CPC ay parser out of bounds heap memory read

The file PMD_4.ay from the Project AY [1], downloadable in this archive [2], causes an invalid memory read in the function Ay_Apu::run_until(), detectable with address sanitizer. I'll attach the file.

[1] http://www.worldofspectrum.org/projectay/gdmusic.htm [2] http://projectay.dl.spilsby.net/Update-06March2008.zip

ASAN stack trace:

==7799==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000026484 at pc 0x7f3e0736831c bp 0x7ffce10085b0 sp 0x7ffce10085a8
READ of size 1 at 0x631000026484 thread T0
    #0 0x7f3e0736831b in Ay_Apu::run_until(int) /mnt/ram/game-music-emu/gme/Ay_Apu.cpp:214:13
    #1 0x7f3e073a240e in Ay_Apu::end_frame(int) /mnt/ram/game-music-emu/gme/Ay_Apu.h:100:3
    #2 0x7f3e073a240e in Ay_Emu::run_clocks(int&, int) /mnt/ram/game-music-emu/gme/Ay_Emu.cpp:402
    #3 0x7f3e0734112d in Classic_Emu::play_(long, short*) /mnt/ram/game-music-emu/gme/Classic_Emu.cpp:113:4
    #4 0x7f3e073618b2 in Music_Emu::emu_play(long, short*) /mnt/ram/game-music-emu/gme/Music_Emu.cpp:305:23
    #5 0x7f3e073618b2 in Music_Emu::fill_buf() /mnt/ram/game-music-emu/gme/Music_Emu.cpp:327
    #6 0x7f3e07361070 in Music_Emu::start_track(int) /mnt/ram/game-music-emu/gme/Music_Emu.cpp:150:4
    #7 0x5073d7 in main /mnt/ram/game-music-emu/demo/basics.c:26:16
    #8 0x7f3e0605f690 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #9 0x419e28 in _start (/mnt/ram/game-music-emu/b/demo/demo+0x419e28)

0x631000026484 is located 4364 bytes to the right of 68472-byte region [0x631000014800,0x631000025378)
allocated by thread T0 here:
    #0 0x4ca208 in __interceptor_malloc (/mnt/ram/game-music-emu/b/demo/demo+0x4ca208)
    #1 0x7f3e073a275f in Gme_File::operator new(unsigned long) /mnt/ram/game-music-emu/gme/Gme_File.h:107:2
    #2 0x7f3e073a275f in new_ay_emu() /mnt/ram/game-music-emu/gme/Ay_Emu.cpp:116

Comments (2)