Bug#992495: marked as done (segfault in av1_cyclic_refresh_free())

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Fri, 18 Mar 2022 13:47:04 -0400
with message-id <c53e750b502b1f28cbf5bd18367fe80022de067d.camel@debian.org>
and subject line Re: segfault in av1_cyclic_refresh_free()
has caused the Debian Bug report #992495,
regarding segfault in av1_cyclic_refresh_free()
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
992495: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992495
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: segfault in av1_cyclic_refresh_free()
• From: Philipp Marek <philipp@marek.priv.at>
• Date: Thu, 19 Aug 2021 13:04:23 +0200
• Message-id: <162937106321.676927.14696497563757727886.reportbug@rs232.brz.gv.at>

Package: libaom0
Version: 1.0.0.errata1-3
Severity: normal
X-Debbugs-Cc: philipp@marek.priv.at

When using libaom0 (via ImageMagick's "convert" or gimp), it crashes 
when writing a avif:


$ gdb ... --args convert 20210812_215114.jpg 20210812_215114.avif
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffd45b0700 (LWP 676100)]
[New Thread 0x7fffd3daf700 (LWP 676104)]
[New Thread 0x7fffd35ae700 (LWP 676105)]
[New Thread 0x7fffd2dad700 (LWP 676106)]
[New Thread 0x7fffd25ac700 (LWP 676107)]
[New Thread 0x7fffd1dab700 (LWP 676108)]
[New Thread 0x7fffd15aa700 (LWP 676109)]
[Thread 0x7fffd15aa700 (LWP 676109) exited]
[Thread 0x7fffd25ac700 (LWP 676107) exited]
[Thread 0x7fffd35ae700 (LWP 676105) exited]
[Thread 0x7fffd2dad700 (LWP 676106) exited]
[Thread 0x7fffd3daf700 (LWP 676104) exited]
[Thread 0x7fffd1dab700 (LWP 676108) exited]

Thread 1 "convert" received signal SIGSEGV, Segmentation fault.
0x00007ffff4451b64 in av1_cyclic_refresh_free (cr=0x0) at ./av1/encoder/aq_cyclicrefresh.c:83
83      ./av1/encoder/aq_cyclicrefresh.c: Datei oder Verzeichnis nicht gefunden.
#0  0x00007ffff4451b64 in av1_cyclic_refresh_free (cr=0x0) at ./av1/encoder/aq_cyclicrefresh.c:83
#1  0x00007ffff448c00d in dealloc_compressor_data (cpi=0x7fffe8434020) at ./av1/encoder/encoder.c:487
#2  av1_remove_compressor (cpi=0x7fffe8434020) at ./av1/encoder/encoder.c:2906
#3  0x00007ffff448e079 in av1_create_compressor (oxcf=oxcf@entry=0x5555555ef158, pool=0x5555555f86a0) at ./av1/encoder/encoder.c:2416
#4  0x00007ffff445130b in encoder_init (data=<optimized out>, ctx=<optimized out>) at ./av1/av1_cx_iface.c:1130
#5  encoder_init (ctx=<optimized out>, data=<optimized out>) at ./av1/av1_cx_iface.c:1094
#6  0x00007ffff42bede6 in aom_codec_enc_init_ver (ctx=0x7fffffff9b00, iface=<optimized out>, cfg=<optimized out>, flags=<optimized out>, ver=<optimized out>) at ./aom/src/aom_encoder.c:58
#7  0x00007ffff47b4673 in ?? () from /lib/x86_64-linux-gnu/libheif.so.1
#8  0x00007ffff4799d48 in ?? () from /lib/x86_64-linux-gnu/libheif.so.1
#9  0x00007ffff479a70d in ?? () from /lib/x86_64-linux-gnu/libheif.so.1
#10 0x00007ffff478c5d9 in heif_context_encode_image () from /lib/x86_64-linux-gnu/libheif.so.1
#11 0x00007ffff7fb9ae3 in ?? () from /usr/lib/x86_64-linux-gnu/ImageMagick-6.9.11/modules-Q16/coders/heic.so
#12 0x00007ffff7d45644 in WriteImage () from /lib/x86_64-linux-gnu/libMagickCore-6.Q16.so.6
#13 0x00007ffff7d46069 in WriteImages () from /lib/x86_64-linux-gnu/libMagickCore-6.Q16.so.6
#14 0x00007ffff7bd7ca4 in ConvertImageCommand () from /lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.6
#15 0x00007ffff7c42f80 in MagickCommandGenesis () from /lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.6
#16 0x00005555555550fa in ?? ()
#17 0x00007ffff79fdd0a in __libc_start_main (main=0x5555555550b0, argc=3, argv=0x7fffffffdf38, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdf28) at ../csu/libc-start.c:308
#18 0x000055555555515a in ?? ()
#0  0x00007ffff4451b64 in av1_cyclic_refresh_free (cr=0x0) at ./av1/encoder/aq_cyclicrefresh.c:83
No locals.
#1  0x00007ffff448c00d in dealloc_compressor_data (cpi=0x7fffe8434020) at ./av1/encoder/encoder.c:487
        cm = 0x7fffe8782130
        num_planes = 3
#2  av1_remove_compressor (cpi=0x7fffe8434020) at ./av1/encoder/encoder.c:2906
        cm = 0x7fffe8782130
        i = <optimized out>
        t = <optimized out>
        num_planes = 3
#3  0x00007ffff448e079 in av1_create_compressor (oxcf=oxcf@entry=0x5555555ef158, pool=0x5555555f86a0) at ./av1/encoder/encoder.c:2416
        i = <optimized out>
        cpi = 0x7fffe8434020
        cm = 0x7fffe8782130
#4  0x00007ffff445130b in encoder_init (data=<optimized out>, ctx=<optimized out>) at ./av1/av1_cx_iface.c:1130
        priv = <optimized out>
        res = <optimized out>
#5  encoder_init (ctx=<optimized out>, data=<optimized out>) at ./av1/av1_cx_iface.c:1094
        res = AOM_CODEC_OK
        priv = <optimized out>
#6  0x00007ffff42bede6 in aom_codec_enc_init_ver (ctx=0x7fffffff9b00, iface=<optimized out>, cfg=<optimized out>, flags=<optimized out>, ver=<optimized out>) at ./aom/src/aom_encoder.c:58
        res = <optimized out>
#7  0x00007ffff47b4673 in ?? () from /lib/x86_64-linux-gnu/libheif.so.1
No symbol table info available.
#8  0x00007ffff4799d48 in ?? () from /lib/x86_64-linux-gnu/libheif.so.1
No symbol table info available.
#9  0x00007ffff479a70d in ?? () from /lib/x86_64-linux-gnu/libheif.so.1
No symbol table info available.
#10 0x00007ffff478c5d9 in heif_context_encode_image () from /lib/x86_64-linux-gnu/libheif.so.1
No symbol table info available.
#11 0x00007ffff7fb9ae3 in ?? () from /usr/lib/x86_64-linux-gnu/ImageMagick-6.9.11/modules-Q16/coders/heic.so
No symbol table info available.
#12 0x00007ffff7d45644 in WriteImage () from /lib/x86_64-linux-gnu/libMagickCore-6.Q16.so.6
No symbol table info available.
#13 0x00007ffff7d46069 in WriteImages () from /lib/x86_64-linux-gnu/libMagickCore-6.Q16.so.6
No symbol table info available.
#14 0x00007ffff7bd7ca4 in ConvertImageCommand () from /lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.6
No symbol table info available.
#15 0x00007ffff7c42f80 in MagickCommandGenesis () from /lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.6
No symbol table info available.
#16 0x00005555555550fa in ?? ()
No symbol table info available.
#17 0x00007ffff79fdd0a in __libc_start_main (main=0x5555555550b0, argc=3, argv=0x7fffffffdf38, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdf28) at ../csu/libc-start.c:308
        self = <optimized out>
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, 9069691304734393222, 93824992235824, 0, 0, 0, 2921518278079972230, 2921500960824132486}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x3, 0x7fffffffdf38}, data = {prev = 0x0, cleanup = 0x0, canceltype = 3}}}
        not_first_call = <optimized out>
#18 0x000055555555515a in ?? ()
No symbol table info available.

Thread 2 (Thread 0x7fffd45b0700 (LWP 676100) "convert"):
#0  0x00007ffff6f875ee in ?? () from /lib/x86_64-linux-gnu/libgomp.so.1
No symbol table info available.
#1  0x00007ffff6f84dc0 in ?? () from /lib/x86_64-linux-gnu/libgomp.so.1
No symbol table info available.
#2  0x00007ffff6fb3ea7 in start_thread (arg=<optimized out>) at pthread_create.c:477
        ret = <optimized out>
        pd = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140736756123392, -2921518279167802490, 140737488329902, 140737488329903, 140736756121344, 8396800, 2921435583855494022, 2921502918206980998}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = 0
#3  0x00007ffff7ad4def in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
No locals.

Thread 1 (Thread 0x7ffff4ba9c40 (LWP 676091) "convert"):
#0  0x00007ffff4451b64 in av1_cyclic_refresh_free (cr=0x0) at ./av1/encoder/aq_cyclicrefresh.c:83
No locals.
#1  0x00007ffff448c00d in dealloc_compressor_data (cpi=0x7fffe8434020) at ./av1/encoder/encoder.c:487
        cm = 0x7fffe8782130
        num_planes = 3
#2  av1_remove_compressor (cpi=0x7fffe8434020) at ./av1/encoder/encoder.c:2906
        cm = 0x7fffe8782130
        i = <optimized out>
        t = <optimized out>
        num_planes = 3
#3  0x00007ffff448e079 in av1_create_compressor (oxcf=oxcf@entry=0x5555555ef158, pool=0x5555555f86a0) at ./av1/encoder/encoder.c:2416
        i = <optimized out>
        cpi = 0x7fffe8434020
        cm = 0x7fffe8782130
#4  0x00007ffff445130b in encoder_init (data=<optimized out>, ctx=<optimized out>) at ./av1/av1_cx_iface.c:1130
        priv = <optimized out>
        res = <optimized out>
#5  encoder_init (ctx=<optimized out>, data=<optimized out>) at ./av1/av1_cx_iface.c:1094
        res = AOM_CODEC_OK
        priv = <optimized out>
#6  0x00007ffff42bede6 in aom_codec_enc_init_ver (ctx=0x7fffffff9b00, iface=<optimized out>, cfg=<optimized out>, flags=<optimized out>, ver=<optimized out>) at ./aom/src/aom_encoder.c:58
        res = <optimized out>
#7  0x00007ffff47b4673 in ?? () from /lib/x86_64-linux-gnu/libheif.so.1
No symbol table info available.
#8  0x00007ffff4799d48 in ?? () from /lib/x86_64-linux-gnu/libheif.so.1
No symbol table info available.
#9  0x00007ffff479a70d in ?? () from /lib/x86_64-linux-gnu/libheif.so.1
No symbol table info available.
#10 0x00007ffff478c5d9 in heif_context_encode_image () from /lib/x86_64-linux-gnu/libheif.so.1
No symbol table info available.
#11 0x00007ffff7fb9ae3 in ?? () from /usr/lib/x86_64-linux-gnu/ImageMagick-6.9.11/modules-Q16/coders/heic.so
No symbol table info available.
#12 0x00007ffff7d45644 in WriteImage () from /lib/x86_64-linux-gnu/libMagickCore-6.Q16.so.6
No symbol table info available.
#13 0x00007ffff7d46069 in WriteImages () from /lib/x86_64-linux-gnu/libMagickCore-6.Q16.so.6
No symbol table info available.
#14 0x00007ffff7bd7ca4 in ConvertImageCommand () from /lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.6
No symbol table info available.
#15 0x00007ffff7c42f80 in MagickCommandGenesis () from /lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.6
No symbol table info available.
#16 0x00005555555550fa in ?? ()
No symbol table info available.
#17 0x00007ffff79fdd0a in __libc_start_main (main=0x5555555550b0, argc=3, argv=0x7fffffffdf38, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdf28) at ../csu/libc-start.c:308
        self = <optimized out>
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, 9069691304734393222, 93824992235824, 0, 0, 0, 2921518278079972230, 2921500960824132486}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x3, 0x7fffffffdf38}, data = {prev = 0x0, cleanup = 0x0, canceltype = 3}}}
        not_first_call = <optimized out>
#18 0x000055555555515a in ?? ()
No symbol table info available.



-- System Information:
Debian Release: 11.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8), LANGUAGE=de_AT:de
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libaom0 depends on:
ii  libc6  2.31-13

libaom0 recommends no packages.

libaom0 suggests no packages.

-- no debconf information

--- End Message ---

--- Begin Message ---

• To: 992495-done@bugs.debian.org
• Subject: Re: segfault in av1_cyclic_refresh_free()
• From: Boyuan Yang <byang@debian.org>
• Date: Fri, 18 Mar 2022 13:47:04 -0400
• Message-id: <c53e750b502b1f28cbf5bd18367fe80022de067d.camel@debian.org>
• In-reply-to: <9394797283de6dc7f8a85da6edb638d7e0133635.camel@debian.org>
• References: <162937106321.676927.14696497563757727886.reportbug@rs232.brz.gv.at> <9394797283de6dc7f8a85da6edb638d7e0133635.camel@debian.org>

Version: 3.3.0-1

I believe this bug is not present with aom 3.3.0. If you still can reproduce
it, please also send a minimal reproducible example to me so that I can
examine it.

Thanks,
Boyuan Yang

On Wed, 03 Nov 2021 23:15:56 -0400 Boyuan Yang <byang@debian.org> wrote:
> Control: tags -1 +moreinfo +unreproducible
> 
> Hi,
> 
> I could not reproduce this issue on current Debian 11 Stable, Debian
Testing
> and Debian Unstable. Could you verify that this is still crashing on your
> devices? If yes, please also consider providing the exact .jpg file that
would
> trigger the crashing.
> 
> Thanks,
> Boyuan Yang
> 
> On Thu, 19 Aug 2021 13:04:23 +0200 Philipp Marek <philipp@marek.priv.at>
> wrote:
> > Package: libaom0
> > Version: 1.0.0.errata1-3
> > Severity: normal
> > X-Debbugs-Cc: philipp@marek.priv.at
> > 
> > When using libaom0 (via ImageMagick's "convert" or gimp), it crashes 
> > when writing a avif:
> > 
> > 
> > $ gdb ... --args convert 20210812_215114.jpg 20210812_215114.avif
> > 
> > Thread 1 "convert" received signal SIGSEGV, Segmentation fault.
> > 0x00007ffff4451b64 in av1_cyclic_refresh_free (cr=0x0) at
> ./av1/encoder/aq_cyclicrefresh.c:83
> > 83      ./av1/encoder/aq_cyclicrefresh.c: Datei oder Verzeichnis nicht
> gefunden.
> > #0  0x00007ffff4451b64 in av1_cyclic_refresh_free (cr=0x0) at
> ./av1/encoder/aq_cyclicrefresh.c:83
> 
> 

Attachment: signature.asc
Description: This is a digitally signed message part

--- End Message ---