
Bug#992495: segfault in av1_cyclic_refresh_free()



Package: libaom0
Version: 1.0.0.errata1-3
Severity: normal
X-Debbugs-Cc: philipp@marek.priv.at

When using libaom0 (via ImageMagick's "convert" or gimp), it crashes 
when writing an avif:


$ gdb ... --args convert 20210812_215114.jpg 20210812_215114.avif
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffd45b0700 (LWP 676100)]
[New Thread 0x7fffd3daf700 (LWP 676104)]
[New Thread 0x7fffd35ae700 (LWP 676105)]
[New Thread 0x7fffd2dad700 (LWP 676106)]
[New Thread 0x7fffd25ac700 (LWP 676107)]
[New Thread 0x7fffd1dab700 (LWP 676108)]
[New Thread 0x7fffd15aa700 (LWP 676109)]
[Thread 0x7fffd15aa700 (LWP 676109) exited]
[Thread 0x7fffd25ac700 (LWP 676107) exited]
[Thread 0x7fffd35ae700 (LWP 676105) exited]
[Thread 0x7fffd2dad700 (LWP 676106) exited]
[Thread 0x7fffd3daf700 (LWP 676104) exited]
[Thread 0x7fffd1dab700 (LWP 676108) exited]

Thread 1 "convert" received signal SIGSEGV, Segmentation fault.
0x00007ffff4451b64 in av1_cyclic_refresh_free (cr=0x0) at ./av1/encoder/aq_cyclicrefresh.c:83
83      ./av1/encoder/aq_cyclicrefresh.c: Datei oder Verzeichnis nicht gefunden.
#0  0x00007ffff4451b64 in av1_cyclic_refresh_free (cr=0x0) at ./av1/encoder/aq_cyclicrefresh.c:83
#1  0x00007ffff448c00d in dealloc_compressor_data (cpi=0x7fffe8434020) at ./av1/encoder/encoder.c:487
#2  av1_remove_compressor (cpi=0x7fffe8434020) at ./av1/encoder/encoder.c:2906
#3  0x00007ffff448e079 in av1_create_compressor (oxcf=oxcf@entry=0x5555555ef158, pool=0x5555555f86a0) at ./av1/encoder/encoder.c:2416
#4  0x00007ffff445130b in encoder_init (data=<optimized out>, ctx=<optimized out>) at ./av1/av1_cx_iface.c:1130
#5  encoder_init (ctx=<optimized out>, data=<optimized out>) at ./av1/av1_cx_iface.c:1094
#6  0x00007ffff42bede6 in aom_codec_enc_init_ver (ctx=0x7fffffff9b00, iface=<optimized out>, cfg=<optimized out>, flags=<optimized out>, ver=<optimized out>) at ./aom/src/aom_encoder.c:58
#7  0x00007ffff47b4673 in ?? () from /lib/x86_64-linux-gnu/libheif.so.1
#8  0x00007ffff4799d48 in ?? () from /lib/x86_64-linux-gnu/libheif.so.1
#9  0x00007ffff479a70d in ?? () from /lib/x86_64-linux-gnu/libheif.so.1
#10 0x00007ffff478c5d9 in heif_context_encode_image () from /lib/x86_64-linux-gnu/libheif.so.1
#11 0x00007ffff7fb9ae3 in ?? () from /usr/lib/x86_64-linux-gnu/ImageMagick-6.9.11/modules-Q16/coders/heic.so
#12 0x00007ffff7d45644 in WriteImage () from /lib/x86_64-linux-gnu/libMagickCore-6.Q16.so.6
#13 0x00007ffff7d46069 in WriteImages () from /lib/x86_64-linux-gnu/libMagickCore-6.Q16.so.6
#14 0x00007ffff7bd7ca4 in ConvertImageCommand () from /lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.6
#15 0x00007ffff7c42f80 in MagickCommandGenesis () from /lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.6
#16 0x00005555555550fa in ?? ()
#17 0x00007ffff79fdd0a in __libc_start_main (main=0x5555555550b0, argc=3, argv=0x7fffffffdf38, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdf28) at ../csu/libc-start.c:308
#18 0x000055555555515a in ?? ()
#0  0x00007ffff4451b64 in av1_cyclic_refresh_free (cr=0x0) at ./av1/encoder/aq_cyclicrefresh.c:83
No locals.
#1  0x00007ffff448c00d in dealloc_compressor_data (cpi=0x7fffe8434020) at ./av1/encoder/encoder.c:487
        cm = 0x7fffe8782130
        num_planes = 3
#2  av1_remove_compressor (cpi=0x7fffe8434020) at ./av1/encoder/encoder.c:2906
        cm = 0x7fffe8782130
        i = <optimized out>
        t = <optimized out>
        num_planes = 3
#3  0x00007ffff448e079 in av1_create_compressor (oxcf=oxcf@entry=0x5555555ef158, pool=0x5555555f86a0) at ./av1/encoder/encoder.c:2416
        i = <optimized out>
        cpi = 0x7fffe8434020
        cm = 0x7fffe8782130
#4  0x00007ffff445130b in encoder_init (data=<optimized out>, ctx=<optimized out>) at ./av1/av1_cx_iface.c:1130
        priv = <optimized out>
        res = <optimized out>
#5  encoder_init (ctx=<optimized out>, data=<optimized out>) at ./av1/av1_cx_iface.c:1094
        res = AOM_CODEC_OK
        priv = <optimized out>
#6  0x00007ffff42bede6 in aom_codec_enc_init_ver (ctx=0x7fffffff9b00, iface=<optimized out>, cfg=<optimized out>, flags=<optimized out>, ver=<optimized out>) at ./aom/src/aom_encoder.c:58
        res = <optimized out>
#7  0x00007ffff47b4673 in ?? () from /lib/x86_64-linux-gnu/libheif.so.1
No symbol table info available.
#8  0x00007ffff4799d48 in ?? () from /lib/x86_64-linux-gnu/libheif.so.1
No symbol table info available.
#9  0x00007ffff479a70d in ?? () from /lib/x86_64-linux-gnu/libheif.so.1
No symbol table info available.
#10 0x00007ffff478c5d9 in heif_context_encode_image () from /lib/x86_64-linux-gnu/libheif.so.1
No symbol table info available.
#11 0x00007ffff7fb9ae3 in ?? () from /usr/lib/x86_64-linux-gnu/ImageMagick-6.9.11/modules-Q16/coders/heic.so
No symbol table info available.
#12 0x00007ffff7d45644 in WriteImage () from /lib/x86_64-linux-gnu/libMagickCore-6.Q16.so.6
No symbol table info available.
#13 0x00007ffff7d46069 in WriteImages () from /lib/x86_64-linux-gnu/libMagickCore-6.Q16.so.6
No symbol table info available.
#14 0x00007ffff7bd7ca4 in ConvertImageCommand () from /lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.6
No symbol table info available.
#15 0x00007ffff7c42f80 in MagickCommandGenesis () from /lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.6
No symbol table info available.
#16 0x00005555555550fa in ?? ()
No symbol table info available.
#17 0x00007ffff79fdd0a in __libc_start_main (main=0x5555555550b0, argc=3, argv=0x7fffffffdf38, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdf28) at ../csu/libc-start.c:308
        self = <optimized out>
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, 9069691304734393222, 93824992235824, 0, 0, 0, 2921518278079972230, 2921500960824132486}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x3, 0x7fffffffdf38}, data = {prev = 0x0, cleanup = 0x0, canceltype = 3}}}
        not_first_call = <optimized out>
#18 0x000055555555515a in ?? ()
No symbol table info available.

Thread 2 (Thread 0x7fffd45b0700 (LWP 676100) "convert"):
#0  0x00007ffff6f875ee in ?? () from /lib/x86_64-linux-gnu/libgomp.so.1
No symbol table info available.
#1  0x00007ffff6f84dc0 in ?? () from /lib/x86_64-linux-gnu/libgomp.so.1
No symbol table info available.
#2  0x00007ffff6fb3ea7 in start_thread (arg=<optimized out>) at pthread_create.c:477
        ret = <optimized out>
        pd = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140736756123392, -2921518279167802490, 140737488329902, 140737488329903, 140736756121344, 8396800, 2921435583855494022, 2921502918206980998}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = 0
#3  0x00007ffff7ad4def in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
No locals.

Thread 1 (Thread 0x7ffff4ba9c40 (LWP 676091) "convert"):
#0  0x00007ffff4451b64 in av1_cyclic_refresh_free (cr=0x0) at ./av1/encoder/aq_cyclicrefresh.c:83
No locals.
#1  0x00007ffff448c00d in dealloc_compressor_data (cpi=0x7fffe8434020) at ./av1/encoder/encoder.c:487
        cm = 0x7fffe8782130
        num_planes = 3
#2  av1_remove_compressor (cpi=0x7fffe8434020) at ./av1/encoder/encoder.c:2906
        cm = 0x7fffe8782130
        i = <optimized out>
        t = <optimized out>
        num_planes = 3
#3  0x00007ffff448e079 in av1_create_compressor (oxcf=oxcf@entry=0x5555555ef158, pool=0x5555555f86a0) at ./av1/encoder/encoder.c:2416
        i = <optimized out>
        cpi = 0x7fffe8434020
        cm = 0x7fffe8782130
#4  0x00007ffff445130b in encoder_init (data=<optimized out>, ctx=<optimized out>) at ./av1/av1_cx_iface.c:1130
        priv = <optimized out>
        res = <optimized out>
#5  encoder_init (ctx=<optimized out>, data=<optimized out>) at ./av1/av1_cx_iface.c:1094
        res = AOM_CODEC_OK
        priv = <optimized out>
#6  0x00007ffff42bede6 in aom_codec_enc_init_ver (ctx=0x7fffffff9b00, iface=<optimized out>, cfg=<optimized out>, flags=<optimized out>, ver=<optimized out>) at ./aom/src/aom_encoder.c:58
        res = <optimized out>
#7  0x00007ffff47b4673 in ?? () from /lib/x86_64-linux-gnu/libheif.so.1
No symbol table info available.
#8  0x00007ffff4799d48 in ?? () from /lib/x86_64-linux-gnu/libheif.so.1
No symbol table info available.
#9  0x00007ffff479a70d in ?? () from /lib/x86_64-linux-gnu/libheif.so.1
No symbol table info available.
#10 0x00007ffff478c5d9 in heif_context_encode_image () from /lib/x86_64-linux-gnu/libheif.so.1
No symbol table info available.
#11 0x00007ffff7fb9ae3 in ?? () from /usr/lib/x86_64-linux-gnu/ImageMagick-6.9.11/modules-Q16/coders/heic.so
No symbol table info available.
#12 0x00007ffff7d45644 in WriteImage () from /lib/x86_64-linux-gnu/libMagickCore-6.Q16.so.6
No symbol table info available.
#13 0x00007ffff7d46069 in WriteImages () from /lib/x86_64-linux-gnu/libMagickCore-6.Q16.so.6
No symbol table info available.
#14 0x00007ffff7bd7ca4 in ConvertImageCommand () from /lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.6
No symbol table info available.
#15 0x00007ffff7c42f80 in MagickCommandGenesis () from /lib/x86_64-linux-gnu/libMagickWand-6.Q16.so.6
No symbol table info available.
#16 0x00005555555550fa in ?? ()
No symbol table info available.
#17 0x00007ffff79fdd0a in __libc_start_main (main=0x5555555550b0, argc=3, argv=0x7fffffffdf38, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdf28) at ../csu/libc-start.c:308
        self = <optimized out>
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, 9069691304734393222, 93824992235824, 0, 0, 0, 2921518278079972230, 2921500960824132486}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x3, 0x7fffffffdf38}, data = {prev = 0x0, cleanup = 0x0, canceltype = 3}}}
        not_first_call = <optimized out>
#18 0x000055555555515a in ?? ()
No symbol table info available.



-- System Information:
Debian Release: 11.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8), LANGUAGE=de_AT:de
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libaom0 depends on:
ii  libc6  2.31-13

libaom0 recommends no packages.

libaom0 suggests no packages.

-- no debconf information

