
Buffer Overflow in catimg #33

Closed
viniul opened this issue Apr 7, 2018 · 2 comments

Comments


viniul commented Apr 7, 2018

During my research, I have found a global-buffer-overflow in your program
"catimg". I've attached the crashing input. Find below the output of
AddressSanitizer:
crash_catimg

=================================================================
==20758==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000048e740 at pc 0x0000004688ed bp 0x7ffd66701c30 sp 0x7ffd66701c20
READ of size 4 at 0x00000048e740 thread T0
#0 0x4688ec in stbi__extend_receive /home/vincent/tmp/catimg/src/stb_image.h:1667
#1 0x4688ec in stbi__jpeg_decode_block /home/vincent/tmp/catimg/src/stb_image.h:1722
#2 0x4688ec in stbi__parse_entropy_coded_data /home/vincent/tmp/catimg/src/stb_image.h:2487
#3 0x4688ec in stbi__decode_jpeg_image /home/vincent/tmp/catimg/src/stb_image.h:2822
#4 0x4688ec in load_jpeg_image /home/vincent/tmp/catimg/src/stb_image.h:3314
#5 0x4688ec in stbi__jpeg_load /home/vincent/tmp/catimg/src/stb_image.h:3407
#6 0x46be5b in stbi__load_main /home/vincent/tmp/catimg/src/stb_image.h:941
#7 0x48845e in stbi__xload_main /home/vincent/tmp/catimg/src/sh_image.c:72
#8 0x48845e in stbi_xload /home/vincent/tmp/catimg/src/sh_image.c:92
#9 0x48845e in img_load_from_file /home/vincent/tmp/catimg/src/sh_image.c:188
#10 0x404637 in main /home/vincent/tmp/catimg/src/catimg.c:115
#11 0x7f16dfeda82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#12 0x404988 in _start (/home/vincent/tmp/catimg/bin/catimg+0x404988)

0x00000048e740 is located 32 bytes to the left of global variable 'stbi__bmask' defined in '/home/vincent/tmp/catimg/src/stb_image.h:1598:21' (0x48e760) of size 68
0x00000048e740 is located 0 bytes to the right of global variable 'stbi__jbias' defined in '/home/vincent/tmp/catimg/src/stb_image.h:1651:18' (0x48e700) of size 64
SUMMARY: AddressSanitizer: global-buffer-overflow /home/vincent/tmp/catimg/src/stb_image.h:1667 stbi__extend_receive
Shadow bytes around the buggy address:
0x000080089c90: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x000080089ca0: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x000080089cb0: 00 00 00 00 00 00 00 04 f9 f9 f9 f9 00 00 00 00
0x000080089cc0: 00 00 00 00 00 00 00 00 00 00 00 04 f9 f9 f9 f9
0x000080089cd0: 00 00 00 00 00 00 00 00 00 07 f9 f9 f9 f9 f9 f9
=>0x000080089ce0: 00 00 00 00 00 00 00 00[f9]f9 f9 f9 00 00 00 00
0x000080089cf0: 00 00 00 00 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x000080089d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000080089d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000080089d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000080089d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==20758==ABORTING
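The report places the out-of-bounds read in stbi__extend_receive, where a bit length decoded from the file is used to index a 16-entry signed-bias table (the 64-byte stbi__jbias: a read of size 4 located 0 bytes past its end is index 16). The following is an added example, not code from the catimg project or from stb_image: a constructed, simplified model of the JPEG "extend" step with the bounds check that keeps a corrupt bit length from indexing past the table, plus a small symbol-stream walker that stops at the first bad symbol instead of reading out of bounds. The table contents and the (bit-length, bits) input stream are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the JPEG "extend" step, not stb_image's own code.
 * The bias table has 16 entries, matching the 64-byte stbi__jbias that the
 * sanitizer report shows being read 0 bytes past its end. */
#define JBIAS_LEN 16
static const int jbias[JBIAS_LEN] = {
    0, -1, -3, -7, -15, -31, -63, -127,
    -255, -511, -1023, -2047, -4095, -8191, -16383, -32767
};

/* Sign-extend an n-bit magnitude field taken from the top of code_buffer.
 * n comes straight from Huffman-decoded file data, so it is untrusted.
 * Returns 0 and stores the coefficient, or -1 if n is outside the table. */
int extend_receive_checked(uint32_t code_buffer, int n, int *out)
{
    if (n < 0 || n >= JBIAS_LEN)   /* bounds check: reject a corrupt bit length */
        return -1;
    if (n == 0) { *out = 0; return 0; }
    uint32_t k = code_buffer >> (32 - n);   /* the n most significant bits */
    int top_bit = (int)((k >> (n - 1)) & 1u); /* 1 => value is positive as-is */
    *out = top_bit ? (int)k : (int)k + jbias[n];
    return 0;
}

/* One decoded symbol: the bit length n and the bit buffer it is read from.
 * Constructed stand-in for what a Huffman decoder hands to "extend". */
typedef struct { int n; uint32_t bits; } symbol_t;

/* Walk a stream of symbols the way a block decoder would, stopping at the
 * first one that would index past the table.
 * Returns the number of coefficients decoded, or -1 on corrupt input. */
int decode_symbols(const symbol_t *syms, int count, int *coeffs)
{
    for (int i = 0; i < count; i++) {
        if (extend_receive_checked(syms[i].bits, syms[i].n, &coeffs[i]) != 0)
            return -1;
    }
    return count;
}

int main(void)
{
    /* Constructed input: a valid stream, and one whose second symbol carries
     * bit length 16, the first index past the 16-entry table. */
    symbol_t good[] = { {1, 0x80000000u}, {3, 0x40000000u}, {0, 0} };
    symbol_t bad[]  = { {1, 0x80000000u}, {16, 0xFFFF0000u} };
    int coeffs[4];
    printf("valid stream: %d coefficients\n", decode_symbols(good, 3, coeffs));
    printf("corrupt stream: %d (rejected)\n", decode_symbols(bad, 2, coeffs));
    return 0;
}
```

Compiled with `-fsanitize=address`, the unchecked form of this lookup is exactly what produces a report like the one above; with the range check in place the decoder returns an error for the malformed stream and the sanitizer stays quiet, which is the behaviour to test for when confirming a fix against the attached input.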

posva (Owner) commented Apr 7, 2018

I appreciate the report but there's not much anyone can do without a proper repro 🙂
In any case, I welcome PRs to fix the problem if it exists

@posva posva closed this as completed Apr 7, 2018
viniul (Author) commented Apr 7, 2018

Here is a reproduction input: crash_catimg. Keep in mind to compile your program with AddressSanitizer.

Repository owner locked and limited conversation to collaborators Oct 2, 2018
Repository owner deleted a comment from fgeek Oct 7, 2018