
Segmentation fault (ASAN: heap-buffer-overflow) on cmft::imageLoadStb #50

Open
strongcourage opened this issue May 27, 2019 · 0 comments

Comments

@strongcourage

Hi,

Our fuzzer found a crash due to a heap buffer overflow in the function cmft::imageLoadStb. I built cmft (the latest commit 06a3516 on master) using the configuration "release64" on Ubuntu 16.04 (64-bit).

PoC_hbo_imageLoadStb: https://github.com/strongcourage/PoCs/blob/master/cmft_06a3516/PoC_hbo_imageLoadStb

cmftRelease --input PoC_hbo_imageLoadStb --output0 /dev/null
CMFT WARNING: Non-supported Tga pixel depth - 16.
Segmentation fault

ASAN says:

cmftRelease-asan --input PoC_hbo_imageLoadStb --output0 /dev/null
CMFT WARNING: Non-supported Tga pixel depth - 16.
=================================================================
==23686==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f2300b067c0 at pc 0x00000046aa09 bp 0x7ffd0f70a460 sp 0x7ffd0f70a450
READ of size 1 at 0x7f2300b067c0 thread T0
    #0 0x46aa08 in stbi__tga_load ../../dependency/stb/stb_image.h:5250
    #1 0x46aa08 in stbi__load_main ../../dependency/stb/stb_image.h:972
    #2 0x46d0f9 in stbi__load_flip ../../dependency/stb/stb_image.h:980
    #3 0x46d0f9 in stbi_load_from_file ../../dependency/stb/stb_image.h:1056
    #4 0x46d0f9 in stbi_load ../../dependency/stb/stb_image.h:1046
    #5 0x434b59 in cmft::imageLoadStb(cmft::Image&, char const*, cmft::TextureFormat::Enum, cmft::AllocatorI*) ../../src/cmft/image.cpp:5081
    #6 0x475574 in cmftMain(int, char const* const*) ../../src/cmft_cli/cmft_cli.h:896
    #7 0x7f24122b182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x403608 in _start (/home/dungnguyen/PoCs/cmft_06a3516/cmftRelease-asan+0x403608)

0x7f2300b067c0 is located 64 bytes to the left of 4547643200-byte region [0x7f2300b06800,0x7f240fbfef40)
allocated by thread T0 here:
    #0 0x7f24135bd602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x468316 in stbi__malloc ../../dependency/stb/stb_image.h:900
    #2 0x468316 in stbi__tga_load ../../dependency/stb/stb_image.h:5146
    #3 0x468316 in stbi__load_main ../../dependency/stb/stb_image.h:972
    #4 0x7ffd0f70aa2f  (<unknown module>)
    #5 0x7ffd0f70a93f  (<unknown module>)
    #6 0x7ffd0f70aedf  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../dependency/stb/stb_image.h:5250 stbi__tga_load
Shadow bytes around the buggy address:
  0x0fe4e0158ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe4e0158cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe4e0158cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe4e0158cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe4e0158ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0fe4e0158cf0: fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa
  0x0fe4e0158d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe4e0158d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe4e0158d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe4e0158d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe4e0158d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==23686==ABORTING

Thanks,
Manh Dung
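As an added defensive illustration (not cmft's or stb_image's own code): the report shows the TGA decoder allocating a roughly 4.5 GB buffer from header-declared geometry and then reading 64 bytes before it, after cmft had already warned that 16-bit TGA is unsupported. A caller can inspect the fixed 18-byte TGA header and refuse such files before the decoder allocates anything; the function names, the 24/32-bit acceptance list and the 256 MiB budget below are assumptions, and the headers are constructed test data.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TGA_HEADER_LEN 18
/* Result of the pre-decode header check (hypothetical helper, not cmft's own API). */
enum tga_check {
    TGA_OK = 0,
    TGA_TRUNCATED,   /* fewer than the 18 bytes every TGA header occupies */
    TGA_BAD_DEPTH,   /* pixel depth this pipeline does not accept */
    TGA_EMPTY,       /* zero width or height */
    TGA_TOO_LARGE    /* decoded pixels would exceed the caller's memory budget */
};
static uint16_t rd16le(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Inspect only the fixed 18-byte TGA header and decide whether the file may be
 * handed to the decoder. max_bytes is the largest decoded buffer we will allow. */
enum tga_check tga_precheck(const unsigned char *buf, size_t len, uint64_t max_bytes)
{
    if (len < TGA_HEADER_LEN) return TGA_TRUNCATED;
    uint16_t width  = rd16le(buf + 12);
    uint16_t height = rd16le(buf + 14);
    uint8_t  depth  = buf[16];                    /* bits per pixel */
    /* Accept only depths the rest of the pipeline handles (24/32 here); cmft's own
       warning in the report shows 16-bit TGA is not one it supports. */
    if (depth != 24 && depth != 32) return TGA_BAD_DEPTH;
    if (width == 0 || height == 0) return TGA_EMPTY;
    /* 65535 * 65535 * 4 fits easily in uint64_t, so this product cannot wrap. */
    uint64_t bytes = (uint64_t)width * height * (depth / 8);
    return bytes > max_bytes ? TGA_TOO_LARGE : TGA_OK;
}

/* Build an 18-byte true-colour TGA header with the given geometry (constructed test data). */
void tga_make_header(unsigned char out[TGA_HEADER_LEN], uint16_t w, uint16_t h, uint8_t depth)
{
    memset(out, 0, TGA_HEADER_LEN);
    out[2]  = 2;                                  /* image type 2: uncompressed true-colour */
    out[12] = (unsigned char)(w & 0xff); out[13] = (unsigned char)(w >> 8);
    out[14] = (unsigned char)(h & 0xff); out[15] = (unsigned char)(h >> 8);
    out[16] = depth;
}

int main(void)
{
    unsigned char hdr[TGA_HEADER_LEN];
    tga_make_header(hdr, 65535, 65535, 32);       /* ~16 GiB of pixels: refuse before decoding */
    printf("check result: %d\n", (int)tga_precheck(hdr, sizeof hdr, 256ull << 20));
    return 0;
}
```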
