Heap-buffer-overflow in decompress_frame_fuzzer (oss-fuzz build) #639

@cla7aye15I4nd

Description

A heap-buffer-overflow was detected in decompress_frame_fuzzer built by OSS-Fuzz on commit 9a573833fe58aa422f6bb27455d6812b5fb6ae21. The issue occurred in zlib_wrap_decompress, leading to an overflow in inflate due to a read beyond the allocated buffer.

Details

AddressSanitizer Report

==1125==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5140000003d3 at pc 0x563f8baa4dcc bp 0x7ffe96104b70 sp 0x7ffe96104b68
READ of size 1 at 0x5140000003d3 thread T0
    #0 0x563f8baa4dcb in inflate /src/c-blosc2/internal-complibs/zlib-ng-2.0.7/inflate.c:415:13
    #1 0x563f8b78367e in uncompress2 /src/c-blosc2/internal-complibs/zlib-ng-2.0.7/uncompr.c:67:15
    #2 0x563f8b7838bb in uncompress /src/c-blosc2/internal-complibs/zlib-ng-2.0.7/uncompr.c:84:12
    #3 0x563f8b61676c in zlib_wrap_decompress /src/c-blosc2/blosc/blosc2.c:482:12
    #4 0x563f8b61676c in blosc_d /src/c-blosc2/blosc/blosc2.c:1829:18
    #5 0x563f8b620eba in serial_blosc /src/c-blosc2/blosc/blosc2.c:1969:16
    #6 0x563f8b620eba in do_job /src/c-blosc2/blosc/blosc2.c:2136:15
    #7 0x563f8b610a5d in blosc2_decompress_ctx /src/c-blosc2/blosc/blosc2.c:2938:12
    #8 0x563f8b657f2d in frame_decompress_chunk /src/c-blosc2/blosc/frame.c:3748:24
    #9 0x563f8b632928 in blosc2_schunk_decompress_chunk /src/c-blosc2/blosc/schunk.c:1100:17
    #10 0x563f8b601054 in LLVMFuzzerTestOneInput /src/c-blosc2/tests/fuzz/fuzz_decompress_frame.c:34:15
    #11 0x563f8b4b5a90 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #12 0x563f8b4a0d05 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #13 0x563f8b4a679f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #14 0x563f8b4d1a42 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #15 0x7f9bc1533082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)
    #16 0x563f8b498eed in _start (/out/decompress_frame_fuzzer+0x165eed)

Memory Allocation Details

The overflow occurred immediately after a 403-byte region:

0x5140000003d3 is located 0 bytes after 403-byte region [0x514000000240,0x5140000003d3)
allocated by thread T0 here:
    #0 0x563f8b5c185f in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:68:3
    #1 0x563f8bb2c833 in operator new(unsigned long) cxa_noexception.cpp
    #2 0x563f8b4a0d05 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #3 0x563f8b4a679f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #4 0x563f8b4d1a42 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #5 0x7f9bc1533082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)

Steps to Reproduce

  1. Run decompress_frame_fuzzer built by OSS-Fuzz using the commit 9a573833fe58aa422f6bb27455d6812b5fb6ae21.
    crash-fb585a17f2283a44496fad286e0b95e4072d76fa.zip

  2. The error occurs in zlib_wrap_decompress during the inflate function call in zlib-ng.
