Stack buffer overflow found in common_kernels.c

[fCorleone]

==2602==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdc4f3617c at pc 0x0000004b23dd bp 0x7ffdc4f35270 sp 0x7ffdc4f35260
READ of size 4 at 0x7ffdc4f3617c thread T0
#0 0x4b23dc in scale_frame_down2x2_simd_lbd common/common_kernels.c:1849
#1 0x4e57b7 in interpolate_frames_lbd common/temporal_interp.c:950
#2 0x4273b0 in decode_frame dec/decode_frame.c:110
#3 0x402934 in main dec/maindec.c:179
#4 0x7f16740a582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#5 0x406ce8 in _start (/home/mfc_fuzz/thor/build/Thordec+0x406ce8)

Address 0x7ffdc4f3617c is located in stack of thread T0 at offset 2492 in frame
#0 0x4020af in main dec/maindec.c:97

This frame has 9 object(s):
[32, 40) 'infile'
[96, 104) 'outfile'
[160, 172) 'tot_bits'
[224, 352) 'rec_available'
[384, 2472) 'stream' <== Memory access at offset 2492 overflows this variable
[2528, 5696) 'rec'
[5728, 8896) 'ref'
[8928, 33992) 'bit_count'
[34048, 63424) 'decoder_info'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions are supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow common/common_kernels.c:1849 scale_frame_down2x2_simd_lbd
Shadow bytes around the buggy address:
0x1000389debd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000389debe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000389debf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000389dec00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000389dec10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000389dec20: 00 00 00 00 00 00 00 00 00 00 00 00 00 f4 f4[f4]
0x1000389dec30: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
0x1000389dec40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000389dec50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000389dec60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000389dec70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==2602==ABORTING
The input file has been put at :https://github.com/fCorleone/fuzz_programs/blob/master/thor/test2.bit
The command line is ./Thordec test2.bit out
the program was compiled by afl-gcc with ASAN mode.

[stemidts]

Thanks for the report. Can you specify the commit id you're using to decode?

[fCorleone]

I have checked the commit id, it's commit e42047d.It's strange that I cloned the code from the https://github.com/cisco/thor.git 12 days ago. Does it mean that I would get the latest version of the code? But when I check the commit id using command line:

git reflog

I got this :

e42047d HEAD@{0}: clone: from https://github.com/cisco/thor.git

[stemidts]

Duplicate of #36