./stbi_read_fuzzer crash-b5c38be210708912f90ca54b7df36b77270293d8
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 584159441
INFO: Loaded 1 modules (7125 inline 8-bit counters): 7125 [0x55595e4bbf60, 0x55595e4bdb35),
INFO: Loaded 1 PC tables (7125 PCs): 7125 [0x55595e4bdb38,0x55595e4d9888),
./stbi_read_fuzzer: Running 1 inputs 1 time(s) each.
Running: crash-b5c38be210708912f90ca54b7df36b77270293d8
=================================================================
==153998==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000001a4 at pc 0x55595e407f56 bp 0x7ffdb14103f0 sp 0x7ffdb14103e8
READ of size 2 at 0x6030000001a4 thread T0
#0 0x55595e407f55 in stbi__convert_16_to_8(unsigned short*, int, int, int) stbi_read_fuzzer.c
#1 0x55595e4005af in stbi__load_and_postprocess_8bit(stbi__context*, int*, int*, int*, int) stbi_read_fuzzer.c
#2 0x55595e4073b9 in LLVMFuzzerTestOneInput (/home/migraine/下载/stb/tests/out/stbi_read_fuzzer+0x1713b9) (BuildId: 662d86c2fe17b51b5b8960ad24d6485a066f1fd7)
#3 0x55595e3263b3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/migraine/下载/stb/tests/out/stbi_read_fuzzer+0x903b3) (BuildId: 662d86c2fe17b51b5b8960ad24d6485a066f1fd7)
#4 0x55595e31012f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/migraine/下载/stb/tests/out/stbi_read_fuzzer+0x7a12f) (BuildId: 662d86c2fe17b51b5b8960ad24d6485a066f1fd7)
#5 0x55595e315e86 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/migraine/下载/stb/tests/out/stbi_read_fuzzer+0x7fe86) (BuildId: 662d86c2fe17b51b5b8960ad24d6485a066f1fd7)
#6 0x55595e33fca2 in main (/home/migraine/下载/stb/tests/out/stbi_read_fuzzer+0xa9ca2) (BuildId: 662d86c2fe17b51b5b8960ad24d6485a066f1fd7)
#7 0x7f619b8dcd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#8 0x7f619b8dce3f in __libc_start_main csu/../csu/libc-start.c:392:3
#9 0x55595e30a9f4 in _start (/home/migraine/下载/stb/tests/out/stbi_read_fuzzer+0x749f4) (BuildId: 662d86c2fe17b51b5b8960ad24d6485a066f1fd7)
0x6030000001a4 is located 0 bytes to the right of 20-byte region [0x603000000190,0x6030000001a4)
allocated by thread T0 here:
#0 0x55595e3c2a2e in malloc (/home/migraine/下载/stb/tests/out/stbi_read_fuzzer+0x12ca2e) (BuildId: 662d86c2fe17b51b5b8960ad24d6485a066f1fd7)
#1 0x55595e419416 in stbi__convert_format(unsigned char*, int, int, unsigned int, unsigned int) stbi_read_fuzzer.c
#2 0x55595e40ebd4 in stbi__pnm_load(stbi__context*, int*, int*, int*, int, stbi__result_info*) stbi_read_fuzzer.c
#3 0x55595e407ae0 in stbi__load_main(stbi__context*, int*, int*, int*, int, stbi__result_info*, int) stbi_read_fuzzer.c
#4 0x55595e40046a in stbi__load_and_postprocess_8bit(stbi__context*, int*, int*, int*, int) stbi_read_fuzzer.c
#5 0x55595e4073b9 in LLVMFuzzerTestOneInput (/home/migraine/下载/stb/tests/out/stbi_read_fuzzer+0x1713b9) (BuildId: 662d86c2fe17b51b5b8960ad24d6485a066f1fd7)
#6 0x55595e3263b3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/migraine/下载/stb/tests/out/stbi_read_fuzzer+0x903b3) (BuildId: 662d86c2fe17b51b5b8960ad24d6485a066f1fd7)
#7 0x55595e31012f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/migraine/下载/stb/tests/out/stbi_read_fuzzer+0x7a12f) (BuildId: 662d86c2fe17b51b5b8960ad24d6485a066f1fd7)
#8 0x55595e315e86 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/migraine/下载/stb/tests/out/stbi_read_fuzzer+0x7fe86) (BuildId: 662d86c2fe17b51b5b8960ad24d6485a066f1fd7)
#9 0x55595e33fca2 in main (/home/migraine/下载/stb/tests/out/stbi_read_fuzzer+0xa9ca2) (BuildId: 662d86c2fe17b51b5b8960ad24d6485a066f1fd7)
#10 0x7f619b8dcd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: heap-buffer-overflow stbi_read_fuzzer.c in stbi__convert_16_to_8(unsigned short*, int, int, int)
==153998==ABORTING
How to Crash
Command
$ git clone https://github.com/nothings/stb.git && cd stb/tests
$ mkdir -p out
$ clang++ -O1 -fsanitize=fuzzer -fsanitize=address -fsanitize=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unreachable,vla-bound,vptr -std=c++11 stbi_read_fuzzer.c -o out/stbi_read_fuzzer
$ ./out/stbi_read_fuzzer poc
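The trace above shows a 20-byte region allocated on the 8-bit path (stbi__convert_format, unsigned char*) being read two bytes at a time in stbi__convert_16_to_8, that is, a buffer sized for 8-bit samples consumed as 16-bit ones. As an added illustration (not stb_image code, and only my reading of the trace rather than the maintainers' diagnosis), here is a size-checked 16-to-8 conversion that refuses such a mismatch instead of reading past the end; image_bytes and convert_16_to_8_checked are hypothetical names, and the 5x1 RGBA input is constructed to give the same 20-byte 8-bit size.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Bytes needed to hold a w*h*comp image at bits_per_channel (8 or 16).
   Returns 0 on bad arguments or size_t overflow. */
static size_t image_bytes(int w, int h, int comp, int bits_per_channel) {
    if (w <= 0 || h <= 0 || comp <= 0) return 0;
    if (bits_per_channel != 8 && bits_per_channel != 16) return 0;
    size_t per_sample = (size_t)bits_per_channel / 8;
    size_t n = (size_t)w;
    if (n > SIZE_MAX / (size_t)h) return 0;
    n *= (size_t)h;
    if (n > SIZE_MAX / (size_t)comp) return 0;
    n *= (size_t)comp;
    if (n > SIZE_MAX / per_sample) return 0;
    return n * per_sample;
}

/* 16->8 conversion (keep the high byte, as stb_image does) that refuses to run
   unless src really holds w*h*comp 16-bit samples and dst has room for the result.
   Returns bytes written, or 0 when a size does not match. */
static size_t convert_16_to_8_checked(const uint16_t *src, size_t src_bytes,
                                      int w, int h, int comp,
                                      uint8_t *dst, size_t dst_bytes) {
    size_t need_src = image_bytes(w, h, comp, 16);
    size_t need_dst = image_bytes(w, h, comp, 8);
    if (need_src == 0 || src_bytes < need_src || dst_bytes < need_dst) return 0;
    for (size_t i = 0; i < need_dst; i++) dst[i] = (uint8_t)(src[i] >> 8);
    return need_dst;
}

int main(void) {
    /* Constructed input: a 5x1 RGBA image. Sized for 8-bit samples it is 20 bytes,
       the same size as the region in the ASan report; read as 16-bit it needs 40. */
    uint16_t eight_bit_sized[10] = {0};   /* 20 bytes, too small for 16-bit data */
    uint16_t sixteen_bit[20];             /* 40 bytes, correct for 16-bit data */
    uint8_t out[20];
    for (int i = 0; i < 20; i++) sixteen_bit[i] = (uint16_t)(i * 0x1111);
    size_t n = convert_16_to_8_checked(eight_bit_sized, sizeof eight_bit_sized, 5, 1, 4, out, sizeof out);
    printf("20-byte source: %s\n", n ? "converted" : "rejected (would read past the end)");
    n = convert_16_to_8_checked(sixteen_bit, sizeof sixteen_bit, 5, 1, 4, out, sizeof out);
    printf("40-byte source: %zu bytes written, out[1]=0x%02x out[15]=0x%02x\n", n, out[1], out[15]);
    return 0;
}
```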
Thanks for the report! The issue appears to be a duplicate of #1166, now fixed in the dev branch (your PoC works on current master but is fixed in dev). Fix will be in the next release.
Crash Info
PoC: in the attachment stb1-poc.zip.