[0.4.x] Plugin "gforce": heap-use-after-free in method PixPort::Fade

[hartwork]

I ran into this unfixed heap-use-after-free today:

[..]
Switching to actor 'gforce'...
=================================================================
==32059==ERROR: AddressSanitizer: heap-use-after-free on address 0x7fc836f480ac at pc 0x7fc8457252c9 bp 0x7fff991274d0 sp 0x7fff991274c0
READ of size 1 at 0x7fc836f480ac thread T0
    #0 0x7fc8457252c8 in PixPort::Fade(char const*, char*, int, int, int, unsigned int*) [..]/libvisual-plugins/plugins/actor/G-Force/Common/UI/PixPort.cpp:933
    #1 0x7fc845705657 in PixPort::Fade(PixPort&, DeltaFieldData*) ../../../../plugins/actor/G-Force/Common/UI/Headers/PixPort.h:166
    #2 0x7fc845705657 in GForce::RecordSample(long) [..]/libvisual-plugins/plugins/actor/G-Force/GForceCommon/G-Force.cpp:926
    #3 0x7fc8457065f9 in GForce::RecordSample(long, float*, float, long, float*, float, long) [..]/libvisual-plugins/plugins/actor/G-Force/GForceCommon/G-Force.cpp:891
    #4 0x7fc845735366 in lv_gforce_render [..]/libvisual-plugins/plugins/actor/G-Force/unix/libvisual/actor_gforce.cpp:264
    #5 0x7fc84929dce4 in visual_actor_run [..]/libvisual/libvisual/lv_actor.c:774
    #6 0x7fc8492a3af7 in visual_bin_run [..]/libvisual/libvisual/lv_bin.c:867
    #7 0x55ba5dffc6f3 in LV::Bin::run() [..]/libvisual/tools/lv-tool/lv-tool.cpp:111
    #8 0x55ba5dffc6f3 in main [..]/libvisual/tools/lv-tool/lv-tool.cpp:936
    #9 0x7fc848d7d209  (/lib64/libc.so.6+0x2a209)
    #10 0x7fc848d7d2bb in __libc_start_main (/lib64/libc.so.6+0x2a2bb)
    #11 0x55ba5dff9890 in _start ([..]/INSTALL_PREFIX/bin/lv-tool-0.4+0x5890)

0x7fc836f480ac is located 39084 bytes inside of 269280-byte region [0x7fc836f3e800,0x7fc836f803e0)
freed by thread T0 here:
    #0 0x7fc8493ff5df in __interceptor_free /var/tmp/portage/sys-devel/gcc-11.3.1_p20230120-r1/work/gcc-11-20230120/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x7fc8421ed3f3  (/usr/lib64/dri/crocus_dri.so+0x1213f3)

previously allocated by thread T0 here:
    #0 0x7fc84940060a in __interceptor_posix_memalign /var/tmp/portage/sys-devel/gcc-11.3.1_p20230120-r1/work/gcc-11-20230120/libsanitizer/asan/asan_malloc_linux.cpp:226
    #1 0x7fc8421ec448  (/usr/lib64/dri/crocus_dri.so+0x120448)

SUMMARY: AddressSanitizer: heap-use-after-free [..]/libvisual-plugins/plugins/actor/G-Force/Common/UI/PixPort.cpp:933 in PixPort::Fade(char const*, char*, int, int, int, unsigned int*)
Shadow bytes around the buggy address:
  0x0ff986de0fc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff986de0fd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff986de0fe0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff986de0ff0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff986de1000: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0ff986de1010: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
  0x0ff986de1020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff986de1030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff986de1040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff986de1050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0ff986de1060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==32059==ABORTING

[kaixiong]

My guess is that Fade() is sampling outside of the inSrce buffer due to either some arithmetic error in the Fade() function, or the population of the grad array argument.

This is the critical path:

#define HALFCORD	0x007F  /* 16 bits per cord, 8 bits for fixed decimal, 8 bits for whole number */
...
// Setup the source row base address and offset to allow for negative grad components
srce = inSrce - HALFCORD * inBytesPerRow - HALFCORD;
...
// Format of each long:
// High byte: x (whole part), High-low byte: x (frac part)
// Low-high byte: y (whole part), Low byte: y (frac part)
u1 = *grad;
grad++;
...
srceMap = srce + ( u1 >> 14 );
v = ( u1 >> 7 ) & 0x7F;		// frac part of x
u = ( u1      ) & 0x7F;		// frac part of y
...
/* Bilinear interpolation to approximate the source pixel value... */
/* P1 - P2  */
/* |     |  */
/* P3 - P4  */
P1  = ( (unsigned char*) srceMap )[0];
P2  = ( (unsigned char*) srceMap )[1];
...
P3  = ( (unsigned char*) srceMap )[ inBytesPerRow ];
P4  = ( (unsigned char*) srceMap )[ inBytesPerRow + 1 ];

(0x7F is 1111111)

So, grad contains uint32_t values that each encode a 2D point or vector in fixed point. However, the code and comments disagree on how!

The code appears to indicate that the fractional parts of x and y are encoded in bits 7-13 and bits 0-6 respectively. On the other hand, the comment ("Format of each long ...") indicates that x and y are encoded in the high and low word respectively.