Memory allocation failed in function main at dec265.cc:708

[MandaCai]

Desctiption

dec265.cc:708 uint8_t* buf = (uint8_t*)malloc(length);
Segmentation fault due to excessive memory allocation，Here length is 0xb7fdf55f

Version

dec265  v1.0.12

git log
a267c847 (HEAD -> master, tag: v1.0.12, origin/master, origin/HEAD) increase version to v1.0.12

Steps to reproduce

git clone https://github.com/strukturag/libde265.git
cd libde265
./autogen.sh
export CFLAGS="-g -O0 -lpthread -fsanitize=address"
export CXXFLAGS="-g -O0 -lpthread -fsanitize=address"
export LDFLAGS="-fsanitize=address"
./configure --disable-shared
make -j
cd dec265
./dec265 -n poc
=================================================================
==703375==ERROR: AddressSanitizer: requested allocation size 0xffffffffb7fdf55f (0xffffffffb7fe0560 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
    #0 0x7face1531c47 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x555c97c6cc48 in main /home/freec/fuzz_normal/libde265/dec265/dec265.cc:708
    #2 0x7face0f15564 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x28564)

==703375==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: allocation-size-too-big ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145 in __interceptor_malloc
==703375==ABORTING

POC

poc2.zip

GDB INFO

]
RAX: 0x4 
RBX: 0x0 
RCX: 0x5ff5fdb7 
RDX: 0x0 
RSI: 0x5ff5fdb7 
RDI: 0x555555571580 --> 0x0 
RBP: 0x55555556fae0 --> 0x7ffff7fba588 --> 0x7ffff7f635b0 (<_ZN15decoder_contextD2Ev>:	endbr64)
RSP: 0x7fffffff3e90 --> 0x58 ('X')
RIP: 0x555555556728 (<main(int, char**)+488>:	movzx  ebx,BYTE PTR [rsp+0x50])
R8 : 0x4 
R9 : 0x5555555727f8 --> 0x0 
R10: 0xd ('\r')
R11: 0x7ffff7f63580 (<_ZN11error_queue11get_warningEv>:	endbr64)
R12: 0x7fffffff3ec0 --> 0x1 
R13: 0x555555558083 ("WARNING: %s\n")
R14: 0x5555555714a0 --> 0xfbad2488 
R15: 0x0
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x555555556719 <main(int, char**)+473>:	mov    edx,0x4
   0x55555555671e <main(int, char**)+478>:	mov    esi,0x1
   0x555555556723 <main(int, char**)+483>:	call   0x555555556490
=> 0x555555556728 <main(int, char**)+488>:	movzx  ebx,BYTE PTR [rsp+0x50]
   0x55555555672d <main(int, char**)+493>:	movzx  eax,BYTE PTR [rsp+0x51]
   0x555555556732 <main(int, char**)+498>:	shl    ebx,0x18
   0x555555556735 <main(int, char**)+501>:	shl    eax,0x10
   0x555555556738 <main(int, char**)+504>:	add    ebx,eax
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff3e90 --> 0x58 ('X')
0008| 0x7fffffff3e98 --> 0x7fffffff3ee0 --> 0x5ff5fdb7 
0016| 0x7fffffff3ea0 --> 0x0 
0024| 0x7fffffff3ea8 --> 0x0 
0032| 0x7fffffff3eb0 --> 0x6497fa03 
0040| 0x7fffffff3eb8 --> 0xac6a1 
0048| 0x7fffffff3ec0 --> 0x1 
0056| 0x7fffffff3ec8 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 1, main (argc=argc@entry=0x3, argv=argv@entry=0x7fffffffe018)
    at dec265.cc:708
708	        uint8_t* buf = (uint8_t*)malloc(length);
gdb-peda$ p length 
$2 = 0xb7fdf55f

[farindk]

Thank you