cd /path/to/davs2/build/linux/
./configure --enable-pic
vim config.mak (add -fsanitize=address to CFLAGS, and -fsanitize=address -lasan to LDFLAGS)
make
./davs2 -i /path/to/poc3 -o test.yuv
ASAN Crash log
=================================================================
==107031==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fb6ae012c3c at pc 0x5600c2dccb94 bp 0x7fffa1b502f0 sp 0x7fffa1b502e0
WRITE of size 4 at 0x7fb6ae012c3c thread T0
#0 0x5600c2dccb93 in vlc_read_alf_coeff /home/arayz/arayz/work/davs2/source/common/alf.cc:389
#1 0x5600c2dccb93 in davs2_alf_read_param /home/arayz/arayz/work/davs2/source/common/alf.cc:414
#2 0x5600c2d3772b in parse_picture_header_intra /home/arayz/arayz/work/davs2/source/common/header.cc:484
#3 0x5600c2d3772b in parse_picture_header /home/arayz/arayz/work/davs2/source/common/header.cc:705
#4 0x5600c2d3772b in davs2_parse_header /home/arayz/arayz/work/davs2/source/common/header.cc:1519
#5 0x5600c2d227e1 in decoder_decode_es_unit(davs2_mgr_t*, es_unit_t*) /home/arayz/arayz/work/davs2/source/common/davs2.cc:600
#6 0x5600c2d22fd9 in davs2_decoder_send_packet /home/arayz/arayz/work/davs2/source/common/davs2.cc:676
#7 0x5600c2d20698 in test_decoder /home/arayz/arayz/work/davs2/source/test/test.c:231
#8 0x5600c2d217bc in main /home/arayz/arayz/work/davs2/source/test/test.c:329
#9 0x7fb6c28e2082 in __libc_start_main ../csu/libc-start.c:308
#10 0x5600c2d1c52d in _start (/home/arayz/arayz/work/davs2/build/linux/davs2+0xc52d)
0x7fb6ae012c3d is located 0 bytes to the right of 3028029-byte region [0x7fb6add2f800,0x7fb6ae012c3d)
allocated by thread T0 here:
#0 0x7fb6c2f2c808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x5600c2d295e9 in davs2_malloc /home/arayz/arayz/work/davs2/source/common/common.h:1240
#2 0x5600c2d295e9 in davs2_decoder_alloc_extra_buffer /home/arayz/arayz/work/davs2/source/common/decoder.cc:838
#3 0x7fb6bfb4f3bf (<unknown module>)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/arayz/arayz/work/davs2/source/common/alf.cc:389 in vlc_read_alf_coeff
Shadow bytes around the buggy address:
0x0ff755bfa530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff755bfa540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff755bfa550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff755bfa560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff755bfa570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff755bfa580: 00 00 00 00 00 00 00[05]fa fa fa fa fa fa fa fa
0x0ff755bfa590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff755bfa5a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff755bfa5b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff755bfa5c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff755bfa5d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==107031==ABORTING
Additional context
OS: Ubuntu 22.04 (server)
Compiler: gcc version 11.2.0 (Ubuntu 11.2.0-19ubuntu1)
Describe the bug
=============================================================================================
static void vlc_read_alf_coeff(davs2_bs_t *bs, alf_param_t *alf_param)
{
    const int numCoeff = ALF_MAX_NUM_COEF;
    int f, symbol, pre_symbole;
    int pos;
=============================================================================================
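The trace above reports a 4-byte WRITE landing 0 bytes past the end of a heap region inside vlc_read_alf_coeff, i.e. a coefficient store that ran off its table. As an added illustration (not davs2's code), the C model below shows the shape of a coefficient reader that validates a stream-supplied filter count against the table's capacity before the first write and fails closed on a truncated stream. The struct layout, the Exp-Golomb ue/se coding, the "count minus one" convention and the constants ALF_MAX_NUM_COEF = 9 and MAX_FILTERS = 16 are assumptions made for the example, not values taken from the project.

```c
#include <stddef.h>
#include <stdint.h>
#define ALF_MAX_NUM_COEF 9   /* coefficients per filter (assumed value) */
#define MAX_FILTERS      16  /* rows in the coefficient table (assumed) */

typedef struct {             /* stand-in for alf_param_t, not the project's type */
    int filters_per_group;
    int coeff[MAX_FILTERS][ALF_MAX_NUM_COEF];
} alf_param_t;

typedef struct { const uint8_t *p; size_t nbytes; size_t bit; } bs_t;  /* MSB-first bit reader */

static int bs_read_bit(bs_t *bs) {          /* -1 once the stream is exhausted */
    if (bs->bit >= bs->nbytes * 8) return -1;
    int b = (bs->p[bs->bit >> 3] >> (7 - (bs->bit & 7))) & 1;
    bs->bit++;
    return b;
}

/* ue(v): z leading zeros, a one, then z bits; value is (1<<z | bits) - 1, or -1 on error */
static int bs_read_ue(bs_t *bs) {
    int z = 0, b, v = 1;
    while ((b = bs_read_bit(bs)) == 0) if (++z > 30) return -1;
    if (b < 0) return -1;
    for (int i = 0; i < z; i++) { if ((b = bs_read_bit(bs)) < 0) return -1; v = (v << 1) | b; }
    return v - 1;
}

static int bs_read_se(bs_t *bs, int *out) { /* signed mapping of ue: 0,1,-1,2,-2,... */
    int k = bs_read_ue(bs);
    if (k < 0) return -1;
    *out = (k & 1) ? (k + 1) / 2 : -(k / 2);
    return 0;
}

/* The filter count is attacker-controlled input, so it is checked against the
 * table's capacity BEFORE any coeff[f][pos] store; an oversized count or a
 * truncated stream returns -1 instead of writing past the allocation. */
static int read_alf_coeff_checked(bs_t *bs, alf_param_t *alf) {
    const int numCoeff = ALF_MAX_NUM_COEF;
    int n = bs_read_ue(bs);                 /* assumed: stream carries count - 1 */
    if (n < 0 || n + 1 > MAX_FILTERS) return -1;
    alf->filters_per_group = n + 1;
    for (int f = 0; f < alf->filters_per_group; f++)
        for (int pos = 0; pos < numCoeff; pos++)
            if (bs_read_se(bs, &alf->coeff[f][pos]) != 0) return -1;
    return 0;
}

/* Constructed inputs: one filter with coefficients 1,-1,0,0,0,0,0,0,0 (14 bits), and a
 * stream whose ue(v) count field decodes to 20, i.e. 21 filters, which must be rejected. */
static const uint8_t kOneFilter[] = { 0xA7, 0xFC };
static const uint8_t kTooMany[]   = { 0x0A, 0x80 };
```

Passing kOneFilter with nbytes = 1 exercises the truncation path: three coefficients decode, the fourth read hits end of stream and the call returns -1 with no further stores.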
Additional context
PoC: poc3.zip