
Heap buffer overflow in libaudiofile/File.cpp:126 #70

@xiaoxiaoafeifei

Description


One heap buffer overflow in FilePOSIX::read in File.cpp:126 in the master branch.
poc1.zip

$uname -a
Linux 73a0f8d605fe 6.11.9-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.11.9-1 (2024-11-17) x86_64 x86_64 x86_64 GNU/Linux

$/usr/local/bin/sfconvert poc1 output format voc
asan:
==2213150==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000004ed0 at pc 0x7f151e33d57f bp 0x7ffe2f71df60 sp 0x7ffe2f71d718
WRITE of size 32896 at 0x625000004ed0 thread T0
#0 0x7f151e33d57e in __interceptor_read ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1028
#1 0x7f151e142064 in FilePOSIX::read(void*, unsigned long) /root/fuzz/fuzz_audiofile/audiofile/libaudiofile/File.cpp:126
#2 0x7f151e220473 in FileModule::read(void*, unsigned long) /root/fuzz/fuzz_audiofile/audiofile/libaudiofile/modules/FileModule.cpp:42
#3 0x7f151e21bd65 in BlockCodec::runPull() /root/fuzz/fuzz_audiofile/audiofile/libaudiofile/modules/BlockCodec.cpp:49
#4 0x7f151e23075f in Module::pull(unsigned long) /root/fuzz/fuzz_audiofile/audiofile/libaudiofile/modules/Module.cpp:71
#5 0x7f151e27fe5e in RebufferModule::runPull() /root/fuzz/fuzz_audiofile/audiofile/libaudiofile/modules/RebufferModule.cpp:122
#6 0x7f151e1e76df in afReadFrames /root/fuzz/fuzz_audiofile/audiofile/libaudiofile/data.cpp:222
#7 0x55b8b4816af4 in copyaudiodata /root/fuzz/fuzz_audiofile/audiofile/sfcommands/sfconvert.c:340
#8 0x55b8b48163de in main /root/fuzz/fuzz_audiofile/audiofile/sfcommands/sfconvert.c:248
#9 0x7f151dee7d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
#10 0x7f151dee7e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f)
#11 0x55b8b4812784 in _start (/usr/local/bin/sfconvert+0x3784)

0x625000004ed0 is located 0 bytes to the right of 9680-byte region [0x625000002900,0x625000004ed0)
allocated by thread T0 here:
#0 0x7f151e3b41e7 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:99
#1 0x7f151e1e846b in Chunk::allocate(unsigned long) /root/fuzz/fuzz_audiofile/audiofile/libaudiofile/modules/Module.h:59
#2 0x7f151e234a4a in ModuleState::setup(_AFfilehandle*, Track*) /root/fuzz/fuzz_audiofile/audiofile/libaudiofile/modules/ModuleState.cpp:174
#3 0x7f151e1f699b in afGetFrameCount /root/fuzz/fuzz_audiofile/audiofile/libaudiofile/format.cpp:205
#4 0x55b8b48169f8 in copyaudiodata /root/fuzz/fuzz_audiofile/audiofile/sfcommands/sfconvert.c:329
#5 0x55b8b48163de in main /root/fuzz/fuzz_audiofile/audiofile/sfcommands/sfconvert.c:248
#6 0x7f151dee7d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1028 in __interceptor_read
Shadow bytes around the buggy address:
0x0c4a7fff8980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff8990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff89a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff89b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff89c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a7fff89d0: 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa
0x0c4a7fff89e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff89f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8a10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8a20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2213150==ABORTING
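The trace above records a 32896-byte read(2) landing in a 9680-byte heap chunk allocated by Chunk::allocate: the request size came from the input, the destination size did not, and nothing compared the two before the syscall. The following C example is added here for illustration and is not audiofile's code or its fix; it shows the defensive pattern of carrying a buffer's capacity next to its pointer and refusing any read whose requested length exceeds it, so the check happens before the kernel writes anything. All names (chunk_t, read_fits, bounded_read, demo_bounded_read) are hypothetical, and the demo feeds constructed bytes through a pipe so it runs offline.

```c
/* Added example, not audiofile's own code: a bounded read wrapper that
 * refuses to read more bytes into a buffer than the buffer can hold.
 * The sanitizer trace shows a 32896-byte read(2) into a 9680-byte heap
 * chunk; the check below rejects such a request before read(2) runs.
 * All names here (chunk_t, bounded_read, demo_bounded_read) are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Destination buffer together with its capacity, so the two cannot drift apart. */
typedef struct {
    unsigned char *data;
    size_t capacity;
} chunk_t;

/* Returns 1 if a read of `requested` bytes fits in `capacity` bytes, else 0. */
int read_fits(size_t requested, size_t capacity)
{
    return requested <= capacity;
}

/* Read up to `requested` bytes from fd into the chunk.
 * Returns the byte count read (>= 0); returns -1 with errno = EINVAL when the
 * request exceeds the chunk's capacity, or -1 with errno set by read(2). */
ssize_t bounded_read(int fd, chunk_t *dst, size_t requested)
{
    if (dst == NULL || dst->data == NULL || !read_fits(requested, dst->capacity)) {
        errno = EINVAL;
        return -1;
    }
    return read(fd, dst->data, requested);
}

/* Self-contained demonstration using a pipe as the data source.
 * Returns 0 when the oversize request is rejected and the in-bounds request
 * is served; a negative code identifies the step that failed. */
int demo_bounded_read(void)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;

    /* Constructed input: 64 bytes of 'A', more than the 32-byte chunk holds. */
    unsigned char payload[64];
    memset(payload, 'A', sizeof payload);
    if (write(fds[1], payload, sizeof payload) != (ssize_t)sizeof payload) {
        close(fds[0]);
        close(fds[1]);
        return -2;
    }
    close(fds[1]);

    unsigned char storage[32];
    chunk_t chunk = { storage, sizeof storage };
    int rc = 0;

    /* Oversize request (100 bytes into 32): refused before read(2) touches memory. */
    errno = 0;
    if (bounded_read(fds[0], &chunk, 100) != -1 || errno != EINVAL)
        rc = -3;

    /* In-bounds request: served normally, never past the chunk's end. */
    if (rc == 0 && bounded_read(fds[0], &chunk, sizeof storage) != (ssize_t)sizeof storage)
        rc = -4;

    close(fds[0]);
    return rc;
}

int main(void)
{
    int rc = demo_bounded_read();
    printf("demo_bounded_read: %s (rc=%d)\n", rc == 0 ? "ok" : "failed", rc);
    /* The sizes from the sanitizer report: the request does not fit the chunk. */
    printf("read_fits(32896, 9680) = %d\n", read_fits(32896, 9680));
    return rc == 0 ? 0 : 1;
}
```

With the sizes from the report, read_fits(32896, 9680) returns 0, which is the decision a decoder's pull path needs to make before handing a caller-chosen length to the file layer; returning an error there turns a heap write past the allocation into an ordinary failed read that the caller can report.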
