stack-buffer-overflow

[eeeeYxN]

/my/imageworsener# ./imagew -w x1.5 crash_out/stack_buffer_overflow.bmp out.bmp
crash_out/stack_buffer_overflow.bmp → out.bmp

=================================================================
==15002==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd626acb5f at pc 0x00000049d2dc bp 0x7ffd626ac990 sp 0x7ffd626ac140
WRITE of size 256 at 0x7ffd626acb5f thread T0
#0 0x49d2db (/my/imageworsener/imagew+0x49d2db)
#1 0x53582f (/my/imageworsener/imagew+0x53582f)
#2 0x5b1db8 (/my/imageworsener/imagew+0x5b1db8)
#3 0x52021e (/my/imageworsener/imagew+0x52021e)
#4 0x7f1f89c1fb96 (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#5 0x41b8b9 (/my/imageworsener/imagew+0x41b8b9)

Address 0x7ffd626acb5f is located in stack of thread T0 at offset 383 in frame
#0 0x5a9b1f (/my/imageworsener/imagew+0x5a9b1f)

This frame has 20 object(s):
[32, 40) 'bytesread.i301.i.i.i' (line 69)
[64, 72) 'bytesread.i293.i.i.i' (line 69)
[96, 104) 'bytesread.i.i.i.i' (line 69)
[128, 383) 'buf.i.i.i' (line 711)
[448, 456) 'bytesread.i.i49.i' (line 69) <== Memory access at offset 383 partially underflows this variable
[480, 488) 'bytesread.i.i.i71' (line 69) <== Memory access at offset 383 partially underflows this variable
[512, 520) 'bytesread.i.i.i' (line 69) <== Memory access at offset 383 partially underflows this variable
[544, 1568) 'buf.i.i' (line 81) <== Memory access at offset 383 partially underflows this variable
[1696, 1704) 'bytesread.i.i49' (line 69)
[1728, 2752) 'buf.i50' (line 513)
[2880, 2888) 'bytesread.i.i38' (line 69)
[2912, 2924) 'buf.i39' (line 468)
[2944, 2952) 'bytesread.i93.i' (line 69)
[2976, 2984) 'bytesread.i.i26' (line 69)
[3008, 3132) 'buf.i27' (line 366)
[3168, 3176) 'bytesread.i63.i' (line 69)
[3200, 3208) 'bytesread.i.i' (line 69)
[3232, 3246) 'buf.i' (line 99)
[3264, 4488) 'rctx' (line 955)
[4624, 4784) 'img' (line 956)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions are supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/my/imageworsener/imagew+0x49d2db)
Shadow bytes around the buggy address:
0x10002c4cd910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10002c4cd920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10002c4cd930: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
0x10002c4cd940: 00 f2 f2 f2 f8 f2 f2 f2 f8 f2 f2 f2 00 00 00 00
0x10002c4cd950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10002c4cd960: 00 00 00 00 00 00 00 00 00 00 00[07]f2 f2 f2 f2
0x10002c4cd970: f2 f2 f2 f2 f8 f2 f2 f2 f8 f2 f2 f2 f8 f2 f2 f2
0x10002c4cd980: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
0x10002c4cd990: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
0x10002c4cd9a0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
0x10002c4cd9b0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==15002==ABORTING
stack_buffer_overflow.zip

[jsummers]

Should be fixed by 9df77f9

[fgeek]

CVE-2018-16782 has been assigned for this issue.