AddressSanitizer: heap-use-after-free in stbi__jpeg_huff_decode #1289
Comments
I did a quick analysis of how this file seems to cause an invalid memory access, and I think I may have a fix in PR #1297. Loading this file results in a couple of invalid memory accesses in
Digging a bit deeper reveals that this file results in running over the bounds of the arrays in stbi__huffman in two other places. The first is in the "DHT - define huffman table" block in
v (either The second place is in
This is more or less the same as the first case: if the sum of
Mainstream pull requests: nothings/stb#1230 nothings/stb#1223 nothings/stb#1297
Related mainstream issue tickets: nothings/stb#1224 nothings/stb#1225 nothings/stb#1289 nothings/stb#1291 nothings/stb#1292 nothings/stb#1293
Neil's fixes are merged into the dev branch and will be in the next release.
Fixed in 2.28.
Describe the bug
UndefinedBehaviorSanitizer: undefined-behavior: index out of bounds + AddressSanitizer: heap-use-after-free in stbi__jpeg_huff_decode.
To Reproduce
Built stb according to the oss-fuzz script with

```
CXXFLAGS='-O1 -fsanitize=address -fsanitize=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unreachable,vla-bound,vptr'
```
ASAN Output
Crashing file