SEGV on unknown address in tinyexr.h:5779
yangfar opened this issue · 2 comments
Describe the issue
When I tested test_tinyexr with afl++, some crashes arose at tinyexr.h:5779.
To Reproduce
Steps to reproduce the behavior:
```
$ git clone https://github.com/syoyo/tinyexr.git
$ cd tinyext
$ export CFLAGS="-fsanitize=address"
$ export CXXFLAGS="-fsanitize=address"
$ export CC=afl-clang-fast
$ export CXX=afl-clang-fast++
$ export AFL_USE_ASAN=1
$ mkdir build
$ cd build
$ make -j8
```
Compile TinyEXR with Address Sanitizer, then run:
```
./test_tinyexr ./poc
```
Environment
OS: Ubuntu 20.04.2 LTS
gcc: 9.4.0
Error
```
AddressSanitizer:DEADLYSIGNAL
==1365598==ERROR: AddressSanitizer: SEGV on unknown address 0x7fb24cfa130a (pc 0x0000004e5c2b bp 0x7ffc47299350 sp 0x7ffc47298b60 T0)
==1365598==The signal is caused by a READ memory access.
    #0 0x4e5c2b in tinyexr::ReconstructTileOffsets(tinyexr::OffsetData&, TEXRHeader const*, unsigned char const*, unsigned char const*, unsigned long, bool, bool) /home/yzy/fuzzsoftware/tinyexr-release/./tinyexr.h:5779:9
    #1 0x4e5c2b in tinyexr::DecodeEXRImage(TEXRImage*, TEXRHeader const*, unsigned char const*, unsigned char const*, unsigned long, char const**) /home/yzy/fuzzsoftware/tinyexr-release/./tinyexr.h:5984:12
    #2 0x4e24a6 in LoadEXRImageFromMemory /home/yzy/fuzzsoftware/tinyexr-release/./tinyexr.h:6958:10
    #3 0x4d173a in LoadEXRImageFromFile /home/yzy/fuzzsoftware/tinyexr-release/./tinyexr.h:6935:10
    #4 0x4cb72f in LoadEXRWithLayer /home/yzy/fuzzsoftware/tinyexr-release/./tinyexr.h:6234:15
    #5 0x5181f4 in LoadEXR /home/yzy/fuzzsoftware/tinyexr-release/./tinyexr.h:6181:10
    #6 0x5181f4 in test_main(int, char**) /home/yzy/fuzzsoftware/tinyexr-release/test_tinyexr.cc:223:9
    #7 0x5181f4 in main /home/yzy/fuzzsoftware/tinyexr-release/test_tinyexr.cc:194:42
    #8 0x7fb2cfb57082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #9 0x41d74d in _start (/home/yzy/fuzzsoftware/tinyexr-release/test_tinyexr+0x41d74d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/yzy/fuzzsoftware/tinyexr-release/./tinyexr.h:5779:9 in tinyexr::ReconstructTileOffsets(tinyexr::OffsetData&, TEXRHeader const*, unsigned char const*, unsigned char const*, unsigned long, bool, bool)
==1365598==ABORTING
```
Poc
Poc.zip
Thanks!
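The trace above reports a wild READ while reconstructing a tile offset table from the file contents. The generic defensive pattern for that class of parser bug is to validate every offset read from the untrusted buffer against the buffer's own bounds before dereferencing it. The block below is an added illustration of that check; it is hypothetical code written for this note, not tinyexr's implementation, and `validate_offset_table`, its layout (a table of little-endian 64-bit offsets at a given position) and the constructed sample buffers are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read a little-endian uint64 from p; caller guarantees 8 bytes are available. */
static uint64_t read_u64le(const unsigned char *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Write a little-endian uint64 (used only to build the constructed samples). */
static void put_u64le(unsigned char *p, uint64_t v) {
    for (int i = 0; i < 8; i++) { p[i] = (unsigned char)(v & 0xff); v >>= 8; }
}

/* Hypothetical check: a table of `count` 8-byte offsets stored at table_pos
 * inside a buffer of `size` bytes. Every offset must land inside the buffer
 * and past the end of the table itself (chunk data cannot precede its index).
 * Returns 0 on success, -1 if the table is truncated, -2 on a bad offset.
 * Only after it returns 0 is it safe to dereference buf + out[i]. */
int validate_offset_table(const unsigned char *buf, size_t size,
                          size_t table_pos, size_t count,
                          uint64_t *out /* may be NULL */) {
    /* Truncation check written so that count * 8 cannot overflow. */
    if (table_pos > size || count > (size - table_pos) / 8) return -1;
    size_t table_end = table_pos + count * 8;
    for (size_t i = 0; i < count; i++) {
        uint64_t off = read_u64le(buf + table_pos + i * 8);
        if (off < table_end || off >= size) return -2;
        if (out) out[i] = off;
    }
    return 0;
}

/* Constructed 32-byte sample: an offset table at position 0 whose first
 * entry is always 16 and whose second entry and declared count are chosen
 * by the caller, so the three failure modes can be exercised. */
int demo_case(uint64_t second_offset, size_t count) {
    unsigned char buf[32];
    uint64_t offs[8];
    memset(buf, 0, sizeof buf);
    put_u64le(buf, 16);
    put_u64le(buf + 8, second_offset);
    return validate_offset_table(buf, sizeof buf, 0, count, offs);
}

int main(void) {
    printf("well-formed table      -> %d\n", demo_case(24, 2));
    printf("offset beyond buffer   -> %d\n", demo_case(0xFFFFFFFFFFFFFFF0ULL, 2));
    printf("offset inside table    -> %d\n", demo_case(8, 2));
    printf("count exceeds buffer   -> %d\n", demo_case(24, 5));
    return 0;
}
```

The order of the two tests matters: the truncation check must come before any read of the table, and the per-entry range check must come before any read through the entry, which is exactly the step a crash at an "unknown address" indicates was skipped.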