SEGV (ASAN: heap-buffer-overflow) on load_image_with_stb #35
strongcourage opened this issue May 28, 2019 · 1 comment
@strongcourage

Hi,

Our fuzzer found a crash due to a heap buffer overflow in the function load_image_with_stb at the latest commit 5ff4d86 on master.

PoC_hbo_load_image_with_stb: https://github.com/strongcourage/PoCs/blob/master/astc-encoder_5ff4d86/PoC_hbo_load_image_with_stb

ASAN says:

```text
astcenc -c $PoC /dev/null 6x6 -medium
Encoding settings:

2D Block size: 6x6 (3.56 bpp)
3D Block size: 6x6x1 (3.56 bpp)
Radius for mean-and-stdev calculations: 0 texels
RGB power: 1
RGB base-weight: 1
RGB local-mean weight: 0
RGB local-stdev weight: 0
RGB mean-and-stdev mixing across color channels: 0
Alpha power: 1
Alpha base-weight: 1
Alpha local-mean weight: 0
Alpha local-stdev weight: 0
RGB weights scale with alpha: disabled
Color channel relative weighting: R=1 G=1 B=1 A=1
Block-artifact suppression parameter : 0
Number of distinct partitionings to test: 25 (preset)
PSNR decibel limit: 2D: 40.529411 3D: 40.529411 (preset)
1->2 partition limit: 1.200000
Dual-plane color-correlation cutoff: 0.750000 (preset)
Block Mode Percentile Cutoff: 75.000000 (preset)
Max refinement iterations: 2 (preset)
Thread count : 8 (autodetected)

=================================================================
==7392==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f0083af2628 at pc 0x000000487b80 bp 0x7ffccd4bc4f0 sp 0x7ffccd4bc4e0
WRITE of size 1 at 0x7f0083af2628 thread T0
    #0 0x487b7f in load_image_with_stb(char const*, int, int*) /home/dungnguyen/gueb-testing/astc-encoder/Source/astc_stb_tga.cpp:82
    #1 0x46bff0 in astc_codec_load_image(char const*, int, int*) /home/dungnguyen/gueb-testing/astc-encoder/Source/astc_image_load_store.cpp:1328
    #2 0x49a3dd in astc_main(int, char**) /home/dungnguyen/gueb-testing/astc-encoder/Source/astc_toplevel.cpp:2329
    #3 0x7f00870ec82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #4 0x402738 in _start (/home/dungnguyen/PoCs/astc-encoder_5ff4d86/astcenc-asan+0x402738)

0x7f0083af2628 is located 0 bytes to the right of 11578920-byte region [0x7f0082fe7800,0x7f0083af2628)
allocated by thread T0 here:
    #0 0x7f0087a556b2 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x996b2)
    #1 0x462b41 in allocate_image(int, int, int, int, int) /home/dungnguyen/gueb-testing/astc-encoder/Source/astc_image_load_store.cpp:63

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/dungnguyen/gueb-testing/astc-encoder/Source/astc_stb_tga.cpp:82 load_image_with_stb(char const*, int, int*)
==7392==ABORTING
```

Thanks,
Manh Dung
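The report shows a 1-byte write landing exactly at the end of the region returned by allocate_image, i.e. the loop filling the image from the stb decoder ran past the size the destination was allocated for. The report does not say which dimension or channel count disagreed, so the snippet below is an added illustration, not astc-encoder's own code: a hypothetical `ImageBuf` / `alloc_image` / `copy_decoded_checked` trio that overflow-checks the allocation size and refuses to copy decoder output whose layout does not match the allocation, instead of writing past it.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Hypothetical 8-bit image: the backing store plus the geometry it was sized for.
struct ImageBuf {
    std::vector<uint8_t> data;
    int xsize = 0, ysize = 0, channels = 0;
};

// Allocate xsize*ysize*channels bytes, rejecting non-positive or overflowing sizes.
static bool alloc_image(ImageBuf &img, int xsize, int ysize, int channels) {
    if (xsize <= 0 || ysize <= 0 || channels <= 0 || channels > 4) return false;
    size_t cols = (size_t)xsize, rows = (size_t)ysize, ch = (size_t)channels;
    if (cols > SIZE_MAX / ch || rows > SIZE_MAX / (cols * ch)) return false;  // size_t overflow
    img.data.assign(rows * cols * ch, 0);
    img.xsize = xsize; img.ysize = ysize; img.channels = channels;
    return true;
}

// Copy decoder output (src_w x src_h, src_ch bytes per texel) into img.
// Returns 0 on success, -1 if the layout differs from what img was allocated for;
// a mismatch here is exactly what would otherwise become a write past the end.
static int copy_decoded_checked(ImageBuf &img, const uint8_t *src,
                                int src_w, int src_h, int src_ch) {
    if (src == nullptr || src_w <= 0 || src_h <= 0 || src_ch <= 0) return -1;
    if (src_w != img.xsize || src_h != img.ysize || src_ch != img.channels) return -1;
    size_t row_bytes = (size_t)src_w * (size_t)src_ch;        // safe: dims already validated
    if (row_bytes * (size_t)src_h > img.data.size()) return -1; // belt and braces
    for (int y = 0; y < src_h; y++)
        std::memcpy(&img.data[(size_t)y * row_bytes], src + (size_t)y * row_bytes, row_bytes);
    return 0;
}

// Self-check with constructed input: a matching copy succeeds, mismatches are refused.
static bool run_checks() {
    ImageBuf img;
    if (!alloc_image(img, 4, 3, 4)) return false;
    std::vector<uint8_t> px(4 * 3 * 4, 7);                    // constructed decoder output
    if (copy_decoded_checked(img, px.data(), 4, 3, 4) != 0) return false;
    if (img.data[47] != 7) return false;                      // last byte written, none beyond
    if (copy_decoded_checked(img, px.data(), 4, 3, 3) != -1) return false;  // channel mismatch
    if (copy_decoded_checked(img, px.data(), 5, 3, 4) != -1) return false;  // width mismatch
    ImageBuf bad;
    return !alloc_image(bad, 0, 3, 4);                         // zero width rejected
}
```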

@solidpixel
Contributor

Confirmed as resolved by #48, once that is merged.
