thor
Stack buffer overflow found in common_kernels.c
==2602==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdc4f3617c at pc 0x0000004b23dd bp 0x7ffdc4f35270 sp 0x7ffdc4f35260
READ of size 4 at 0x7ffdc4f3617c thread T0
    #0 0x4b23dc in scale_frame_down2x2_simd_lbd common/common_kernels.c:1849
    #1 0x4e57b7 in interpolate_frames_lbd common/temporal_interp.c:950
    #2 0x4273b0 in decode_frame dec/decode_frame.c:110
    #3 0x402934 in main dec/maindec.c:179
    #4 0x7f16740a582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x406ce8 in _start (/home/mfc_fuzz/thor/build/Thordec+0x406ce8)

Address 0x7ffdc4f3617c is located in stack of thread T0 at offset 2492 in frame
    #0 0x4020af in main dec/maindec.c:97

  This frame has 9 object(s):
    [32, 40) 'infile'
    [96, 104) 'outfile'
    [160, 172) 'tot_bits'
    [224, 352) 'rec_available'
    [384, 2472) 'stream' <== Memory access at offset 2492 overflows this variable
    [2528, 5696) 'rec'
    [5728, 8896) 'ref'
    [8928, 33992) 'bit_count'
    [34048, 63424) 'decoder_info'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions are supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow common/common_kernels.c:1849 scale_frame_down2x2_simd_lbd
Shadow bytes around the buggy address:
  0x1000389debd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000389debe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000389debf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000389dec00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000389dec10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000389dec20: 00 00 00 00 00 00 00 00 00 00 00 00 00 f4 f4[f4]
  0x1000389dec30: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000389dec40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000389dec50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000389dec60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000389dec70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==2602==ABORTING

The input file has been put at: https://github.com/fCorleone/fuzz_programs/blob/master/thor/test2.bit
The command line is: ./Thordec test2.bit out
The program was compiled by afl-gcc with ASAN mode.
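The useful numbers in a report like the one above are the frame offset (2492) and the object list, which together say how far the faulting read lands past which local. The following is an added triage helper, not code from the thor project or from the reporter: it parses ASan's "[begin, end) 'name'" entries and attributes a frame offset the way ASan does, so a pile of fuzzer crash logs can be classified without re-running each input. The frame text and offsets are copied from the report above; the function names are my own.

```c
/* asan_frame_triage.c
 *
 * Added example (not thor project code): reproduce the attribution ASan makes
 * in its "This frame has N object(s)" list. Given the frame description and
 * the faulting frame offset, name the object the access overruns and report
 * how many bytes past its end the access lands.
 *
 * Build: cc -std=c99 -Wall -o asan_frame_triage asan_frame_triage.c
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* One "[begin, end) 'name'" entry; begin/end are byte offsets from the frame base. */
struct frame_obj {
    size_t begin, end;
    char name[32];
};

/* Constructed input: the nine entries from the report above, joined into one
 * string exactly as ASan prints them. */
static const char *const FRAME_TEXT =
    "[32, 40) 'infile' [96, 104) 'outfile' [160, 172) 'tot_bits' "
    "[224, 352) 'rec_available' [384, 2472) 'stream' [2528, 5696) 'rec' "
    "[5728, 8896) 'ref' [8928, 33992) 'bit_count' [34048, 63424) 'decoder_info'";

/* Parse a single "[begin, end) 'name'" entry. Returns 1 on match, 0 otherwise. */
int parse_frame_obj(const char *text, struct frame_obj *out)
{
    return sscanf(text, "[%zu, %zu) '%31[^']'", &out->begin, &out->end, out->name) == 3;
}

/* Parse every entry in a frame description into objs[]; returns the count. */
size_t parse_frame(const char *text, struct frame_obj *objs, size_t max)
{
    size_t n = 0;
    const char *p = text;
    while (n < max && (p = strchr(p, '[')) != NULL) {
        if (parse_frame_obj(p, &objs[n]))
            n++;
        p++;
    }
    return n;
}

/* Attribute a frame offset the way ASan does. An offset inside an object is an
 * in-bounds access (*past = 0). An offset in the gap after an object, before
 * the next one begins, is that object's right redzone (*past = bytes past its
 * end). Returns the object's index, or -1 for an offset before the first object. */
int attribute_offset(const struct frame_obj *objs, size_t n, size_t off, long *past)
{
    for (size_t i = 0; i < n; i++) {
        if (off >= objs[i].begin && off < objs[i].end) {
            *past = 0;
            return (int)i;
        }
        size_t next_begin = (i + 1 < n) ? objs[i + 1].begin : (size_t)-1;
        if (off >= objs[i].end && off < next_begin) {
            *past = (long)(off - objs[i].end);
            return (int)i;
        }
    }
    *past = -1;
    return -1;
}

/* Wrappers over a frame description string. overrun_distance() returns bytes
 * past the end of the overrun object (0 if in bounds, -1 if the offset could
 * not be attributed); overrun_object() returns that object's name, or "". */
long overrun_distance(const char *frame_text, size_t off)
{
    struct frame_obj objs[64];
    long past;
    attribute_offset(objs, parse_frame(frame_text, objs, 64), off, &past);
    return past;
}

const char *overrun_object(const char *frame_text, size_t off)
{
    static struct frame_obj objs[64]; /* static so the returned name outlives the call */
    long past;
    int i = attribute_offset(objs, parse_frame(frame_text, objs, 64), off, &past);
    return i < 0 ? "" : objs[i].name;
}

int main(void)
{
    /* The report's access: READ of size 4 at frame offset 2492 in main(). */
    size_t off = 2492, size = 4;
    long past = overrun_distance(FRAME_TEXT, off);
    printf("READ of size %zu at offset %zu: %ld bytes past the end of '%s', "
           "last byte read at offset %zu\n",
           size, off, past, overrun_object(FRAME_TEXT, off), off + size - 1);
    return 0;
}
```

Run on the report's numbers it gives 20 bytes past the end of `stream`, with the 4-byte read ending at offset 2495, still 32 bytes short of where `rec` begins at 2528. So the read in scale_frame_down2x2_simd_lbd stays entirely inside the redzone ASan placed after main's `stream`, which is why the report is a clean stack-buffer-overflow rather than a silent read of a neighbouring local. Without ASan the same read hits whatever the compiler lays out after `stream`, so the non-instrumented decoder may well produce garbage output and exit normally; a crash in the sanitized build should not be taken as the only evidence of the bug.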
Thanks for the report. Can you specify the commit id you're using to decode?
I have checked the commit id; it's commit e42047d. It's strange, as I cloned the code from https://github.com/cisco/thor.git 12 days ago. Does that mean I would get the latest version of the code? But when I check the commit id using the command line:
git reflog
I got this:
e42047d HEAD@{0}: clone: from https://github.com/cisco/thor.git
Duplicate of #36