Recent changes to 57: out of bounds heap read in dirac::VHFilter::Interleavehttps://sourceforge.net/p/dirac/bugs/57/2017-07-01T21:28:47.762000ZRecent changes to 57: out of bounds heap read in dirac::VHFilter::Interleaveout of bounds heap read in dirac::VHFilter::Interleave2017-07-01T21:28:47.762000Z2017-07-01T21:28:47.762000ZHanno Böckhttps://sourceforge.net/u/ctulhu/https://sourceforge.net97ce4d6a4ef752404c3615a3d58fb6e909b12104<div class="markdown_content"><p>The attached file will cause an out of bounds read in the dirac decoder. This was found with american fuzzy lop.</p>
<p>Stack trace (from asan):</p>
<div class="codehilite"><pre>==10450==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62f00000ca00 at pc 0x0000004c36dc bp 0x7ffd5cbcba60 sp 0x7ffd5cbcb210
READ of size 1408 at 0x62f00000ca00 thread T0
#0 0x4c36db in __asan_memcpy (/r/dirac/dirac_decoder+0x4c36db)
#1 0x5c4151 in dirac::VHFilter::Interleave(int, int, int, int, dirac::CoeffArray&) /f/dirac-1.0.2/libdirac_common/wavelet_utils.cpp:504:9
#2 0x5a8106 in dirac::VHFilterLEGALL5_3::Synth(int, int, int, int, dirac::CoeffArray&) /f/dirac-1.0.2/libdirac_common/wavelet_utils.cpp:899:5
#3 0x59cc61 in dirac::WaveletTransform::Transform(dirac::Direction, dirac::PicArray&, dirac::CoeffArray&) /f/dirac-1.0.2/libdirac_common/wavelet_utils.cpp:473:25
#4 0x568096 in dirac::PictureDecompressor::Decompress(dirac::ParseUnitByteIO&, dirac::PictureBuffer&) /f/dirac-1.0.2/libdirac_decoder/picture_decompress.cpp:172:24
#5 0x546ebd in dirac::SequenceDecompressor::DecompressNextPicture(dirac::ParseUnitByteIO*) /f/dirac-1.0.2/libdirac_decoder/seq_decompress.cpp:128:45
#6 0x5307e6 in dirac::DiracParser::Parse() /f/dirac-1.0.2/libdirac_decoder/dirac_cppparser.cpp:223:54
#7 0x515963 in dirac_parse /f/dirac-1.0.2/libdirac_decoder/dirac_parser.cpp:334:38
#8 0x513d17 in DecodeDirac(char const*, char const*) /f/dirac-1.0.2/decoder/decmain.cpp:145:17
#9 0x513d17 in main /f/dirac-1.0.2/decoder/decmain.cpp:303
#10 0x7efd923571d0 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.24-r2/work/glibc-2.24/csu/../csu/libc-start.c:289
#11 0x41ce29 in _start (/r/dirac/dirac_decoder+0x41ce29)
0x62f00000ca00 is located 0 bytes to the right of 50688-byte region [0x62f000000400,0x62f00000ca00)
allocated by thread T0 here:
#0 0x50f3b0 in operator new[](unsigned long) (/r/dirac/dirac_decoder+0x50f3b0)
#1 0x559cd3 in dirac::TwoDArray<int>::Init(int, int) /f/dirac-1.0.2/libdirac_common/../libdirac_common/arrays.h:520:38
</pre></div>
</div>