pkuvcl / davs2

An open-source decoder of AVS2-P2/IEEE1857.4 video coding standard
GNU General Public License v2.0

Heap-buffer-overflow in vlc_read_alf_coeff() --> davs2/source/common/alf.cc:389 #31

Open arayzw opened 2 years ago

arayzw commented 2 years ago

Describe the bug

```c
static void vlc_read_alf_coeff(davs2_bs_t *bs, alf_param_t *alf_param)
{
    const int numCoeff = ALF_MAX_NUM_COEF;
    int f, symbol, pre_symbole;
    int pos;

    switch (alf_param->componentID) {
    case IMG_U:
    case IMG_V:
        for (pos = 0; pos < numCoeff; pos++) {
            alf_param->coeffmulti[0][pos] = se_v(bs, "Chroma ALF coefficients");
        }
        break;
    case IMG_Y:
        // filter count comes straight from the bitstream and is never bounded
        alf_param->filters_per_group = ue_v(bs, "ALF filter number");
        alf_param->filters_per_group = alf_param->filters_per_group + 1;

        memset(alf_param->filterPattern, 0, ALF_NUM_VARS * sizeof(int));
        pre_symbole = 0;
        symbol = 0;
        for (f = 0; f < alf_param->filters_per_group; f++) {
            if (f > 0) {
                if (alf_param->filters_per_group != 16) {
                    symbol = ue_v(bs, "Region distance");
                } else {
                    symbol = 1;
                }
                alf_param->filterPattern[symbol + pre_symbole] = 1;
                pre_symbole += symbol;
            }

            for (pos = 0; pos < numCoeff; pos++) {
                // f can exceed the number of rows in coeffmulti
                alf_param->coeffmulti[f][pos] = se_v(bs, "Luma ALF coefficients");      //   <------  out of bounds here
            }
        }
        break;
    }
}
```

To Reproduce

```sh
cd /path/to/davs2/build/linux/
./configure --enable-pic
vim config.mak   # add -fsanitize=address to CFLAGS, and -fsanitize=address -lasan to LDFLAGS
make
./davs2 -i /path/to/poc3 -o test.yuv
```

ASAN Crash log

```
=================================================================
==107031==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fb6ae012c3c at pc 0x5600c2dccb94 bp 0x7fffa1b502f0 sp 0x7fffa1b502e0
WRITE of size 4 at 0x7fb6ae012c3c thread T0
    #0 0x5600c2dccb93 in vlc_read_alf_coeff /home/arayz/arayz/work/davs2/source/common/alf.cc:389
    #1 0x5600c2dccb93 in davs2_alf_read_param /home/arayz/arayz/work/davs2/source/common/alf.cc:414
    #2 0x5600c2d3772b in parse_picture_header_intra /home/arayz/arayz/work/davs2/source/common/header.cc:484
    #3 0x5600c2d3772b in parse_picture_header /home/arayz/arayz/work/davs2/source/common/header.cc:705
    #4 0x5600c2d3772b in davs2_parse_header /home/arayz/arayz/work/davs2/source/common/header.cc:1519
    #5 0x5600c2d227e1 in decoder_decode_es_unit(davs2_mgr_t*, es_unit_t*) /home/arayz/arayz/work/davs2/source/common/davs2.cc:600
    #6 0x5600c2d22fd9 in davs2_decoder_send_packet /home/arayz/arayz/work/davs2/source/common/davs2.cc:676
    #7 0x5600c2d20698 in test_decoder /home/arayz/arayz/work/davs2/source/test/test.c:231
    #8 0x5600c2d217bc in main /home/arayz/arayz/work/davs2/source/test/test.c:329
    #9 0x7fb6c28e2082 in __libc_start_main ../csu/libc-start.c:308
    #10 0x5600c2d1c52d in _start (/home/arayz/arayz/work/davs2/build/linux/davs2+0xc52d)

0x7fb6ae012c3d is located 0 bytes to the right of 3028029-byte region [0x7fb6add2f800,0x7fb6ae012c3d)
allocated by thread T0 here:
    #0 0x7fb6c2f2c808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x5600c2d295e9 in davs2_malloc /home/arayz/arayz/work/davs2/source/common/common.h:1240
    #2 0x5600c2d295e9 in davs2_decoder_alloc_extra_buffer /home/arayz/arayz/work/davs2/source/common/decoder.cc:838
    #3 0x7fb6bfb4f3bf  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/arayz/arayz/work/davs2/source/common/alf.cc:389 in vlc_read_alf_coeff
Shadow bytes around the buggy address:
  0x0ff755bfa530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff755bfa540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff755bfa550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff755bfa560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff755bfa570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff755bfa580: 00 00 00 00 00 00 00[05]fa fa fa fa fa fa fa fa
  0x0ff755bfa590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff755bfa5a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff755bfa5b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff755bfa5c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff755bfa5d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==107031==ABORTING
```

Additional context

PoC: poc3.zip
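For comparison, a bounded version of the luma branch in the report above, written as an added example and not taken from davs2: both stream-controlled indices (the filter count and the region distance) are checked against the fixed array sizes before any write. It assumes `coeffmulti` has `ALF_NUM_VARS` (16) rows, `ALF_MAX_NUM_COEF` is 9, and it models the bitstream as an array of pre-decoded `ue_v()`/`se_v()` values so it runs offline.

```c
/* Added example, not davs2's own code: the luma branch of vlc_read_alf_coeff() with both
 * bitstream-controlled indices bounded.  Assumed: coeffmulti has ALF_NUM_VARS (16) rows,
 * ALF_MAX_NUM_COEF is 9, and the bitstream is modelled as pre-decoded ue_v()/se_v() values. */
#include <stddef.h>
#include <string.h>
#define ALF_NUM_VARS     16   /* assumed row count of coeffmulti and size of filterPattern */
#define ALF_MAX_NUM_COEF 9    /* assumed coefficients per filter */
typedef struct { const int *vals; size_t n, pos; } fake_bs_t;   /* constructed stand-in for davs2_bs_t */
typedef struct {
    int filters_per_group;
    int filterPattern[ALF_NUM_VARS];
    int coeffmulti[ALF_NUM_VARS][ALF_MAX_NUM_COEF];
} alf_luma_t;

/* Stand-in for ue_v()/se_v(): next pre-decoded value, -1 once the stream is exhausted. */
static int next_val(fake_bs_t *bs) { return bs->pos < bs->n ? bs->vals[bs->pos++] : -1; }

/* Returns 0 on success, -1 when the stream would index outside the fixed-size arrays. */
int read_luma_alf_coeff_checked(fake_bs_t *bs, alf_luma_t *p)
{
    int f, pos, symbol, pre_symbole = 0;
    int n = next_val(bs);                       /* "ALF filter number", filters_per_group - 1 */
    if (n < 0 || n >= ALF_NUM_VARS) return -1;  /* reject before any coeffmulti[f] write */
    p->filters_per_group = n + 1;
    memset(p->filterPattern, 0, sizeof(p->filterPattern));
    for (f = 0; f < p->filters_per_group; f++) {   /* f < ALF_NUM_VARS is now guaranteed */
        if (f > 0) {
            symbol = (p->filters_per_group != ALF_NUM_VARS) ? next_val(bs) : 1;
            /* "Region distance" also comes from the stream: bound the filterPattern index */
            if (symbol < 0 || symbol >= ALF_NUM_VARS - pre_symbole) return -1;
            p->filterPattern[symbol + pre_symbole] = 1;
            pre_symbole += symbol;
        }
        for (pos = 0; pos < ALF_MAX_NUM_COEF; pos++)
            p->coeffmulti[f][pos] = next_val(bs);
    }
    return 0;
}

/* Constructed sample streams (values as ue_v()/se_v() would return them). */
static const int valid_stream[] = { 1,            /* two filters */
    3, -2, 0, 5, 1, -1, 2, 0, 7,                  /* filter 0 coefficients */
    3, 4, 0, -3, 1, 1, 0, -2, 6, 2 };             /* region distance 3, then filter 1 coefficients */
static const int oversized_stream[] = { 40 };     /* claims 41 filters: the unchecked code would write row 16+ */
int demo(const int *vals, size_t n, alf_luma_t *out)
{
    fake_bs_t bs = { vals, n, 0 };
    return read_luma_alf_coeff_checked(&bs, out);
}
```

With the check in place a stream declaring more filters than `coeffmulti` has rows is rejected before the first coefficient write, which is the point at which the ASAN report above fires.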