heap-based buffer overflow in ulaw2linear_buf #46

Open
insuyun opened this issue Aug 19, 2017 · 1 comment
Comments

insuyun commented Aug 19, 2017

https://github.com/jakkdu/poc/blob/master/000008-audiofile-heapovfl-ulaw2linear_buf

./sfconvert $FILE out.mp3 format aiff
=================================================================
==46598==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ec31 at pc 0x00000040fe03 bp 0x7ffdd71ea8d0 sp 0x7ffdd71ea8c0
READ of size 1 at 0x60200000ec31 thread T0
    #0 0x40fe02 in ulaw2linear_buf /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/modules/G711.cpp:42
    #1 0x40fe02 in G711::runPull() /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/modules/G711.cpp:207
    #2 0x4074ef in afReadFrames /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/data.cpp:222
    #3 0x402287 in copyaudiodata /home/insu/projects/qsym-eval/apps/audiofile/audiofile/sfcommands/sfconvert.c:370
    #4 0x402f4d in main /home/insu/projects/qsym-eval/apps/audiofile/audiofile/sfcommands/sfconvert.c:275
    #5 0x7f7f2d27282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x401f48 in _start (/home/insu/projects/qsym-eval/apps/audiofile/out/build-asan/sfconvert+0x401f48)

0x60200000ec31 is located 0 bytes to the right of 1-byte region [0x60200000ec30,0x60200000ec31)
allocated by thread T0 here:
    #0 0x7f7f2dd40532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
    #1 0x419243 in Chunk::allocate(unsigned long) /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/modules/Module.h:59
    #2 0x419243 in ModuleState::setup(_AFfilehandle*, Track*) /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/modules/ModuleState.cpp:174
    #3 0x407f74 in afGetFrameCount /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/format.cpp:205
    #4 0x402252 in copyaudiodata /home/insu/projects/qsym-eval/apps/audiofile/audiofile/sfcommands/sfconvert.c:359
    #5 0x402f4d in main /home/insu/projects/qsym-eval/apps/audiofile/audiofile/sfcommands/sfconvert.c:275
    #6 0x7f7f2d27282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/modules/G711.cpp:42 ulaw2linear_buf
Shadow bytes around the buggy address:
  0x0c047fff9d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9d80: fa fa fa fa fa fa[01]fa fa fa 00 00 fa fa 00 fa
  0x0c047fff9d90: fa fa fd fa fa fa 01 fa fa fa 01 fa fa fa 01 fa
  0x0c047fff9da0: fa fa 01 fa fa fa 01 fa fa fa 01 fa fa fa 01 fa
  0x0c047fff9db0: fa fa 01 fa fa fa 00 01 fa fa fd fa fa fa fd fa
  0x0c047fff9dc0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff9dd0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==46598==ABORTING
insuyun commented Aug 19, 2017

Looks like the same one, but with a different call stack.
https://github.com/jakkdu/poc/blob/master/000009-audiofile-heapovfl-SwapModule_runSwap

=================================================================
==47364==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001c900 at pc 0x00000041ccea bp 0x7ffce60361d0 sp 0x7ffce60361c0
READ of size 4 at 0x62100001c900 thread T0
    #0 0x41cce9 in void SwapModule::runSwap<4, int>(int const*, int*, int) /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/modules/SimpleModule.h:82
    #1 0x41cce9 in void SwapModule::run<4, int>(Chunk&, Chunk&) /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/modules/SimpleModule.h:74
    #2 0x41cce9 in SwapModule::run(Chunk&, Chunk&) /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/modules/SimpleModule.h:61
    #3 0x420a1a in SimpleModule::runPull() /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/modules/SimpleModule.cpp:29
    #4 0x4074ef in afReadFrames /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/data.cpp:222
    #5 0x402287 in copyaudiodata /home/insu/projects/qsym-eval/apps/audiofile/audiofile/sfcommands/sfconvert.c:370
    #6 0x402f4d in main /home/insu/projects/qsym-eval/apps/audiofile/audiofile/sfcommands/sfconvert.c:275
    #7 0x7f7b95ea882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x401f48 in _start (/home/insu/projects/qsym-eval/apps/audiofile/out/build-asan/sfconvert+0x401f48)

0x62100001c900 is located 0 bytes to the right of 4096-byte region [0x62100001b900,0x62100001c900)
allocated by thread T0 here:
    #0 0x7f7b96976532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
    #1 0x419243 in Chunk::allocate(unsigned long) /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/modules/Module.h:59
    #2 0x419243 in ModuleState::setup(_AFfilehandle*, Track*) /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/modules/ModuleState.cpp:174
    #3 0x407f74 in afGetFrameCount /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/format.cpp:205
    #4 0x402252 in copyaudiodata /home/insu/projects/qsym-eval/apps/audiofile/audiofile/sfcommands/sfconvert.c:359
    #5 0x402f4d in main /home/insu/projects/qsym-eval/apps/audiofile/audiofile/sfcommands/sfconvert.c:275
    #6 0x7f7b95ea882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/modules/SimpleModule.h:82 void SwapModule::runSwap<4, int>(int const*, int*, int)
Shadow bytes around the buggy address:
  0x0c427fffb8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffb8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffb8f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffb900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffb910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fffb920:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==47364==ABORTING
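Both traces above have the same shape: the input chunk is allocated in ModuleState::setup with one size (1 byte in the first report, 4096 bytes in the second), and the module's run function later walks it for the number of frames the consumer asked afReadFrames for, reading past the end. The block below is an added example, not code from libaudiofile or from the issue: a G.711 mu-law decoder over a chunk, first in the unchecked shape the traces point at, then with the request reconciled against the bytes the chunk actually holds. struct chunk, chunk_frames_available and the *_unchecked / *_checked function names are hypothetical stand-ins, and the inputs are constructed.

```c
/* Added example, not libaudiofile code: G.711 mu-law decoding over a
 * pull-style chunk, unchecked and checked. struct chunk and the helper
 * names are hypothetical stand-ins; all inputs are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Standard G.711 mu-law expansion (the usual Sun/CCITT reference algorithm). */
static int16_t ulaw2linear(uint8_t u)
{
    u = (uint8_t)~u;
    int t = ((u & 0x0f) << 3) + 0x84;
    t <<= (u & 0x70) >> 4;
    return (int16_t)((u & 0x80) ? (0x84 - t) : (t - 0x84));
}

/* Hypothetical input descriptor: a byte buffer and the size it was allocated with. */
struct chunk {
    const uint8_t *data;
    size_t         bytes;
};

/* Frames the chunk can actually supply for a given frame size
 * (4096 bytes / 4-byte samples = 1024 frames for the second trace). */
static size_t chunk_frames_available(const struct chunk *in, size_t bytes_per_frame)
{
    return bytes_per_frame ? in->bytes / bytes_per_frame : 0;
}

/* Unchecked decoder: trusts the caller's frame count. When the request exceeds
 * the bytes the chunk was allocated with (1 byte in the first trace above),
 * in[i] reads past the allocation, which is what ASan reports. */
static void ulaw2linear_buf_unchecked(const uint8_t *in, int16_t *out, size_t frames)
{
    for (size_t i = 0; i < frames; i++)
        out[i] = ulaw2linear(in[i]);
}

/* Checked decoder: decodes no more than the chunk holds and no more than the
 * output can take, and returns the count so the caller can shorten its request. */
static size_t ulaw2linear_buf_checked(const struct chunk *in, int16_t *out,
                                      size_t out_frames, size_t requested)
{
    size_t n = chunk_frames_available(in, 1);   /* one byte per mono mu-law frame */
    if (requested < n) n = requested;
    if (out_frames < n) n = out_frames;
    for (size_t i = 0; i < n; i++)
        out[i] = ulaw2linear(in->data[i]);
    return n;
}

/* Constructed scenario mirroring the first trace: a 1-byte input chunk while
 * the consumer asks for 4 frames. Returns how many frames were safely decoded. */
static size_t demo_short_chunk(void)
{
    static const uint8_t one_byte[1] = { 0x00 };    /* constructed input: mu-law 0x00 */
    struct chunk in = { one_byte, sizeof one_byte };
    int16_t out[4] = { 0 };
    return ulaw2linear_buf_checked(&in, out, 4, 4);
}

int main(void)
{
    printf("requested 4 frames, chunk holds 1: decoded %zu frame(s)\n", demo_short_chunk());

    /* The unchecked path is only safe when the request matches the allocation. */
    uint8_t in[4] = { 0xff, 0x7f, 0x00, 0x80 };    /* constructed: 0, -0, min, max */
    int16_t out[4];
    ulaw2linear_buf_unchecked(in, out, sizeof in);
    for (size_t i = 0; i < 4; i++)
        printf("ulaw 0x%02x -> %d\n", in[i], out[i]);
    return 0;
}
```

The point of the checked variant is where the clamp lives: the decoder takes its limit from the chunk's own allocated size rather than from the frame count handed down by afReadFrames, so a file whose headers promise more frames than the setup path actually allocated for can only shorten the read, not extend it. The same rule applies to the byte-swap path in the second trace, with the element size (4 bytes for the int instantiation) dividing the chunk size instead of 1.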
