【fuzz】read-heap-buffer-overflow in ZopfliWarmupHash()

【环境信息】
系统：x86
【测试版本】
openEuler-20.03-LTS-SP1
【注意】
受影响版本排查（受影响/不受影响）：
1、master
2、openEuler-LTS-20.03
3、openEuler-LTS-20.03-SP1
4、openEuler-LTS-20.03-Next
5、openEuler-20.09
【测试步骤】
1、编译
python infra/helper.py build_fuzzers --sanitizer=address zopfli
2、执行
python infra/helper.py run_fuzzer zopfli zopfli_compress_fuzzer -rss_limit_mb=0
【报错信息】
```
==13==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000003d1 at pc 0x000000566c88 bp 0x7ffe8d706f40 sp 0x7ffe8d706f38
READ of size 1 at 0x6020000003d1 thread T0
SCARINESS: 12 (1-byte-read-heap-buffer-overflow)
    #0 0x566c87 in ZopfliWarmupHash /src/zopfli/src/zopfli/hash.c:134:22
    #1 0x55e3be in ZopfliLZ77Greedy /src/zopfli/src/zopfli/lz77.c:391:3
    #2 0x564c7b in ZopfliBlockSplit /src/zopfli/src/zopfli/blocksplitter.c:308:3
    #3 0x55578f in DeflateSplittingFirst /src/zopfli/src/zopfli/deflate.c:736:5
    #4 0x554e3d in ZopfliDeflatePart /src/zopfli/src/zopfli/deflate.c:836:7
    #5 0x555c50 in ZopfliDeflate /src/zopfli/src/zopfli/deflate.c:856:5
    #6 0x562964 in ZopfliZlibCompress /src/zopfli/src/zopfli/zlib_container.c:65:3
    #7 0x5538b6 in ZopfliCompress /src/zopfli/src/zopfli/zopfli_lib.c:34:5
    #8 0x55059f in LLVMFuzzerTestOneInput /src/zopfli_compress_fuzzer.cc:41:3
    #9 0x458791 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
    #10 0x457ed5 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:470:3
    #11 0x459fa7 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:698:19
    #12 0x45aa25 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:832:5
    #13 0x4499fe in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:826:6
    #14 0x4721d2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #15 0x7f65bbf4d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #16 0x41e108 in _start (/out/zopfli_compress_fuzzer+0x41e108)

0x6020000003d1 is located 0 bytes to the right of 1-byte region [0x6020000003d0,0x6020000003d1)
allocated by thread T0 here:
    #0 0x54da1d in operator new(unsigned long) /src/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:99:3
    #1 0x551f90 in std::__1::__libcpp_allocate(unsigned long, unsigned long) /usr/local/bin/../include/c++/v1/new:253:10
    #2 0x551f68 in std::__1::allocator<unsigned char>::allocate(unsigned long) /usr/local/bin/../include/c++/v1/memory:1908:34
    #3 0x551ce0 in std::__1::allocator_traits<std::__1::allocator<unsigned char> >::allocate(std::__1::allocator<unsigned char>&, unsigned long) /usr/local/bin/../include/c++/v1/memory:1599:21
    #4 0x5515dc in std::__1::vector<unsigned char, std::__1::allocator<unsigned char> >::__vallocate(unsigned long) /usr/local/bin/../include/c++/v1/vector:996:37
    #5 0x551126 in std::__1::vector<unsigned char, std::__1::allocator<unsigned char> >::vector(unsigned long) /usr/local/bin/../include/c++/v1/vector:1127:9
    #6 0x550ed9 in std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > FuzzedDataProvider::ConsumeBytes<unsigned char>(unsigned long, unsigned long) /usr/local/lib/clang/11.0.0/include/fuzzer/FuzzedDataProvider.h:351:18
    #7 0x550e07 in std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > FuzzedDataProvider::ConsumeBytes<unsigned char>(unsigned long) /usr/local/lib/clang/11.0.0/include/fuzzer/FuzzedDataProvider.h:106:10
    #8 0x550970 in std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > FuzzedDataProvider::ConsumeRemainingBytes<unsigned char>() /usr/local/lib/clang/11.0.0/include/fuzzer/FuzzedDataProvider.h:125:10
    #9 0x55056d in LLVMFuzzerTestOneInput /src/zopfli_compress_fuzzer.cc:39:14
    #10 0x458791 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:556:15
    #11 0x457ed5 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:470:3
    #12 0x459fa7 in fuzzer::Fuzzer::MutateAndTestOne() /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:698:19
    #13 0x45aa25 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:832:5
    #14 0x4499fe in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:826:6
    #15 0x4721d2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:19:10
    #16 0x7f65bbf4d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/zopfli/src/zopfli/hash.c:134:22 in ZopfliWarmupHash
Shadow bytes around the buggy address:
  0x0c047fff8020: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8030: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8040: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fa
  0x0c047fff8050: fa fa 00 fa fa fa 01 fa fa fa 00 00 fa fa 00 00
  0x0c047fff8060: fa fa 00 fa fa fa fd fd fa fa fd fa fa fa fd fa
=>0x0c047fff8070: fa fa 04 fa fa fa 02 fa fa fa[01]fa fa fa fd fa
  0x0c047fff8080: fa fa 02 fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==13==ABORTING
MS: 1 CrossOver-; base unit: adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
0xa,0xa,
\x0a\x0a
artifact_prefix='./'; Test unit written to ./crash-71853c6197a6a7f222db0f1978c7cb232b87c5ee
```

fix:https://github.com/google/zopfli/commit/9429e20de3885c0e0d9beac23f703fce58461021

src-openEuler/zopfli

内容风险标识

评论 (2)

src-openEuler/zopfli .gitee-modal { width: 500px !important; }

内容风险标识