 Changed 3 years ago by ksuehring

  • Resolution set to fixed
  • Status changed from new to closed

Fixed as proposed.
