stbi__pnm_load heap-buffer-overflow bug #1166
This has been assigned CVE number CVE-2021-42716, which links back to this issue and issue #1225. Thanks!
musicinmybrain added a commit to musicinmybrain/zxing-cpp that referenced this issue on Dec 8, 2021:

> Fixes a crash and an infinite loop in stb_image that could occur with specially constructed PGM and HDR files nothings/stb#1223
>
> This is a candidate fix for: https://nvd.nist.gov/vuln/detail/CVE-2021-42715
> In stb_image's HDR reader, loading a specially constructed invalid HDR file can result in an infinite loop within the RLE decoder nothings/stb#1224
>
> Additionally, this is a candidate fix for: https://nvd.nist.gov/vuln/detail/CVE-2021-42716
> stbi__pnm_load heap-buffer-overflow bug nothings/stb#1166
> In stb_image's PNM reader, loading a specially constructed valid 16-bit PGM file with 4 channels can cause a crash due to an out-of-bounds read nothings/stb#1225
Fixed by Neil's patch, now merged into dev branch. Will be in the next release.
Fixed in 2.28.
I found a heap-buffer-overflow (OOB read).

poc.zip

In stbi__pnm_load, if req_comp && req_comp != s->img_n, it will call stbi__convert_format, but it does not multiply by ri->bits_per_channel / 8. If ri.bits_per_channel != 8, stbi__convert_16_to_8 will be called and makes an OOB read.
```
./test poc
=================================================================
==15240==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100000249c at pc 0x5647f49c70ae bp 0x7ffdee668420 sp 0x7ffdee668410
READ of size 2 at 0x62100000249c thread T0
    #0 0x5647f49c70ad in stbi__convert_16_to_8(unsigned short*, int, int, int) (/home/test/stb/poc/test+0x170ad)
    #1 0x5647f49c7819 in stbi__load_and_postprocess_8bit(stbi__context*, int*, int*, int*, int) (/home/test/stb/poc/test+0x17819)
    #2 0x5647f49c8107 in stbi_load_from_file (/home/test/stb/poc/test+0x18107)
    #3 0x5647f49c7ffc in stbi_load (/home/test/stb/poc/test+0x17ffc)
    #4 0x5647f4a014df in main (/home/test/stb/poc/test+0x514df)
    #5 0x7f521b45abf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #6 0x5647f49b6269 in _start (/home/test/stb/poc/test+0x6269)

0x62100000249c is located 0 bytes to the right of 3996-byte region [0x621000001500,0x62100000249c)
allocated by thread T0 here:
    #0 0x7f521c02fb40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
    #1 0x5647f49c68d2 in stbi__malloc(unsigned long) (/home/test/stb/poc/test+0x168d2)
    #2 0x5647f49c6b1f in stbi__malloc_mad3(int, int, int, int) (/home/test/stb/poc/test+0x16b1f)
    #3 0x5647f49ca7f0 in stbi__convert_format(unsigned char*, int, int, unsigned int, unsigned int) (/home/test/stb/poc/test+0x1a7f0)
    #4 0x5647f4a00005 in stbi__pnm_load(stbi__context*, int*, int*, int*, int, stbi__result_info*) (/home/test/stb/poc/test+0x50005)
    #5 0x5647f49c6e91 in stbi__load_main(stbi__context*, int*, int*, int*, int, stbi__result_info*, int) (/home/test/stb/poc/test+0x16e91)
    #6 0x5647f49c7663 in stbi__load_and_postprocess_8bit(stbi__context*, int*, int*, int*, int) (/home/test/stb/poc/test+0x17663)
    #7 0x5647f49c8107 in stbi_load_from_file (/home/test/stb/poc/test+0x18107)
    #8 0x5647f49c7ffc in stbi_load (/home/test/stb/poc/test+0x17ffc)
    #9 0x5647f4a014df in main (/home/test/stb/poc/test+0x514df)
    #10 0x7f521b45abf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/test/stb/poc/test+0x170ad) in stbi__convert_16_to_8(unsigned short*, int, int, int)
Shadow bytes around the buggy address:
  0x0c427fff8440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fff8490: 00 00 00[04]fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff84a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff84b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff84c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff84d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff84e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==15240==ABORTING
```
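As an added illustration of the size mismatch the report describes (example code, not from stb_image or from this issue): the 8-bit conversion path allocates x * y * req_comp bytes, while the 16-to-8 pass reads two bytes per sample, so a 16-bit PGM loaded with req_comp != img_n runs off the end of that region. `convert_format16` below is a simplified, hypothetical stand-in for a 16-bit-aware channel expansion (it only copies channels and fills added ones with opaque alpha, not the library's full conversion table); the point is that sizing the buffer in 16-bit units keeps the following 16-to-8 pass in bounds.

```c
#include <stdint.h>
#include <stdlib.h>

/* Output size the 8-bit stbi__convert_format path allocated in the report:
   x * y * req_comp bytes, with no bits_per_channel factor. */
size_t buggy_alloc_bytes(int x, int y, int req_comp) {
    return (size_t)x * y * req_comp;
}

/* Bytes the 16-to-8 pass then reads from that buffer when the PGM carries
   16-bit samples: two bytes per sample, i.e. twice the allocation. */
size_t bytes_read_by_16_to_8(int x, int y, int req_comp) {
    return (size_t)x * y * req_comp * 2;
}

/* Correct output size once bits_per_channel is honoured. */
size_t correct_alloc_bytes(int x, int y, int req_comp, int bits_per_channel) {
    return (size_t)x * y * req_comp * (size_t)(bits_per_channel / 8);
}

/* Simplified 16-bit-aware channel expansion (hypothetical stand-in, not the
   library's code): copies img_n channels per pixel and fills any added channel
   with opaque 0xFFFF, sizing the buffer in 16-bit units. Caller frees. */
uint16_t *convert_format16(const uint16_t *src, int img_n, int req_comp, int x, int y) {
    size_t px = (size_t)x * y;
    uint16_t *dst = malloc(px * req_comp * sizeof *dst);
    if (!dst) return NULL;
    for (size_t i = 0; i < px; i++)
        for (int c = 0; c < req_comp; c++)
            dst[i * req_comp + c] = c < img_n ? src[i * img_n + c] : 0xFFFF;
    return dst;
}

/* Reduce 16-bit samples to 8-bit by keeping the high byte. It reads exactly
   x * y * comp uint16_t values, so it is only safe on a buffer that was sized
   for 16-bit samples, as convert_format16 produces. Caller frees. */
unsigned char *convert_16_to_8(const uint16_t *src, int x, int y, int comp) {
    size_t n = (size_t)x * y * comp;
    unsigned char *out = malloc(n);
    if (!out) return NULL;
    for (size_t i = 0; i < n; i++) out[i] = (unsigned char)(src[i] >> 8);
    return out;
}
```

Comparing `buggy_alloc_bytes` with `bytes_read_by_16_to_8` for any image shows the over-read is exactly the size of the allocation, which is what the ASan report's "0 bytes to the right of" the region reflects.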