Description
Summary
We found several use-of-uninitialized-memory issues while testing the encoder_heic_fuzzer fuzzing harness for ImageMagick. Upon further inspection, these issues seem to be related to an external dependency (libde265) rather than to ImageMagick itself. For this reason, we decided to report them directly here, instead of reporting them to ImageMagick. It is still possible that these errors are caused by an incorrect use of libde265; if you believe this is the case, we will report them to ImageMagick as well.
We found bugs in the following functions:
- use-of-uninitialized value in function put_weighted_pred_avg_16_fallback() <libde265/fallback-motion.cc>
- use-of-uninitialized value in function put_weighted_bipred_16_fallback() <libde265/fallback-motion.cc>
- use-of-uninitialized value in function put_weighted_pred_16_fallback() <libde265/fallback-motion.cc>
- conditional jump or move depends on uninitialized value in function derive_collocated_motion_vectors() <libde265/motion.cc>
- use-of-uninitialized value in function add_residual_fallback<unsigned short>() <libde265/fallback-dct.h>
Steps to reproduce
In the following archive you will find a directory bugs containing the inputs that triggered the aforementioned bugs and their respective Valgrind logs, enumerated as in the list above. Additionally, you will find at this link the compiled fuzzing harness we used to perform our tests (we had to share it from outside GitHub as its size exceeds the size limit for this issue).
To reproduce the errors, a memory safety tool is required to expose the bug. Run the given binary with the testcase files inside Valgrind with a command like `valgrind ./encoder_heic_fuzzer /path_to_testcases/input`.
The program has been tested on the standard Docker image provided by OSS-Fuzz using Ubuntu 20.04, with AFL++ as the fuzzing engine and the build flag `--sanitizer=none`.
The libde265 commit hash used to perform the tests is 0a9999e, the latest at the time of testing.
The ImageMagick commit hash used to perform the tests is 6299383.
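As an added triage example (not code from this report, libde265 or ImageMagick): a small Python script that parses Valgrind memcheck output and groups each uninitialised-value error by its innermost stack frame, which is how the bug list above is organised. It assumes memcheck's default text output; the embedded sample log is constructed, with placeholder addresses, line numbers and abbreviated signatures.

```python
"""Triage Valgrind memcheck logs: group uninitialised-value errors by the innermost
frame, the way the bug list in this report is organised. Added example, not libde265 code."""
import sys
import re
from collections import Counter

FRAME_RE = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (.*) \(([^()]+)\)$")
ERROR_KINDS = ("Use of uninitialised value",
               "Conditional jump or move depends on uninitialised value")

def parse_memcheck_log(text):
    """Return (kind, function, file:line) for the first stack frame of each error."""
    findings, pending = [], None  # pending = error kind still waiting for its frame
    for raw in text.splitlines():
        if not raw.startswith("=="):  # program output is interleaved; keep memcheck lines only
            continue
        line = raw.split("==", 2)[-1].strip()  # drop the "==PID==" prefix
        kind = next((k for k in ERROR_KINDS if line.startswith(k)), None)
        if kind:
            pending = kind
            continue
        frame = FRAME_RE.match(line) if pending else None
        if frame:
            func = frame.group(1).split("(", 1)[0]  # drop the C++ parameter list
            findings.append((pending, func, frame.group(2)))
            pending = None  # deeper frames and the "value was created by" origin are skipped
    return findings

def summarize(findings):
    """Count distinct (kind, function) pairs across one or many logs."""
    return Counter((kind, func) for kind, func, _ in findings)

# Constructed sample in memcheck's format; addresses, line numbers and signatures are placeholders.
SAMPLE_LOG = """\
==4242== Use of uninitialised value of size 8
==4242==    at 0x5A1B2C3: put_weighted_pred_avg_16_fallback(unsigned short*, int) (fallback-motion.cc:100)
==4242==    by 0x5A0F001: ??? (in ./encoder_heic_fuzzer)
==4242==  Uninitialised value was created by a heap allocation
==4242==    at 0x483B7F3: malloc (vg_replace_malloc.c:307)
==4242==
==4242== Conditional jump or move depends on uninitialised value(s)
==4242==    at 0x5A0E123: derive_collocated_motion_vectors(...) (motion.cc:300)
==4242== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
"""

if __name__ == "__main__":  # usage: python triage.py bugs/*.log   (no arguments: the sample)
    logs = [open(p).read() for p in sys.argv[1:]] or [SAMPLE_LOG]
    for (kind, func), n in sorted(summarize(sum(map(parse_memcheck_log, logs), [])).items()):
        print(f"{n:3d}  {kind:55s} {func}")
```

Produce one log per testcase with `valgrind --log-file=bugs/input1.log ./encoder_heic_fuzzer bugs/input1` and pass the log files on the command line; the origin frames (the malloc site) are deliberately not counted so the tally names the function reading the uninitialised memory, not the allocator.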
Environment
- OS: Linux
- Version/Distribution: Ubuntu 20.04
- Architecture: x86_64
We are aware that reporting many bugs at once may be inconvenient, and we remain available to assist you in the bug fixing process. While our knowledge of the codebase is very limited and thus prevents us from directly working on the fixes, we would be happy to provide any helpful information related to our experience with testing for memory-safety errors and to re-test the project as you work on the updates. In general, we’re happy to answer any questions on fuzz testing, sanitizers, and related matters that may help you make the project more secure.