CVE-2017-14633: an out-of-bounds array read vulnerability in function mapping0_forward() in libvorbis 1.3.5
╭─root@linux-jiangxin in /home/jiangxin/experiment/fuzz/AFL/target/libtheora-1.1.1/examples
╰$ gdb encoder_example
GNU gdb (GDB) 7.9
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from encoder_example...done.
(gdb) run ../fuzz/crash-oob-read xxx.y4m

Program received signal SIGSEGV, Segmentation fault.
0x00000000005754f9 in mapping0_forward (vb=<optimized out>) at mapping0.c:501
500	      if(ci->floor_type[info->floorsubmap[submap]]!=1)return(-1);
(gdb) bt
#0  0x00000000005754f9 in mapping0_forward (vb=<optimized out>) at mapping0.c:500
#1  0x00000000004d3512 in vorbis_analysis (vb=vb@entry=0x7fffffffdbe0, op=op@entry=0x0) at analysis.c:47
#2  0x0000000000410926 in fetch_and_process_audio (audio=0x83b010, audiopage=audiopage@entry=0x7fffffffda40, vo=vo@entry=0x7fffffffde40, vd=vd@entry=0x7fffffffdb50, vb=vb@entry=0x7fffffffdbe0, audioflag=audioflag@entry=0) at encoder_example.c:996
#3  0x0000000000405a9b in main (argc=<optimized out>, argv=<optimized out>) at encoder_example.c:1754
(gdb) i r
rax            0x84b420            8696864
rbx            0x1d3c1a0           30654880
rcx            0x100               256
rdx            0x1e332a0           31666848
rsi            0x1e32e70           31665776
rdi            0x85f000            8777728
rbp            0x7fffffffc850      0x7fffffffc850
rsp            0x7fffffff9ee0      0x7fffffff9ee0
r8             0x1a9b500           27899136
r9             0x8494f0            8688880
r10            0x3e9b02c6          1050346182
r11            0xfe                254
r12            0x1a9b900           27900160
r13            0x84e0e4            8708324
r14            0x84cc00            8702976
r15            0x1b93728           28915496
rip            0x5754f9            0x5754f9 <mapping0_forward+5737>
eflags         0x10246             [ PF ZF IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
(gdb) x/i $pc
=> 0x5754f9 <mapping0_forward+5737>:	cmpl   $0x1,0x528(%r9,%r10,4)
(gdb) x/128xb $r9+$r10*4+0x528
0xfaf0a530:	Cannot access memory at address 0xfaf0a530
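The triage step the session above performs by hand (take the faulting instruction's memory operand, plug in the register values, see where the read landed) is easy to automate. The following is an added example, not part of the original crash report: it parses the `i r` dump and the `cmpl $0x1,0x528(%r9,%r10,4)` line copied from the report, decodes the AT&T memory operand, and recomputes the effective address, which comes out to the same 0xfaf0a530 that GDB could not read. The scale of 4 matches an `int` array, and the index register r10 holds a value of about one billion, so the out-of-range component is the index taken from floorsubmap, not the base pointer. The helper names (`parse_registers`, `effective_address`, `triage`) and the 65536-element "plausible index" threshold are this example's own choices, not libvorbis or GDB identifiers.

```python
"""Crash triage helper for an indexed out-of-bounds read (added example,
not code from the CVE-2017-14633 report or from libvorbis)."""
import re

# Register dump constructed from the `i r` output in the report above.
GDB_INFO_REGISTERS = """\
rax            0x84b420            8696864
rbx            0x1d3c1a0           30654880
rcx            0x100               256
rdx            0x1e332a0           31666848
rsi            0x1e32e70           31665776
rdi            0x85f000            8777728
rbp            0x7fffffffc850      0x7fffffffc850
rsp            0x7fffffff9ee0      0x7fffffff9ee0
r8             0x1a9b500           27899136
r9             0x8494f0            8688880
r10            0x3e9b02c6          1050346182
r11            0xfe                254
r12            0x1a9b900           27900160
r13            0x84e0e4            8708324
r14            0x84cc00            8702976
r15            0x1b93728           28915496
rip            0x5754f9            0x5754f9 <mapping0_forward+5737>
eflags         0x10246             [ PF ZF IF RF ]
"""

# The instruction GDB disassembled at $pc in the report.
FAULTING_INSN = "cmpl $0x1,0x528(%r9,%r10,4)"

_REG_LINE = re.compile(r"^(\w+)\s+(0x[0-9a-fA-F]+)")
# AT&T memory operand: [disp](base[,index[,scale]])
_MEM_OPERAND = re.compile(
    r"(?P<disp>-?0x[0-9a-fA-F]+|-?\d+)?"
    r"\((?P<base>%\w+)?(?:,(?P<index>%\w+)(?:,(?P<scale>[1248]))?)?\)"
)


def parse_registers(dump: str) -> dict:
    """Map register names to integer values from `info registers` text."""
    regs = {}
    for line in dump.splitlines():
        m = _REG_LINE.match(line)
        if m:
            regs[m.group(1)] = int(m.group(2), 16)
    return regs


def _signed64(value: int) -> int:
    """Interpret a 64-bit register value as a signed index."""
    return value - (1 << 64) if value >= (1 << 63) else value


def effective_address(insn: str, regs: dict) -> dict:
    """Decode the first AT&T memory operand in insn and compute its address."""
    m = _MEM_OPERAND.search(insn)
    if not m:
        raise ValueError(f"no memory operand in {insn!r}")
    disp = int(m.group("disp"), 0) if m.group("disp") else 0
    base = regs[m.group("base").lstrip("%")] if m.group("base") else 0
    index = _signed64(regs[m.group("index").lstrip("%")]) if m.group("index") else 0
    scale = int(m.group("scale")) if m.group("scale") else 1
    return {
        "disp": disp, "base": base, "index": index, "scale": scale,
        "address": (base + disp + index * scale) & 0xFFFFFFFFFFFFFFFF,
    }


def triage(insn: str, regs: dict, max_plausible_index: int = 1 << 16) -> dict:
    """Summarise an indexed fault: element 0 of the array, the index used, and
    whether the index (rather than the base pointer) is what went out of range.
    The threshold is an assumed heuristic, not a libvorbis table size."""
    ea = effective_address(insn, regs)
    array_base = ea["base"] + ea["disp"]
    return {
        "address": ea["address"],
        "array_base": array_base,
        "index": ea["index"],
        "element_size": ea["scale"],
        "index_out_of_range": not (0 <= ea["index"] < max_plausible_index),
        "bytes_past_array_base": ea["address"] - array_base,
    }


if __name__ == "__main__":
    summary = triage(FAULTING_INSN, parse_registers(GDB_INFO_REGISTERS))
    for key, value in summary.items():
        print(f"{key:>22}: {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{key:>22}: {value}")
```

The final `x/128xb` in the report fails because this particular index pushes the read into an unmapped page; a smaller bad index would have read adjacent mapped memory silently, which is why such crashes are better hunted with AddressSanitizer builds than with plain SIGSEGV detection.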