Multiple integer misbehaviours (excessive shift, signed integer overflow) in readBits/readSBits of util/read.c

[glen-mac]

Hey there, I have come across some integer behaviour runtime issues in the commit 50e2bf7.

The shift operations left-shift an integer outside the number of bits supported by the data type, and is an undefined behavior in C according to ISO C99.
The unsigned integer overflow could cause undefined behaviour in the runtime of the software.

To replicate, I compiled the git repo with:
CC=clang CXX=clang++ CFLAGS='-fsanitize=address,undefined -g -O2 -fPIC -DSWF_LITTLE_ENDIAN' CXXFLAGS=$CFLAGS ./configure; make

The issues reported by UBSan are as follows:

- read.c:71:11: runtime error: left shift of 310079501 by 8 places cannot be represented in type 'int'
- read.c:90:11: runtime error: left shift of 2032175751 by 5 places cannot be represented in type 'int'
- read.c:111:20: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
- read.c:111:16: runtime error: signed integer overflow: 1293434706 - -2147483648 cannot be represented in type 'int'

I have attached the output of UBSan and the POC file that triggers all 4 of the above bugs.

output.txt
crash_case.zip