A heap-buffer-overflow in png.c:277:21
Brought to you by:
amadvance
Ubuntu X64, gcc (Ubuntu 5.5.0-12ubuntu1), advpng (advancecomp-2.1)
./advpng -z -i 1 -q ./heap-overflow-adv_png_unfilter_8-png-272
=================================================================
==68103==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6190000009a0 at pc 0x0000005480fa bp 0x7ffc9a53efc0 sp 0x7ffc9a53efb8
READ of size 1 at 0x6190000009a0 thread T0
    #0 0x5480f9 in adv_png_unfilter_8 /home/seviezhou/advancecomp/lib/png.c:277:21
    #1 0x54b70c in adv_png_read_ihdr /home/seviezhou/advancecomp/lib/png.c:766:4
    #2 0x54c85c in adv_png_read_rns /home/seviezhou/advancecomp/lib/png.c:860:9
    #3 0x51e083 in convert_f(adv_fz_struct*, adv_fz_struct*) /home/seviezhou/advancecomp/repng.cc:142:6
    #4 0x51e80d in convert_inplace(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/seviezhou/advancecomp/repng.cc:193:3
    #5 0x5215d1 in rezip_single(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned long long&, unsigned long long&) /home/seviezhou/advancecomp/repng.cc:283:4
    #6 0x522b41 in rezip_all(int, char**) /home/seviezhou/advancecomp/repng.cc:317:3
    #7 0x5258da in process(int, char**) /home/seviezhou/advancecomp/repng.cc:476:3
    #8 0x526647 in main /home/seviezhou/advancecomp/repng.cc:489:3
    #9 0x7f588f04483f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291
    #10 0x41ccf8 in _start (/home/seviezhou/advancecomp/advpng+0x41ccf8)

0x6190000009a0 is located 0 bytes to the right of 1056-byte region [0x619000000580,0x6190000009a0)
allocated by thread T0 here:
    #0 0x4e0f08 in __interceptor_malloc /home/seviezhou/llvm-6.0.0/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88
    #1 0x54b405 in adv_png_read_ihdr /home/seviezhou/advancecomp/lib/png.c:723:13
    #2 0x54c85c in adv_png_read_rns /home/seviezhou/advancecomp/lib/png.c:860:9
    #3 0x51e083 in convert_f(adv_fz_struct*, adv_fz_struct*) /home/seviezhou/advancecomp/repng.cc:142:6
    #4 0x51e80d in convert_inplace(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/seviezhou/advancecomp/repng.cc:193:3
    #5 0x5215d1 in rezip_single(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, unsigned long long&, unsigned long long&) /home/seviezhou/advancecomp/repng.cc:283:4
    #6 0x522b41 in rezip_all(int, char**) /home/seviezhou/advancecomp/repng.cc:317:3
    #7 0x5258da in process(int, char**) /home/seviezhou/advancecomp/repng.cc:476:3
    #8 0x526647 in main /home/seviezhou/advancecomp/repng.cc:489:3
    #9 0x7f588f04483f in __libc_start_main /build/glibc-e6zv40/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/seviezhou/advancecomp/lib/png.c:277:21 in adv_png_unfilter_8
Shadow bytes around the buggy address:
  0x0c327fff80e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff80f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8130: 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==68103==ABORTING
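The report above records a 1-byte read at 0x6190000009a0, which is exactly the end of the 1056-byte heap block malloc'ed in adv_png_read_ihdr (png.c:723); the bracketed [fa] shadow byte is the redzone immediately past that block, so the unfilter loop in adv_png_unfilter_8 reads one byte beyond what was allocated. The report does not say which bound was missed, so the following is an added, generic illustration of the check a PNG unfilter step needs, not advancecomp's code and not a patch for png.c: the input buffer must hold height rows of (1 filter byte + rowbytes) before any row is touched, otherwise a short or malformed IDAT stream walks past the end of the buffer. The function and sample data are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Example code, not from advancecomp. Reverses the five PNG scanline
 * filters (None, Sub, Up, Average, Paeth) for 8-bit samples, but only
 * after proving the input actually contains every row it is about to
 * read. Returns 0 on success, -1 on any size or filter-type error. */

static uint8_t paeth_predictor(uint8_t a, uint8_t b, uint8_t c)
{
    int p = (int)a + (int)b - (int)c;
    int pa = abs(p - (int)a), pb = abs(p - (int)b), pc = abs(p - (int)c);
    if (pa <= pb && pa <= pc) return a;
    if (pb <= pc) return b;
    return c;
}

int png_unfilter_checked(const uint8_t *in, size_t in_len,
                         uint8_t *out, size_t out_len,
                         size_t width, size_t bpp, size_t height)
{
    size_t rowbytes, y, x;
    const uint8_t *prev = NULL;           /* previous decoded row, or NULL on row 0 */

    if (width == 0 || bpp == 0 || height == 0) return -1;
    if (width > SIZE_MAX / bpp) return -1;          /* rowbytes would wrap */
    rowbytes = width * bpp;
    if (rowbytes == SIZE_MAX) return -1;            /* rowbytes + 1 would wrap */
    /* The check an unfilter loop must make before touching any row:
     * the decompressed data has to hold height * (1 + rowbytes) bytes. */
    if (height > in_len / (rowbytes + 1)) return -1;
    if (height > out_len / rowbytes) return -1;     /* and the output must fit */

    for (y = 0; y < height; y++) {
        const uint8_t *src = in + y * (rowbytes + 1);
        uint8_t filter = src[0];
        uint8_t *dst = out + y * rowbytes;
        src++;
        for (x = 0; x < rowbytes; x++) {
            uint8_t a = x >= bpp ? dst[x - bpp] : 0;             /* left */
            uint8_t b = prev ? prev[x] : 0;                      /* up */
            uint8_t c = (prev && x >= bpp) ? prev[x - bpp] : 0;  /* upper-left */
            switch (filter) {
            case 0: dst[x] = src[x]; break;
            case 1: dst[x] = (uint8_t)(src[x] + a); break;
            case 2: dst[x] = (uint8_t)(src[x] + b); break;
            case 3: dst[x] = (uint8_t)(src[x] + ((unsigned)a + b) / 2); break;
            case 4: dst[x] = (uint8_t)(src[x] + paeth_predictor(a, b, c)); break;
            default: return -1;                      /* filter byte out of range */
            }
        }
        prev = dst;
    }
    return 0;
}

/* Constructed sample: 2x2 8-bit grayscale (bpp = 1).
 * Row 0 is Sub-filtered: [10, 5] -> [10, 15]
 * Row 1 is Up-filtered:  [1, 2]  -> [11, 17] */
static const uint8_t sample_rows[] = { 1, 10, 5,   2, 1, 2 };

/* Decodes the sample and returns pixel i, or -1 on error. */
int demo_decoded_pixel(size_t i)
{
    uint8_t out[4];
    if (i >= sizeof out) return -1;
    if (png_unfilter_checked(sample_rows, sizeof sample_rows,
                             out, sizeof out, 2, 1, 2) != 0) return -1;
    return out[i];
}

/* Same sample with its last byte missing: the size check must reject it
 * instead of reading one byte past the end, as ASan flagged above. */
int demo_truncated_rejected(void)
{
    uint8_t out[4];
    return png_unfilter_checked(sample_rows, sizeof sample_rows - 1,
                                out, sizeof out, 2, 1, 2);
}

int main(void)
{
    printf("pixels: %d %d %d %d\n", demo_decoded_pixel(0), demo_decoded_pixel(1),
           demo_decoded_pixel(2), demo_decoded_pixel(3));
    printf("truncated input rc: %d\n", demo_truncated_rejected());
    return 0;
}
```

Building this with -fsanitize=address and deleting the two size checks turns the truncated case into the same "0 bytes to the right of ... region" report shown above, which is a quick way to confirm what the redzone byte means when triaging such tickets.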