nothings / stb

stb single-file public domain libraries for C/C++
https://twitter.com/nothings

A heap overflow vulnerability exists in the function stbi__convert_16_to_8 in stb #1437

Closed migraine-sudo closed 1 year ago

migraine-sudo commented 1 year ago

Crash Info

 ./stbi_read_fuzzer crash-b5c38be210708912f90ca54b7df36b77270293d8 
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 584159441
INFO: Loaded 1 modules   (7125 inline 8-bit counters): 7125 [0x55595e4bbf60, 0x55595e4bdb35), 
INFO: Loaded 1 PC tables (7125 PCs): 7125 [0x55595e4bdb38,0x55595e4d9888), 
./stbi_read_fuzzer: Running 1 inputs 1 time(s) each.
Running: crash-b5c38be210708912f90ca54b7df36b77270293d8
=================================================================
==153998==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000001a4 at pc 0x55595e407f56 bp 0x7ffdb14103f0 sp 0x7ffdb14103e8
READ of size 2 at 0x6030000001a4 thread T0
    #0 0x55595e407f55 in stbi__convert_16_to_8(unsigned short*, int, int, int) stbi_read_fuzzer.c
    #1 0x55595e4005af in stbi__load_and_postprocess_8bit(stbi__context*, int*, int*, int*, int) stbi_read_fuzzer.c
    #2 0x55595e4073b9 in LLVMFuzzerTestOneInput (/home/migraine/下载/stb/tests/out/stbi_read_fuzzer+0x1713b9) (BuildId: 662d86c2fe17b51b5b8960ad24d6485a066f1fd7)
    #3 0x55595e3263b3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/migraine/下载/stb/tests/out/stbi_read_fuzzer+0x903b3) (BuildId: 662d86c2fe17b51b5b8960ad24d6485a066f1fd7)
    #4 0x55595e31012f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/migraine/下载/stb/tests/out/stbi_read_fuzzer+0x7a12f) (BuildId: 662d86c2fe17b51b5b8960ad24d6485a066f1fd7)
    #5 0x55595e315e86 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/migraine/下载/stb/tests/out/stbi_read_fuzzer+0x7fe86) (BuildId: 662d86c2fe17b51b5b8960ad24d6485a066f1fd7)
    #6 0x55595e33fca2 in main (/home/migraine/下载/stb/tests/out/stbi_read_fuzzer+0xa9ca2) (BuildId: 662d86c2fe17b51b5b8960ad24d6485a066f1fd7)
    #7 0x7f619b8dcd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #8 0x7f619b8dce3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #9 0x55595e30a9f4 in _start (/home/migraine/下载/stb/tests/out/stbi_read_fuzzer+0x749f4) (BuildId: 662d86c2fe17b51b5b8960ad24d6485a066f1fd7)

0x6030000001a4 is located 0 bytes to the right of 20-byte region [0x603000000190,0x6030000001a4)
allocated by thread T0 here:
    #0 0x55595e3c2a2e in malloc (/home/migraine/下载/stb/tests/out/stbi_read_fuzzer+0x12ca2e) (BuildId: 662d86c2fe17b51b5b8960ad24d6485a066f1fd7)
    #1 0x55595e419416 in stbi__convert_format(unsigned char*, int, int, unsigned int, unsigned int) stbi_read_fuzzer.c
    #2 0x55595e40ebd4 in stbi__pnm_load(stbi__context*, int*, int*, int*, int, stbi__result_info*) stbi_read_fuzzer.c
    #3 0x55595e407ae0 in stbi__load_main(stbi__context*, int*, int*, int*, int, stbi__result_info*, int) stbi_read_fuzzer.c
    #4 0x55595e40046a in stbi__load_and_postprocess_8bit(stbi__context*, int*, int*, int*, int) stbi_read_fuzzer.c
    #5 0x55595e4073b9 in LLVMFuzzerTestOneInput (/home/migraine/下载/stb/tests/out/stbi_read_fuzzer+0x1713b9) (BuildId: 662d86c2fe17b51b5b8960ad24d6485a066f1fd7)
    #6 0x55595e3263b3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/migraine/下载/stb/tests/out/stbi_read_fuzzer+0x903b3) (BuildId: 662d86c2fe17b51b5b8960ad24d6485a066f1fd7)
    #7 0x55595e31012f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/migraine/下载/stb/tests/out/stbi_read_fuzzer+0x7a12f) (BuildId: 662d86c2fe17b51b5b8960ad24d6485a066f1fd7)
    #8 0x55595e315e86 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/migraine/下载/stb/tests/out/stbi_read_fuzzer+0x7fe86) (BuildId: 662d86c2fe17b51b5b8960ad24d6485a066f1fd7)
    #9 0x55595e33fca2 in main (/home/migraine/下载/stb/tests/out/stbi_read_fuzzer+0xa9ca2) (BuildId: 662d86c2fe17b51b5b8960ad24d6485a066f1fd7)
    #10 0x7f619b8dcd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow stbi_read_fuzzer.c in stbi__convert_16_to_8(unsigned short*, int, int, int)
Shadow bytes around the buggy address:
  0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff8000: fa fa 00 00 00 fa fa fa 00 00 03 fa fa fa 00 00
  0x0c067fff8010: 03 fa fa fa 00 00 00 00 fa fa 00 00 03 fa fa fa
  0x0c067fff8020: 00 00 00 fa fa fa 00 00 00 00 fa fa 00 00 00 00
=>0x0c067fff8030: fa fa 00 00[04]fa fa fa 00 00 04 fa fa fa fa fa
  0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==153998==ABORTING

How to Crash

Command

$ git clone https://github.com/nothings/stb.git && cd stb/tests
$ mkdir -p out   # the fuzzer binary is written to tests/out/, matching the paths in the trace above
$ clang++ -O1 -fsanitize=fuzzer -fsanitize=address -fsanitize=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unreachable,vla-bound,vptr -std=c++11 stbi_read_fuzzer.c  -o out/stbi_read_fuzzer
$ ./out/stbi_read_fuzzer poc

The PoC is in the attachment stb1-poc.zip.

rygorous commented 1 year ago

Thanks for the report! The issue appears to be a duplicate of #1166, now fixed in the dev branch (your PoC works on current master but is fixed in dev). Fix will be in the next release.
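The ASan report above shows the two halves of the bug: the buffer is allocated by stbi__convert_format at 8-bit width (w*h*comp bytes, 20 in the PoC) but then consumed by stbi__convert_16_to_8 as if it held 16-bit samples, so the read runs 2 bytes past the 20-byte region. The following standalone C program is an added illustration of that mismatch and of the check that rejects it; it is not code from stb, from the reporter, or from the dev-branch fix (which lives in the loader and is not reproduced here). The decoded_image struct, the function names and the 5x1 RGBA dimensions are assumptions made for the example; the PoC's real dimensions are not in the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* A decoded image as a loader hands it to the 8-bit post-processing step.
 * `bits` is the sample width the loader claims; `nbytes` is the real size of
 * the allocation. In the crash above the two disagree: the buffer came from
 * stbi__convert_format (w*h*comp bytes) but was reported as 16 bits/channel,
 * so the 16-to-8 pass read 2*w*h*comp bytes from a w*h*comp-byte region. */
typedef struct {
    void  *data;
    size_t nbytes;        /* actual allocation size in bytes */
    int    w, h, comp;
    int    bits;          /* 8 or 16, as reported by the loader */
} decoded_image;

/* Same shape as the conversion that crashed: trusts the caller that `orig`
 * holds w*h*comp 16-bit samples. If the buffer really holds w*h*comp bytes,
 * the loop reads past its end (ASan: READ of size 2 just past the region). */
static unsigned char *convert_16_to_8_unchecked(const uint16_t *orig, int w, int h, int comp)
{
    size_t img_len = (size_t)w * (size_t)h * (size_t)comp;
    unsigned char *out = malloc(img_len);
    if (!out) return NULL;
    for (size_t i = 0; i < img_len; ++i)
        out[i] = (unsigned char)(orig[i] >> 8);   /* keep the high byte */
    return out;
}

/* Hardened form: convert only when the allocation is provably large enough for
 * the claimed sample width. Returns NULL for a mislabelled buffer (or 8-bit
 * input, which needs no conversion). */
static unsigned char *convert_16_to_8_checked(const decoded_image *img)
{
    if (img->bits != 16 || img->w <= 0 || img->h <= 0 || img->comp <= 0 || img->comp > 4)
        return NULL;
    size_t samples = (size_t)img->w * (size_t)img->h * (size_t)img->comp;
    if (samples > SIZE_MAX / 2 || img->nbytes < samples * 2)
        return NULL;   /* loader lied about the width: converting would overread */
    return convert_16_to_8_unchecked((const uint16_t *)img->data, img->w, img->h, img->comp);
}

/* Constructed input matching the report's 20-byte region: an 8-bit 5x1 RGBA
 * buffer labelled as 16-bit. (5x1x4 is an assumption; the PoC's real
 * dimensions are not in the report.) */
static decoded_image make_mislabelled_8bit(void)
{
    decoded_image img = {0};
    img.w = 5; img.h = 1; img.comp = 4; img.bits = 16;
    img.nbytes = (size_t)img.w * img.h * img.comp;      /* 20 bytes, not 40 */
    img.data = calloc(img.nbytes, 1);
    return img;
}

/* Constructed genuine 16-bit image of the same dimensions: 40 bytes, every
 * sample 0x12xx so the converted bytes are all 0x12. */
static decoded_image make_real_16bit(void)
{
    decoded_image img = {0};
    img.w = 5; img.h = 1; img.comp = 4; img.bits = 16;
    size_t samples = (size_t)img.w * img.h * img.comp;
    uint16_t *p = malloc(samples * sizeof *p);
    for (size_t i = 0; p && i < samples; ++i)
        p[i] = (uint16_t)(0x1200 + i);
    img.data = p;
    img.nbytes = samples * sizeof *p;
    return img;
}

/* Returns 1 if the checked conversion rejects the mislabelled buffer. */
int mislabelled_buffer_rejected(void)
{
    decoded_image img = make_mislabelled_8bit();
    unsigned char *out = convert_16_to_8_checked(&img);
    int rejected = (out == NULL);
    free(out);
    free(img.data);
    return rejected;
}

/* Returns the last converted byte of the genuine 16-bit image, or -1. */
int real_16bit_last_byte(void)
{
    decoded_image img = make_real_16bit();
    unsigned char *out = convert_16_to_8_checked(&img);
    int v = out ? out[(size_t)img.w * img.h * img.comp - 1] : -1;
    free(out);
    free(img.data);
    return v;
}

int main(void)
{
    printf("mislabelled 8-bit buffer rejected: %d\n", mislabelled_buffer_rejected());
    printf("real 16-bit buffer last byte: 0x%02x\n", real_16bit_last_byte());
    return 0;
}
```

The point of the checked variant is that the post-processing step never trusts bits_per_channel alone: the allocation size travels with the buffer and is compared against w*h*comp*2 (with an overflow guard) before any 16-bit read. Run under ASan, the unchecked path on the mislabelled buffer reproduces the same class of report as the trace above, which is why the example never calls it on that input.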