
UBSAN: integer overflow #1292

Closed
pietroborrello opened this issue Feb 17, 2022 · 2 comments
Labels: stb_image, bug w/ repro, merged-dev (Merged into development branch)

Comments


pietroborrello commented Feb 17, 2022

Describe the bug
UBSAN: runtime error: signed integer overflow: -126340289 * 17 cannot be represented in type 'int'
and
UBSAN: runtime error: signed integer overflow: -2147450975 + -32767 cannot be represented in type 'int'

To Reproduce
Built stb according to the oss-fuzz script with CXXFLAGS='-O1 -fsanitize=address -fsanitize=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unreachable,vla-bound,vptr'

UBSAN Output

$ ./stbi_read_fuzzer ./id:000130,sig:06,src:002266+002478,time:16238914,op:splice,rep:16,trial:1492432

INFO: Seed: 1429753284
INFO: Loaded 1 modules   (6883 inline 8-bit counters): 6883 [0x5e1b33, 0x5e3616), 
INFO: Loaded 1 PC tables (6883 PCs): 6883 [0x573228,0x58e058), 
../cve_exp/work_LIBFUZZER_HELPER_STB_STBI_READ_FUZZER/out/stbi_read_fuzzer: Running 1 inputs 1 time(s) each.
Running: id:000130,sig:06,src:002266+002478,time:16238914,op:splice,rep:16,trial:1492432
src/stb/tests/../stb_image.h:2251:29: runtime error: signed integer overflow: -1073741919 * 2 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/stb/tests/../stb_image.h:2251:29 in 
src/stb/tests/../stb_image.h:2249:35: runtime error: signed integer overflow: -2147450975 + -32767 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/stb/tests/../stb_image.h:2249:35 in 
Executed id:000130,sig:06,src:002266+002478,time:16238914,op:splice,rep:16,trial:1492432 in 76 ms
***
*** NOTE: fuzzing was not performed, you have only
***       executed the target code on a fixed set of inputs.
***

Crashing files
ubsan-integer-overflow.zip
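To triage output like the log above, here is a small checker added as an example (it is not part of stb or of this issue; type and function names are my own). It parses UBSAN "signed integer overflow" lines, ignores the INFO/SUMMARY noise around them, and re-evaluates each reported expression in 64-bit arithmetic to confirm that the result really falls outside the int range, without the checker itself ever performing the undefined int operation. The sample log is constructed from the lines quoted in this report.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <limits.h>

/* One parsed UBSAN "signed integer overflow" report. */
typedef struct {
    char file[128]; int line, col;
    long long lhs, rhs; char op;   /* operands and operator ('*', '+' or '-') as UBSAN printed them */
    bool overflows_int;            /* true if lhs <op> rhs really lies outside [INT_MIN, INT_MAX] */
} ubsan_overflow_t;

/* Parse "<file>:<line>:<col>: runtime error: signed integer overflow: <a> <op> <b> cannot be represented
   in type 'int'". INFO:, SUMMARY: and other lines are rejected. The overflow is re-checked in 64-bit
   arithmetic, so the checker itself never performs the undefined int operation. */
static bool parse_ubsan_overflow(const char *text, ubsan_overflow_t *r) {
    if (sscanf(text, "%127[^:]:%d:%d: runtime error: signed integer overflow: %lld %c %lld",
               r->file, &r->line, &r->col, &r->lhs, &r->op, &r->rhs) != 6
        || !strstr(text, "in type 'int'"))
        return false;
    /* Operands of an int operation must themselves be ints; then int x int always fits in 64 bits. */
    if (r->lhs < INT_MIN || r->lhs > INT_MAX || r->rhs < INT_MIN || r->rhs > INT_MAX) return false;
    long long exact;
    switch (r->op) {
        case '*': exact = r->lhs * r->rhs; break;
        case '+': exact = r->lhs + r->rhs; break;
        case '-': exact = r->lhs - r->rhs; break;
        default:  return false;
    }
    r->overflows_int = exact < INT_MIN || exact > INT_MAX;
    return true;
}

/* Sample fuzzer output, constructed from the lines quoted in this issue. */
static const char *const sample_log[] = {
    "INFO: Seed: 1429753284",
    "src/stb/tests/../stb_image.h:2251:29: runtime error: signed integer overflow: -1073741919 * 2 cannot be represented in type 'int'",
    "SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/stb/tests/../stb_image.h:2251:29 in ",
    "src/stb/tests/../stb_image.h:2249:35: runtime error: signed integer overflow: -2147450975 + -32767 cannot be represented in type 'int'",
};

/* Scan a log, collecting up to `max` reports into `out`; returns how many were found. */
static int scan_ubsan_log(const char *const *lines, int n, ubsan_overflow_t *out, int max) {
    int found = 0;
    for (int i = 0; i < n && found < max; i++)
        if (parse_ubsan_overflow(lines[i], &out[found])) found++;
    return found;
}
```

Calling scan_ubsan_log(sample_log, 4, reports, 8) yields the two stb_image.h reports, both confirmed as genuine int overflows, while the INFO and SUMMARY lines are skipped.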

rygorous (Collaborator) commented

Tested and confirmed fixed by Neil's changes now in the dev branch. Will be fixed in the next release.

rygorous added the bug w/ repro and merged-dev (Merged into development branch) labels on Jan 22, 2023
rygorous (Collaborator) commented

Fixed in 2.28.
