Recent changes to 57: out of bounds heap read in dirac::VHFilter::Interleavehttps://sourceforge.net/p/dirac/bugs/57/Recent changes to 57: out of bounds heap read in dirac::VHFilter::InterleaveenSat, 01 Jul 2017 21:28:47 -0000out of bounds heap read in dirac::VHFilter::Interleavehttps://sourceforge.net/p/dirac/bugs/57/<div class="markdown_content"><p>The attached file will cause an out of bounds read in the dirac decoder. This was found with american fuzzy lop.</p> <p>Stack trace (from asan):</p> <div class="codehilite"><pre>==10450==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62f00000ca00 at pc 0x0000004c36dc bp 0x7ffd5cbcba60 sp 0x7ffd5cbcb210 READ of size 1408 at 0x62f00000ca00 thread T0 #0 0x4c36db in __asan_memcpy (/r/dirac/dirac_decoder+0x4c36db) #1 0x5c4151 in dirac::VHFilter::Interleave(int, int, int, int, dirac::CoeffArray&amp;) /f/dirac-1.0.2/libdirac_common/wavelet_utils.cpp:504:9 #2 0x5a8106 in dirac::VHFilterLEGALL5_3::Synth(int, int, int, int, dirac::CoeffArray&amp;) /f/dirac-1.0.2/libdirac_common/wavelet_utils.cpp:899:5 #3 0x59cc61 in dirac::WaveletTransform::Transform(dirac::Direction, dirac::PicArray&amp;, dirac::CoeffArray&amp;) /f/dirac-1.0.2/libdirac_common/wavelet_utils.cpp:473:25 #4 0x568096 in dirac::PictureDecompressor::Decompress(dirac::ParseUnitByteIO&amp;, dirac::PictureBuffer&amp;) /f/dirac-1.0.2/libdirac_decoder/picture_decompress.cpp:172:24 #5 0x546ebd in dirac::SequenceDecompressor::DecompressNextPicture(dirac::ParseUnitByteIO*) /f/dirac-1.0.2/libdirac_decoder/seq_decompress.cpp:128:45 #6 0x5307e6 in dirac::DiracParser::Parse() /f/dirac-1.0.2/libdirac_decoder/dirac_cppparser.cpp:223:54 #7 0x515963 in dirac_parse /f/dirac-1.0.2/libdirac_decoder/dirac_parser.cpp:334:38 #8 0x513d17 in DecodeDirac(char const*, char const*) /f/dirac-1.0.2/decoder/decmain.cpp:145:17 #9 0x513d17 in main /f/dirac-1.0.2/decoder/decmain.cpp:303 #10 0x7efd923571d0 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.24-r2/work/glibc-2.24/csu/../csu/libc-start.c:289 #11 0x41ce29 in _start (/r/dirac/dirac_decoder+0x41ce29) 0x62f00000ca00 is located 0 bytes to the right of 50688-byte region [0x62f000000400,0x62f00000ca00) allocated by thread T0 here: #0 0x50f3b0 in operator new[](unsigned long) (/r/dirac/dirac_decoder+0x50f3b0) #1 0x559cd3 in dirac::TwoDArray&lt;int&gt;::Init(int, int) /f/dirac-1.0.2/libdirac_common/../libdirac_common/arrays.h:520:38 </pre></div> </div>Hanno BöckSat, 01 Jul 2017 21:28:47 -0000https://sourceforge.net97ce4d6a4ef752404c3615a3d58fb6e909b12104