nothings / stb

stb single-file public domain libraries for C/C++
https://twitter.com/nothings

heap-buffer-overflow on stbi_load with bad req_comp when DISABLE ASSERT (-DNDEBUG) #1516

Open frokaikan opened 10 months ago

frokaikan commented 10 months ago

Describe the bug

stbi_load (or, more precisely, stbi__tga_load) should return immediately with a bad req_comp, but it leads to a heap-buffer-overflow.

To Reproduce

Here is the code:

#define STB_IMAGE_IMPLEMENTATION
#include "stb_image.h"
#include <stdio.h>

int main (int argc, char** argv) {
    int outx, outy, comp;
    if (argc < 2) { fprintf(stderr, "usage: %s <image file>\n", argv[0]); return 1; }
    // req_comp is only valid in 0..4; 11 is the bad value that triggers the report
    unsigned char *data = stbi_load(argv[1], &outx, &outy, &comp, 11); // bad req_comp
    stbi_image_free(data); // safe on NULL, which is what a rejected req_comp should yield
    return 0;
}

and here is the input file: testData.txt

Expected behavior

Compile with AddressSanitizer (-fsanitize=address) and disable assert (-DNDEBUG). stbi_load should return with an error code, and the function should return directly. But AddressSanitizer reports this:

=================================================================
==1420547==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f1cf72fee16 at pc 0x56410d36086e bp 0x7ffee63fd100 sp 0x7ffee63fd0f8
READ of size 1 at 0x7f1cf72fee16 thread T0
    #0 0x56410d36086d in stbi__convert_format(unsigned char*, int, int, unsigned int, unsigned int) stb/TDDSuite_build/../stb_image.h:1780:52
    #1 0x56410d35aee4 in stbi__tga_load(stbi__context*, int*, int*, int*, int, stbi__result_info*) stb/TDDSuite_build/../stb_image.h:6064:18
    #2 0x56410d34f571 in stbi__load_main(stbi__context*, int*, int*, int*, int, stbi__result_info*, int) stb/TDDSuite_build/../stb_image.h:1182:14
    #3 0x56410d3485c7 in stbi__load_and_postprocess_8bit(stbi__context*, int*, int*, int*, int) stb/TDDSuite_build/../stb_image.h:1261:19
    #4 0x56410d3482e0 in stbi_load_from_file stb/TDDSuite_build/../stb_image.h:1379:13
    #5 0x56410d348097 in stbi_load stb/TDDSuite_build/../stb_image.h:1369:13
    #6 0x56410d34ee9a in main stb/TDDSuite_build/test.cc:6:5
    #7 0x7f1cf79da082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #8 0x56410d28543d in _start (stb/TDDSuite_build/test.exe+0x2343d)

0x7f1cf72fee16 is located 0 bytes to the right of 255510-byte region [0x7f1cf72c0800,0x7f1cf72fee16)
allocated by thread T0 here:
    #0 0x56410d30a10e in malloc /home/frokaikan/Desktop/workspace/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x56410d34cb46 in stbi__malloc(unsigned long) stb/TDDSuite_build/../stb_image.h:985:12
    #2 0x56410d36baf4 in stbi__malloc_mad3(int, int, int, int) stb/TDDSuite_build/../stb_image.h:1056:11
    #3 0x56410d359f35 in stbi__tga_load(stbi__context*, int*, int*, int*, int, stbi__result_info*) stb/TDDSuite_build/../stb_image.h:5926:31
    #4 0x56410d34f571 in stbi__load_main(stbi__context*, int*, int*, int*, int, stbi__result_info*, int) stb/TDDSuite_build/../stb_image.h:1182:14
    #5 0x56410d3485c7 in stbi__load_and_postprocess_8bit(stbi__context*, int*, int*, int*, int) stb/TDDSuite_build/../stb_image.h:1261:19
    #6 0x56410d3482e0 in stbi_load_from_file stb/TDDSuite_build/../stb_image.h:1379:13
    #7 0x56410d348097 in stbi_load stb/TDDSuite_build/../stb_image.h:1369:13
    #8 0x56410d34ee9a in main stb/TDDSuite_build/test.cc:6:5
    #9 0x7f1cf79da082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

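A call-site guard for this class of bug, added here as an example and not code from the issue or from stb: stbi_load documents req_comp as 0 (keep the file's channel count) or 1..4, and any other value is only caught by STBI_ASSERT inside the library, which -DNDEBUG compiles out. The wrapper below rejects an out-of-range req_comp before any image data is touched. The loader is passed as a function pointer (same signature as stbi_load) so the file builds without stb_image.h; the fake loader, its call counter, the helper names and the reuse of "testData.txt" as a placeholder path are all constructed for this example.

```c
/* Added example, not from the issue or from stb: validate req_comp at the
 * call site so an invalid value never reaches the decoder.  stbi_load
 * accepts req_comp 0 (file's own channel count) or 1..4; with -DNDEBUG the
 * library's STBI_ASSERT range check is compiled out, so the caller has to
 * enforce it.  A function pointer with stbi_load's signature stands in for
 * stbi_load so this builds without stb_image.h (assumption for the demo). */
#include <stdio.h>
#include <stdlib.h>

/* Same signature as stbi_load(). */
typedef unsigned char *(*image_loader_fn)(const char *filename,
                                          int *x, int *y, int *comp,
                                          int req_comp);

/* 1 when req_comp is a value stbi_load accepts, 0 otherwise. */
int req_comp_is_valid(int req_comp)
{
    return req_comp >= 0 && req_comp <= 4;
}

/* Refuses an invalid req_comp before the loader runs.  On rejection it
 * returns NULL, zeroes the output dimensions and never calls the loader,
 * so no allocation or format conversion happens with the bad value. */
unsigned char *load_image_checked(image_loader_fn loader, const char *filename,
                                  int *x, int *y, int *comp, int req_comp)
{
    if (!loader || !filename || !x || !y || !comp)
        return NULL;
    *x = 0; *y = 0; *comp = 0;
    if (!req_comp_is_valid(req_comp)) {
        fprintf(stderr, "load_image_checked: req_comp=%d outside 0..4, refusing\n",
                req_comp);
        return NULL;
    }
    return loader(filename, x, y, comp, req_comp);
}

/* --- Constructed stand-in loader (not stb code) used by the self-check --- */
static int fake_loader_calls = 0;

static unsigned char *fake_loader(const char *filename, int *x, int *y,
                                  int *comp, int req_comp)
{
    (void)filename;            /* no file is read; this only records the call */
    fake_loader_calls++;
    *x = 2; *y = 2; *comp = 3; /* pretend: 2x2 image, 3 channels in the file */
    int n = req_comp ? req_comp : 3;
    return malloc((size_t)(2 * 2 * n));
}

int fake_loader_call_count(void) { return fake_loader_calls; }

/* Self-check: 1 if req_comp=11 is rejected without the loader being called
 * and req_comp=3 reaches the loader exactly once; 0 otherwise. */
int demo_guard_works(void)
{
    int x, y, comp;
    int before = fake_loader_calls;
    if (load_image_checked(fake_loader, "testData.txt", &x, &y, &comp, 11) != NULL)
        return 0;
    if (fake_loader_calls != before)
        return 0;
    unsigned char *img = load_image_checked(fake_loader, "testData.txt", &x, &y, &comp, 3);
    if (img == NULL || fake_loader_calls != before + 1 || comp != 3)
        return 0;
    free(img);
    return 1;
}

int main(void)
{
    printf("guard %s\n", demo_guard_works() ? "works" : "FAILED");
    return 0;
}
```

In real code pass stbi_load itself as the loader. The same guard belongs in any wrapper that exposes req_comp to untrusted input, since the crash here is a read past the decoded buffer in stbi__convert_format, not an error return. Separately, stb_image.h lets a project define STBI_ASSERT before including it; pointing it at a check that is not removed by NDEBUG keeps the library's own range checks active in release builds.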