Attached is a zip with the file needed to reproduce this.
=================================================================
==44434==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x73a3139ff800 at pc 0x5d6de0a14ac3 bp 0x7ffe52fcbcf0 sp 0x7ffe52fcbce8
WRITE of size 1 at 0x73a3139ff800 thread T0
#0 0x5d6de0a14ac2 in read_bitstream <removed>/app/oapv_app_dec.c:198:35
#1 0x5d6de0a11ba1 in main <removed>/app/oapv_app_dec.c:502:21
#2 0x73a31617d249 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#3 0x73a31617d304 in __libc_start_main csu/../csu/libc-start.c:360:3
#4 0x5d6de0950420 in _start (<removed>/build/bin/oapv_app_dec+0x51420) (BuildId: 56db50aa25683e3033552d96267c16b1450aad86)
0x73a3139ff800 is located 0 bytes to the right of 134217728-byte region [0x73a30b9ff800,0x73a3139ff800)
allocated by thread T0 here:
#0 0x5d6de09d326e in __interceptor_malloc (<removed>/build/bin/oapv_app_dec+0xd426e) (BuildId: 56db50aa25683e3033552d96267c16b1450aad86)
#1 0x5d6de0a118c6 in main <removed>/app/oapv_app_dec.c:464:14
#2 0x73a31617d249 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: heap-buffer-overflow <removed>/app/oapv_app_dec.c:198:35 in read_bitstream
Shadow bytes around the buggy address:
0x0e74e2737eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0e74e2737ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0e74e2737ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0e74e2737ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0e74e2737ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0e74e2737f00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0e74e2737f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0e74e2737f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0e74e2737f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0e74e2737f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0e74e2737f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==44434==ABORTING
./oapv_app_dec -i ./poc_au_size_overflow.apv -m 1 -v 0Attached is a zip with the file needed to reproduce this.
ASAN Trace
poc.zip