Description
Decoding a crafted HEIF grid image triggers a stack-use-after-scope at libheif/image-items/grid.cc:498. The task passed to std::async holds a reference (std::reference_wrapper<int>) to the stack variable progress_counter, which lives in the decode_full_grid_image frame of thread T0; worker thread T2 still reads it after that variable has gone out of scope. This may result in an information leak or a denial of service.
Reproduction steps
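# Build libheif with ASan/UBSan instrumentation and decode the crafted grid image.
git clone https://github.com/strukturag/libheif.git
cd libheif
# Configure out-of-tree. The sanitizer report below locates the binary under
# build_asan/examples, so the build directory has to be created and entered
# before `cmake ..` is run; from the source root, `..` would be the parent
# directory, which has no CMakeLists.txt.
mkdir -p build_asan && cd build_asan
CC=afl-clang-fast CXX=afl-clang-fast++ \
cmake .. \
  -DCMAKE_BUILD_TYPE=Debug \
  -DCMAKE_C_FLAGS="-fsanitize=address,undefined -fno-omit-frame-pointer" \
  -DCMAKE_CXX_FLAGS="-fsanitize=address,undefined -fno-omit-frame-pointer" \
  -DBUILD_SHARED_LIBS=OFF \
  -DENABLE_PLUGIN_LOADING=OFF
make -j"$(nproc)" heif-dec
# The PoC path is relative to the current (build) directory; under ASan the
# decoder is expected to abort with the stack-use-after-scope report below.
./examples/heif-dec -o /tmp/c.png poc-stack-use-after-scope.heic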
ASAN
File contains 2 images
=================================================================
==3856201==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffefb5f7690 at pc 0x5c2db2ad4229 bp 0x74c95fbfd370 sp 0x74c95fbfd368
READ of size 4 at 0x7ffefb5f7690 thread T2
#0 0x5c2db2ad4228 in ImageItem_Grid::decode_and_paste_tile_image(unsigned int, unsigned int, unsigned int, std::shared_ptr<HeifPixelImage>&, heif_decoding_options const&, int&) const /home/suziqi/模糊测试/libheif_fuzz/libheif/libheif/image-items/grid.cc:498:51
#1 0x5c2db2af63be in Error std::__invoke_impl<Error, Error (ImageItem_Grid::*)(unsigned int, unsigned int, unsigned int, std::shared_ptr<HeifPixelImage>&, heif_decoding_options const&, int&) const, ImageItem_Grid const*, unsigned int, unsigned int, unsigned int, std::reference_wrapper<std::shared_ptr<HeifPixelImage> >, heif_decoding_options, std::reference_wrapper<int> >(std::__invoke_memfun_deref, Error (ImageItem_Grid::*&&)(unsigned int, unsigned int, unsigned int, std::shared_ptr<HeifPixelImage>&, heif_decoding_options const&, int&) const, ImageItem_Grid const*&&, unsigned int&&, unsigned int&&, unsigned int&&, std::reference_wrapper<std::shared_ptr<HeifPixelImage> >&&, heif_decoding_options&&, std::reference_wrapper<int>&&) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:74:14
#2 0x5c2db2af63be in std::__invoke_result<Error (ImageItem_Grid::*)(unsigned int, unsigned int, unsigned int, std::shared_ptr<HeifPixelImage>&, heif_decoding_options const&, int&) const, ImageItem_Grid const*, unsigned int, unsigned int, unsigned int, std::reference_wrapper<std::shared_ptr<HeifPixelImage> >, heif_decoding_options, std::reference_wrapper<int> >::type std::__invoke<Error (ImageItem_Grid::*)(unsigned int, unsigned int, unsigned int, std::shared_ptr<HeifPixelImage>&, heif_decoding_options const&, int&) const, ImageItem_Grid const*, unsigned int, unsigned int, unsigned int, std::reference_wrapper<std::shared_ptr<HeifPixelImage> >, heif_decoding_options, std::reference_wrapper<int> >(Error (ImageItem_Grid::*&&)(unsigned int, unsigned int, unsigned int, std::shared_ptr<HeifPixelImage>&, heif_decoding_options const&, int&) const, ImageItem_Grid const*&&, unsigned int&&, unsigned int&&, unsigned int&&, std::reference_wrapper<std::shared_ptr<HeifPixelImage> >&&, heif_decoding_options&&, std::reference_wrapper<int>&&) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:96:14
#3 0x5c2db2af63be in Error std::thread::_Invoker<std::tuple<Error (ImageItem_Grid::*)(unsigned int, unsigned int, unsigned int, std::shared_ptr<HeifPixelImage>&, heif_decoding_options const&, int&) const, ImageItem_Grid const*, unsigned int, unsigned int, unsigned int, std::reference_wrapper<std::shared_ptr<HeifPixelImage> >, heif_decoding_options, std::reference_wrapper<int> > >::_M_invoke<0ul, 1ul, 2ul, 3ul, 4ul, 5ul, 6ul, 7ul>(std::_Index_tuple<0ul, 1ul, 2ul, 3ul, 4ul, 5ul, 6ul, 7ul>) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/std_thread.h:259:13
#4 0x5c2db2af58e3 in std::thread::_Invoker<std::tuple<Error (ImageItem_Grid::*)(unsigned int, unsigned int, unsigned int, std::shared_ptr<HeifPixelImage>&, heif_decoding_options const&, int&) const, ImageItem_Grid const*, unsigned int, unsigned int, unsigned int, std::reference_wrapper<std::shared_ptr<HeifPixelImage> >, heif_decoding_options, std::reference_wrapper<int> > >::operator()() /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/std_thread.h:266:11
#5 0x5c2db2af58e3 in std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<Error>, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker<std::tuple<Error (ImageItem_Grid::*)(unsigned int, unsigned int, unsigned int, std::shared_ptr<HeifPixelImage>&, heif_decoding_options const&, int&) const, ImageItem_Grid const*, unsigned int, unsigned int, unsigned int, std::reference_wrapper<std::shared_ptr<HeifPixelImage> >, heif_decoding_options, std::reference_wrapper<int> > >, Error>::operator()() const /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/future:1386:27
#6 0x5c2db2af5436 in std::unique_ptr<std::__future_base::_Result<Error>, std::__future_base::_Result_base::_Deleter> std::__invoke_impl<std::unique_ptr<std::__future_base::_Result<Error>, std::__future_base::_Result_base::_Deleter>, std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<Error>, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker<std::tuple<Error (ImageItem_Grid::*)(unsigned int, unsigned int, unsigned int, std::shared_ptr<HeifPixelImage>&, heif_decoding_options const&, int&) const, ImageItem_Grid const*, unsigned int, unsigned int, unsigned int, std::reference_wrapper<std::shared_ptr<HeifPixelImage> >, heif_decoding_options, std::reference_wrapper<int> > >, Error>&>(std::__invoke_other, std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<Error>, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker<std::tuple<Error (ImageItem_Grid::*)(unsigned int, unsigned int, unsigned int, std::shared_ptr<HeifPixelImage>&, heif_decoding_options const&, int&) const, ImageItem_Grid const*, unsigned int, unsigned int, unsigned int, std::reference_wrapper<std::shared_ptr<HeifPixelImage> >, heif_decoding_options, std::reference_wrapper<int> > >, Error>&) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:61:14
#7 0x5c2db2af5436 in std::enable_if<is_invocable_r_v<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter>, std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<Error>, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker<std::tuple<Error (ImageItem_Grid::*)(unsigned int, unsigned int, unsigned int, std::shared_ptr<HeifPixelImage>&, heif_decoding_options const&, int&) const, ImageItem_Grid const*, unsigned int, unsigned int, unsigned int, std::reference_wrapper<std::shared_ptr<HeifPixelImage> >, heif_decoding_options, std::reference_wrapper<int> > >, Error>&>, std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> >::type std::__invoke_r<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter>, std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<Error>, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker<std::tuple<Error (ImageItem_Grid::*)(unsigned int, unsigned int, unsigned int, std::shared_ptr<HeifPixelImage>&, heif_decoding_options const&, int&) const, ImageItem_Grid const*, unsigned int, unsigned int, unsigned int, std::reference_wrapper<std::shared_ptr<HeifPixelImage> >, heif_decoding_options, std::reference_wrapper<int> > >, Error>&>(std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<Error>, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker<std::tuple<Error (ImageItem_Grid::*)(unsigned int, unsigned int, unsigned int, std::shared_ptr<HeifPixelImage>&, heif_decoding_options const&, int&) const, ImageItem_Grid const*, unsigned int, unsigned int, unsigned int, std::reference_wrapper<std::shared_ptr<HeifPixelImage> >, heif_decoding_options, std::reference_wrapper<int> > >, Error>&) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/invoke.h:114:9
#8 0x5c2db2af5436 in std::_Function_handler<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> (), std::__future_base::_Task_setter<std::unique_ptr<std::__future_base::_Result<Error>, std::__future_base::_Result_base::_Deleter>, std::thread::_Invoker<std::tuple<Error (ImageItem_Grid::*)(unsigned int, unsigned int, unsigned int, std::shared_ptr<HeifPixelImage>&, heif_decoding_options const&, int&) const, ImageItem_Grid const*, unsigned int, unsigned int, unsigned int, std::reference_wrapper<std::shared_ptr<HeifPixelImage> >, heif_decoding_options, std::reference_wrapper<int> > >, Error> >::_M_invoke(std::_Any_data const&) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/std_function.h:290:9
#9 0x5c2db2af4d02 in std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>::operator()() const /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/std_function.h:590:9
#10 0x5c2db2af4d02 in std::__future_base::_State_baseV2::_M_do_set(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/future:571:27
#11 0x74c962899ee7 in __pthread_once_slow nptl/./nptl/pthread_once.c:116:7
#12 0x5c2db2af4047 in __gthread_once(int*, void (*)()) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/x86_64-linux-gnu/c++/11/bits/gthr-default.h:700:12
#13 0x5c2db2af4047 in void std::call_once<void (std::__future_base::_State_baseV2::*)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*), std::__future_base::_State_baseV2*, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*>(std::once_flag&, void (std::__future_base::_State_baseV2::*&&)(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*, bool*), std::__future_base::_State_baseV2*&&, std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>*&&, bool*&&) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/mutex:783:21
#14 0x5c2db2af4047 in std::__future_base::_State_baseV2::_M_set_result(std::function<std::unique_ptr<std::__future_base::_Result_base, std::__future_base::_Result_base::_Deleter> ()>, bool) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/future:411:2
#15 0x5c2db2af2278 in std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<Error (ImageItem_Grid::*)(unsigned int, unsigned int, unsigned int, std::shared_ptr<HeifPixelImage>&, heif_decoding_options const&, int&) const, ImageItem_Grid const*, unsigned int, unsigned int, unsigned int, std::reference_wrapper<std::shared_ptr<HeifPixelImage> >, heif_decoding_options, std::reference_wrapper<int> > >, Error>::_M_run() /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/future:1748:6
#16 0x74c962cdc252 (/lib/x86_64-linux-gnu/libstdc++.so.6+0xdc252) (BuildId: e72c155b714bc42a767ec9c0dd94589110e5b42f)
#17 0x74c962894ac2 in start_thread nptl/./nptl/pthread_create.c:442:8
#18 0x74c9629268bf misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
Address 0x7ffefb5f7690 is located in stack of thread T0 at offset 1328 in frame
#0 0x5c2db2ac8f9f in ImageItem_Grid::decode_full_grid_image(heif_decoding_options const&) const /home/suziqi/模糊测试/libheif_fuzz/libheif/libheif/image-items/grid.cc:232
This frame has 35 object(s):
[32, 40) '__reset.i1610'
[64, 72) '__reset.i'
[96, 128) 'ref.tmp.i.i'
[160, 176) 'ref.tmp.i'
[192, 224) 'agg.tmp.i.i.i.i'
[256, 288) 'agg.tmp2.i.i.i.i'
[320, 352) '__new_finish.i.i'
[384, 400) 'img' (line 233)
[416, 808) 'sstr' (line 244)
[880, 920) 'ref.tmp' (line 247)
[960, 992) 'ref.tmp44' (line 247)
[1024, 1064) 'err' (line 258)
[1104, 1184) 'tiles' (line 274)
[1216, 1296) 'errs' (line 278)
[1328, 1332) 'progress_counter' (line 291) <== Memory access at offset 1328 is inside this variable
[1344, 1360) 'tileImg' (line 301)
[1376, 1416) 'ref.tmp200' (line 303)
[1456, 1488) 'ref.tmp201' (line 303)
[1520, 1560) 'error' (line 307)
[1600, 1640) 'ref.tmp258' (line 313)
[1680, 1720) 'ref.tmp301' (line 320)
[1760, 1792) 'ref.tmp302' (line 320)
[1824, 1864) 'ref.tmp331' (line 331)
[1904, 1936) 'ref.tmp332' (line 331)
[1968, 2008) 'ref.tmp397' (line 350)
[2048, 2088) 'e' (line 374)
[2128, 2140) 'data' (line 392)
[2160, 2176) 'ref.tmp524' (line 395)
[2192, 2208) 'ref.tmp525' (line 395)
[2224, 2232) 'ref.tmp527' (line 395)
[2256, 2264) 'ref.tmp535' (line 395)
[2288, 2296) 'ref.tmp541' (line 395)
[2320, 2360) 'e563' (line 404)
[2400, 2440) 'ref.tmp606' (line 419)
[2480, 2512) 'ref.tmp607' (line 419)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope /home/suziqi/模糊测试/libheif_fuzz/libheif/libheif/image-items/grid.cc:498:51 in ImageItem_Grid::decode_and_paste_tile_image(unsigned int, unsigned int, unsigned int, std::shared_ptr<HeifPixelImage>&, heif_decoding_options const&, int&) const
Shadow bytes around the buggy address:
0x10005f6b6e80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
0x10005f6b6e90: f8 f2 f2 f2 f2 f2 f2 f2 f2 f2 f8 f8 f8 f8 f8 f2
0x10005f6b6ea0: f2 f2 f2 f2 f8 f8 f8 f8 f2 f2 f2 f2 00 00 00 00
0x10005f6b6eb0: 00 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00
0x10005f6b6ec0: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 f2 f2
=>0x10005f6b6ed0: f2 f2[f8]f2 f8 f8 f2 f2 f8 f8 f8 f8 f8 f2 f2 f2
0x10005f6b6ee0: f2 f2 f8 f8 f8 f8 f2 f2 f2 f2 f8 f8 f8 f8 f8 f2
0x10005f6b6ef0: f2 f2 f2 f2 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f8 f8
0x10005f6b6f00: f8 f8 f8 f2 f2 f2 f2 f2 f8 f8 f8 f8 f2 f2 f2 f2
0x10005f6b6f10: f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f8 f8 f8 f8 f2 f2
0x10005f6b6f20: f2 f2 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f8 f8 f8 f8
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Thread T2 created by T0 here:
==3856201==WARNING: Symbolizer buffer too small
#0 0x5c2db29846cc in __interceptor_pthread_create (/home/suziqi/模糊测试/libheif_fuzz/libheif/build_asan/examples/heif-dec+0x11c6cc) (BuildId: 2ba3f611049db29037a630c6e35eb57dc691da79)
#1 0x74c962cdc328 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (/lib/x86_64-linux-gnu/libstdc++.so.6+0xdc328) (BuildId: e72c155b714bc42a767ec9c0dd94589110e5b42f)
#2 0x5c2db2af1dad in std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<Error (ImageItem_Grid::*)(unsigned int, unsigned int, unsigned int, std::shared_ptr<HeifPixelImage>&, heif_decoding_options const&, int&) const, ImageItem_Grid const*, unsigned int, unsigned int, unsigned int, std::reference_wrapper<std::shared_ptr<HeifPixelImage> >, heif_decoding_options, std::reference_wrapper<int> > >, Error>::_Async_state_impl<Error (ImageItem_Grid::*)(unsigned int, unsigned int, unsigned int, std::shared_ptr<HeifPixelImage>&, heif_decoding_options const&, int&) const, ImageItem_Grid const*, unsigned int&, unsigned int&, unsigned int&, std::reference_wrapper<std::shared_ptr<HeifPixelImage> >, heif_decoding_options const&, std::reference_wrapper<int> >(Error (ImageItem_Grid::*&&)(unsigned int, unsigned int, unsigned int, std::shared_ptr<HeifPixelImage>&, heif_decoding_options const&, int&) const, ImageItem_Grid const*&&, unsigned int&, unsigned int&, unsigned int&, std::reference_wrapper<std::shared_ptr<HeifPixelImage> >&&, heif_decoding_options const&, std::reference_wrapper<int>&&) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/future:1730:16
#3 0x5c2db2ad5b28 (/home/suziqi/模糊测试/libheif_fuzz/libheif/build_asan/examples/heif-dec+0x26db28) (BuildId: 2ba3f611049db29037a630c6e35eb57dc691da79)
#4 0x5c2db2ace573 in reference_wrapper<std::shared_ptr<HeifPixelImage> >, heif_decoding_options, std::reference_wrapper<int> > >, Error> > std::make_shared<std::__future_base::_Async_state_impl<std::thread::_Invoker<std::tuple<Error (ImageItem_Grid::*)(unsigned int, unsigned int, unsigned int, std::shared_ptr<HeifPixelImage>&, heif_decoding_options const&, int&) const, ImageItem_Grid const*, unsigned int, unsigned int, unsigned int, std::reference_wrapper<std::shared_ptr<HeifPixelImage> >, heif_decoding_options, std::reference_wrapper<int> > >, Error>, Error (ImageItem_Grid::*)(unsigned int, unsigned int, unsigned int, std::shared_ptr<HeifPixelImage>&, heif_decoding_options const&, int&) const, ImageItem_Grid const*, unsigned int&, unsigned int&, unsigned int&, std::reference_wrapper<std::shared_ptr<HeifPixelImage> >, heif_decoding_options const&, std::reference_wrapper<int> >(Error (ImageItem_Grid::*&&)(unsigned int, unsigned int, unsigned int, std::shared_ptr<HeifPixelImage>&, heif_decoding_options const&, int&) const, ImageItem_Grid const*&&, unsigned int&, unsigned int&, unsigned int&, std::reference_wrapper<std::shared_ptr<HeifPixelImage> >&&, heif_decoding_options const&, std::reference_wrapper<int>&&) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/shared_ptr.h:878:14
#5 0x5c2db2ace573 in std::future<std::__invoke_result<std::decay<Error (ImageItem_Grid::*)(unsigned int, unsigned int, unsigned int, std::shared_ptr<HeifPixelImage>&, heif_decoding_options const&, int&) const>::type, std::decay<ImageItem_Grid const*>::type, std::decay<unsigned int&>::type, std::decay<unsigned int&>::type, std::decay<unsigned int&>::type, std::decay<std::reference_wrapper<std::shared_ptr<HeifPixelImage> > >::type, std::decay<heif_decoding_options const&>::type, std::decay<std::reference_wrapper<int> >::type>::type> std::async<Error (ImageItem_Grid::*)(unsigned int, unsigned int, unsigned int, std::shared_ptr<HeifPixelImage>&, heif_decoding_options const&, int&) const, ImageItem_Grid const*, unsigned int&, unsigned int&, unsigned int&, std::reference_wrapper<std::shared_ptr<HeifPixelImage> >, heif_decoding_options const&, std::reference_wrapper<int> >(std::launch, Error (ImageItem_Grid::*&&)(unsigned int, unsigned int, unsigned int, std::shared_ptr<HeifPixelImage>&, heif_decoding_options const&, int&) const, ImageItem_Grid const*&&, unsigned int&, unsigned int&, unsigned int&, std::reference_wrapper<std::shared_ptr<HeifPixelImage> >&&, heif_decoding_options const&, std::reference_wrapper<int>&&) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/future:1779:18
#6 0x5c2db2ac80fe in ImageItem_Grid::decode_full_grid_image(heif_decoding_options const&) const /home/suziqi/模糊测试/libheif_fuzz/libheif/libheif/image-items/grid.cc:395:22
#7 0x5c2db2aa09ae in ImageItem::decode_image(heif_decoding_options const&, bool, unsigned int, unsigned int) const /home/suziqi/模糊测试/libheif_fuzz/libheif/libheif/image-items/image_item.cc:705:60
#8 0x5c2db2ddd763 in HeifContext::decode_image(unsigned int, heif_colorspace, heif_chroma, heif_decoding_options const&, bool, unsigned int, unsigned int) const /home/suziqi/模糊测试/libheif_fuzz/libheif/libheif/context.cc:1290:34
#9 0x5c2db2a60ac3 in heif_decode_image /home/suziqi/模糊测试/libheif_fuzz/libheif/libheif/api/libheif/heif_decoding.cc:236:81
#10 0x5c2db29d9d76 in decode_single_image(heif_image_handle*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, heif_decoding_options*, std::unique_ptr<Encoder, std::default_delete<Encoder> >&) /home/suziqi/模糊测试/libheif_fuzz/libheif/examples/heif_dec.cc:241:9
#11 0x5c2db29e983c in main /home/suziqi/模糊测试/libheif_fuzz/libheif/examples/heif_dec.cc:1026:13
#12 0x74c962829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
==3856201==ABORTING
POC
https://github.com/minasrmy/poc/blob/main/poc-stack-use-after-scope.heic