Multiple bugs #245

Closed
qflb opened this issue Sep 1, 2017 · 1 comment
Labels
Bug A bug in the source code

qflb commented Sep 1, 2017

The PizCompressor class in IlmImf/ImfPizCompressor.cpp in openexr 2.2.0 can cause a denial of service (memory allocation error) via a crafted exr file.

./exrmakepreview openexr_2.2.0_memory_allocation_error_1.exr out

==45920== ERROR: AddressSanitizer failed to allocate 0x12b3fa000 (5020557312) bytes of LargeMmapAllocator: Cannot allocate memory
==45920== Process memory map follows:
0x000000400000-0x000000405000 /usr/local/bin/exrmakepreview
0x000000605000-0x000000606000 /usr/local/bin/exrmakepreview
0x000000606000-0x000000607000 /usr/local/bin/exrmakepreview
0x000000607000-0x000000647000
0x00007fff7000-0x00008fff7000
0x00008fff7000-0x02008fff7000
0x02008fff7000-0x10007fff8000
0x600000000000-0x600400000000
0x600400000000-0x600400010000
0x600400010000-0x600600000000
0x600600000000-0x600600010000
0x600600010000-0x600800000000
0x600800000000-0x600800010000
0x600800010000-0x600c00000000
0x600c00000000-0x600c00010000
0x600c00010000-0x600e00000000
0x600e00000000-0x600e00010000
0x600e00010000-0x601000000000
0x601000000000-0x601000010000
0x601000010000-0x602600000000
0x602600000000-0x602600020000
0x602600020000-0x602800000000
0x602800000000-0x602800020000
0x602800020000-0x602c00000000
0x602c00000000-0x602c00020000
0x602c00020000-0x603600000000
0x603600000000-0x603600020000
0x603600020000-0x604400000000
0x604400000000-0x604400020000
0x604400020000-0x605200000000
0x605200000000-0x605200020000
0x605200020000-0x607200000000
0x607200000000-0x607200020000
0x607200020000-0x610000000000
0x610000000000-0x610000005000
0x7fc07b4f6000-0x7fc084a79000
0x7fc084a79000-0x7fc084a94000 /usr/local/lib/libIex-2_2.so.12.0.0
0x7fc084a94000-0x7fc084c94000 /usr/local/lib/libIex-2_2.so.12.0.0
0x7fc084c94000-0x7fc084c98000 /usr/local/lib/libIex-2_2.so.12.0.0
0x7fc084c98000-0x7fc084c99000 /usr/local/lib/libIex-2_2.so.12.0.0
0x7fc084c99000-0x7fc084c9f000 /usr/local/lib/libIlmThread-2_2.so.12.0.0
0x7fc084c9f000-0x7fc084e9e000 /usr/local/lib/libIlmThread-2_2.so.12.0.0
0x7fc084e9e000-0x7fc084e9f000 /usr/local/lib/libIlmThread-2_2.so.12.0.0
0x7fc084e9f000-0x7fc084ea0000 /usr/local/lib/libIlmThread-2_2.so.12.0.0
0x7fc084ea0000-0x7fc084eb8000 /lib/x86_64-linux-gnu/libz.so.1.2.8
0x7fc084eb8000-0x7fc0850b7000 /lib/x86_64-linux-gnu/libz.so.1.2.8
0x7fc0850b7000-0x7fc0850b8000 /lib/x86_64-linux-gnu/libz.so.1.2.8
0x7fc0850b8000-0x7fc0850b9000 /lib/x86_64-linux-gnu/libz.so.1.2.8
0x7fc0850b9000-0x7fc0850bc000 /lib/x86_64-linux-gnu/libdl-2.19.so
0x7fc0850bc000-0x7fc0852bb000 /lib/x86_64-linux-gnu/libdl-2.19.so
0x7fc0852bb000-0x7fc0852bc000 /lib/x86_64-linux-gnu/libdl-2.19.so
0x7fc0852bc000-0x7fc0852bd000 /lib/x86_64-linux-gnu/libdl-2.19.so
0x7fc0852bd000-0x7fc0852d6000 /lib/x86_64-linux-gnu/libpthread-2.19.so
0x7fc0852d6000-0x7fc0854d5000 /lib/x86_64-linux-gnu/libpthread-2.19.so
0x7fc0854d5000-0x7fc0854d6000 /lib/x86_64-linux-gnu/libpthread-2.19.so
0x7fc0854d6000-0x7fc0854d7000 /lib/x86_64-linux-gnu/libpthread-2.19.so
0x7fc0854d7000-0x7fc0854db000
0x7fc0854db000-0x7fc085696000 /lib/x86_64-linux-gnu/libc-2.19.so
0x7fc085696000-0x7fc085895000 /lib/x86_64-linux-gnu/libc-2.19.so
0x7fc085895000-0x7fc085899000 /lib/x86_64-linux-gnu/libc-2.19.so
0x7fc085899000-0x7fc08589b000 /lib/x86_64-linux-gnu/libc-2.19.so
0x7fc08589b000-0x7fc0858a0000
0x7fc0858a0000-0x7fc0858b6000 /lib/x86_64-linux-gnu/libgcc_s.so.1
0x7fc0858b6000-0x7fc085ab5000 /lib/x86_64-linux-gnu/libgcc_s.so.1
0x7fc085ab5000-0x7fc085ab6000 /lib/x86_64-linux-gnu/libgcc_s.so.1
0x7fc085ab6000-0x7fc085bbb000 /lib/x86_64-linux-gnu/libm-2.19.so
0x7fc085bbb000-0x7fc085dba000 /lib/x86_64-linux-gnu/libm-2.19.so
0x7fc085dba000-0x7fc085dbb000 /lib/x86_64-linux-gnu/libm-2.19.so
0x7fc085dbb000-0x7fc085dbc000 /lib/x86_64-linux-gnu/libm-2.19.so
0x7fc085dbc000-0x7fc085ea2000 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19
0x7fc085ea2000-0x7fc0860a1000 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19
0x7fc0860a1000-0x7fc0860a9000 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19
0x7fc0860a9000-0x7fc0860ab000 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19
0x7fc0860ab000-0x7fc0860c0000
0x7fc0860c0000-0x7fc086102000 /usr/local/lib/libHalf.so.12.0.0
0x7fc086102000-0x7fc086301000 /usr/local/lib/libHalf.so.12.0.0
0x7fc086301000-0x7fc086302000 /usr/local/lib/libHalf.so.12.0.0
0x7fc086302000-0x7fc086303000 /usr/local/lib/libHalf.so.12.0.0
0x7fc086303000-0x7fc0866d2000 /usr/local/lib/libIlmImf-2_2.so.22.0.0
0x7fc0866d2000-0x7fc0868d1000 /usr/local/lib/libIlmImf-2_2.so.22.0.0
0x7fc0868d1000-0x7fc0868d6000 /usr/local/lib/libIlmImf-2_2.so.22.0.0
0x7fc0868d6000-0x7fc086a2c000 /usr/local/lib/libIlmImf-2_2.so.22.0.0
0x7fc086a2c000-0x7fc086a2f000
0x7fc086a2f000-0x7fc086a57000 /usr/lib/x86_64-linux-gnu/libasan.so.0.0.0
0x7fc086a57000-0x7fc086c57000 /usr/lib/x86_64-linux-gnu/libasan.so.0.0.0
0x7fc086c57000-0x7fc086c58000 /usr/lib/x86_64-linux-gnu/libasan.so.0.0.0
0x7fc086c58000-0x7fc086c59000 /usr/lib/x86_64-linux-gnu/libasan.so.0.0.0
0x7fc086c59000-0x7fc0899be000
0x7fc0899be000-0x7fc0899e1000 /lib/x86_64-linux-gnu/ld-2.19.so
0x7fc089bad000-0x7fc089bc5000
0x7fc089bc7000-0x7fc089bd4000
0x7fc089bd6000-0x7fc089be0000
0x7fc089be0000-0x7fc089be1000 /lib/x86_64-linux-gnu/ld-2.19.so
0x7fc089be1000-0x7fc089be2000 /lib/x86_64-linux-gnu/ld-2.19.so
0x7fc089be2000-0x7fc089be3000
0x7fffae3bc000-0x7fffae3dd000 [stack]
0x7fffae3dd000-0x7fffae3df000 [vvar]
0x7fffae3df000-0x7fffae3e1000 [vdso]
0xffffffffff600000-0xffffffffff601000 [vsyscall]
==45920== End of process memory map.
==45920== AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_posix.cc:70 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
#0 0x7fc086a4131d (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x1231d)
#1 0x7fc086a48133 (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x19133)
#2 0x7fc086a4a6d3 (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x1b6d3)
#3 0x7fc086a38078 (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x9078)
#4 0x7fc086a408b9 (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x118b9)
#5 0x7fc08643682d in Imf_2_2::PizCompressor::PizCompressor(Imf_2_2::Header const&, unsigned long, unsigned long) /home/a/Downloads/openexr-2.2.0/IlmImf/ImfPizCompressor.cpp:194
#6 0x7fc086434469 in Imf_2_2::newCompressor(Imf_2_2::Compression, unsigned long, Imf_2_2::Header const&) /home/a/Downloads/openexr-2.2.0/IlmImf/ImfCompressor.cpp:148
#7 0x7fc0864d4f84 in Imf_2_2::ScanLineInputFile::initialize(Imf_2_2::Header const&) /home/a/Downloads/openexr-2.2.0/IlmImf/ImfScanLineInputFile.cpp:1120
#8 0x7fc0864d5ea2 in Imf_2_2::ScanLineInputFile::ScanLineInputFile(Imf_2_2::Header const&, Imf_2_2::IStream*, int) /home/a/Downloads/openexr-2.2.0/IlmImf/ImfScanLineInputFile.cpp:1190
#9 0x7fc08640a8d4 in Imf_2_2::InputFile::initialize() /home/a/Downloads/openexr-2.2.0/IlmImf/ImfInputFile.cpp:555
#10 0x7fc086408108 in Imf_2_2::InputFile::InputFile(char const*, int) /home/a/Downloads/openexr-2.2.0/IlmImf/ImfInputFile.cpp:382
#11 0x7fc08642a5a7 in Imf_2_2::RgbaInputFile::RgbaInputFile(char const*, int) /home/a/Downloads/openexr-2.2.0/IlmImf/ImfRgbaFile.cpp:1166
#12 0x402698 in (anonymous namespace)::generatePreview(char const*, float, int, int&, Imf_2_2::Array2D<Imf_2_2::PreviewRgba>&) /home/a/Downloads/openexr-2.2.0/exrmakepreview/makePreview.cpp:105
#13 0x403041 in makePreview(char const*, char const*, int, float, bool) /home/a/Downloads/openexr-2.2.0/exrmakepreview/makePreview.cpp:162
#14 0x40236a in main /home/a/Downloads/openexr-2.2.0/exrmakepreview/main.cpp:185
#15 0x7fc0854fcec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#16 0x401da8 in _start (/usr/local/bin/exrmakepreview+0x401da8)

The bytesPerLineTable function in IlmImf/ImfMisc.cpp in openexr 2.2.0 can cause a denial of service (memory allocation error) via a crafted exr file.

./exrmakepreview openexr_2.2.0_memory_allocation_error_2.exr out

==51266== ERROR: AddressSanitizer failed to allocate 0x160003000 (5905592320) bytes of LargeMmapAllocator: Cannot allocate memory
==51266== Process memory map follows:
0x000000400000-0x000000405000 /usr/local/bin/exrmakepreview
0x000000605000-0x000000606000 /usr/local/bin/exrmakepreview
0x000000606000-0x000000607000 /usr/local/bin/exrmakepreview
0x000000607000-0x000000647000
0x00007fff7000-0x00008fff7000
0x00008fff7000-0x02008fff7000
0x02008fff7000-0x10007fff8000
0x600000000000-0x600400000000
0x600400000000-0x600400010000
0x600400010000-0x600600000000
0x600600000000-0x600600010000
0x600600010000-0x600800000000
0x600800000000-0x600800010000
0x600800010000-0x600c00000000
0x600c00000000-0x600c00010000
0x600c00010000-0x600e00000000
0x600e00000000-0x600e00010000
0x600e00010000-0x601000000000
0x601000000000-0x601000010000
0x601000010000-0x602600000000
0x602600000000-0x602600020000
0x602600020000-0x602800000000
0x602800000000-0x602800020000
0x602800020000-0x602c00000000
0x602c00000000-0x602c00020000
0x602c00020000-0x603600000000
0x603600000000-0x603600020000
0x603600020000-0x604400000000
0x604400000000-0x604400020000
0x604400020000-0x605200000000
0x605200000000-0x605200020000
0x605200020000-0x607200000000
0x607200000000-0x607200020000
0x607200020000-0x610000000000
0x610000000000-0x610000005000
0x7feee69a9000-0x7feee69c4000 /usr/local/lib/libIex-2_2.so.12.0.0
0x7feee69c4000-0x7feee6bc4000 /usr/local/lib/libIex-2_2.so.12.0.0
0x7feee6bc4000-0x7feee6bc8000 /usr/local/lib/libIex-2_2.so.12.0.0
0x7feee6bc8000-0x7feee6bc9000 /usr/local/lib/libIex-2_2.so.12.0.0
0x7feee6bc9000-0x7feee6bcf000 /usr/local/lib/libIlmThread-2_2.so.12.0.0
0x7feee6bcf000-0x7feee6dce000 /usr/local/lib/libIlmThread-2_2.so.12.0.0
0x7feee6dce000-0x7feee6dcf000 /usr/local/lib/libIlmThread-2_2.so.12.0.0
0x7feee6dcf000-0x7feee6dd0000 /usr/local/lib/libIlmThread-2_2.so.12.0.0
0x7feee6dd0000-0x7feee6de8000 /lib/x86_64-linux-gnu/libz.so.1.2.8
0x7feee6de8000-0x7feee6fe7000 /lib/x86_64-linux-gnu/libz.so.1.2.8
0x7feee6fe7000-0x7feee6fe8000 /lib/x86_64-linux-gnu/libz.so.1.2.8
0x7feee6fe8000-0x7feee6fe9000 /lib/x86_64-linux-gnu/libz.so.1.2.8
0x7feee6fe9000-0x7feee6fec000 /lib/x86_64-linux-gnu/libdl-2.19.so
0x7feee6fec000-0x7feee71eb000 /lib/x86_64-linux-gnu/libdl-2.19.so
0x7feee71eb000-0x7feee71ec000 /lib/x86_64-linux-gnu/libdl-2.19.so
0x7feee71ec000-0x7feee71ed000 /lib/x86_64-linux-gnu/libdl-2.19.so
0x7feee71ed000-0x7feee7206000 /lib/x86_64-linux-gnu/libpthread-2.19.so
0x7feee7206000-0x7feee7405000 /lib/x86_64-linux-gnu/libpthread-2.19.so
0x7feee7405000-0x7feee7406000 /lib/x86_64-linux-gnu/libpthread-2.19.so
0x7feee7406000-0x7feee7407000 /lib/x86_64-linux-gnu/libpthread-2.19.so
0x7feee7407000-0x7feee740b000
0x7feee740b000-0x7feee75c6000 /lib/x86_64-linux-gnu/libc-2.19.so
0x7feee75c6000-0x7feee77c5000 /lib/x86_64-linux-gnu/libc-2.19.so
0x7feee77c5000-0x7feee77c9000 /lib/x86_64-linux-gnu/libc-2.19.so
0x7feee77c9000-0x7feee77cb000 /lib/x86_64-linux-gnu/libc-2.19.so
0x7feee77cb000-0x7feee77d0000
0x7feee77d0000-0x7feee77e6000 /lib/x86_64-linux-gnu/libgcc_s.so.1
0x7feee77e6000-0x7feee79e5000 /lib/x86_64-linux-gnu/libgcc_s.so.1
0x7feee79e5000-0x7feee79e6000 /lib/x86_64-linux-gnu/libgcc_s.so.1
0x7feee79e6000-0x7feee7aeb000 /lib/x86_64-linux-gnu/libm-2.19.so
0x7feee7aeb000-0x7feee7cea000 /lib/x86_64-linux-gnu/libm-2.19.so
0x7feee7cea000-0x7feee7ceb000 /lib/x86_64-linux-gnu/libm-2.19.so
0x7feee7ceb000-0x7feee7cec000 /lib/x86_64-linux-gnu/libm-2.19.so
0x7feee7cec000-0x7feee7dd2000 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19
0x7feee7dd2000-0x7feee7fd1000 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19
0x7feee7fd1000-0x7feee7fd9000 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19
0x7feee7fd9000-0x7feee7fdb000 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19
0x7feee7fdb000-0x7feee7ff0000
0x7feee7ff0000-0x7feee8032000 /usr/local/lib/libHalf.so.12.0.0
0x7feee8032000-0x7feee8231000 /usr/local/lib/libHalf.so.12.0.0
0x7feee8231000-0x7feee8232000 /usr/local/lib/libHalf.so.12.0.0
0x7feee8232000-0x7feee8233000 /usr/local/lib/libHalf.so.12.0.0
0x7feee8233000-0x7feee8602000 /usr/local/lib/libIlmImf-2_2.so.22.0.0
0x7feee8602000-0x7feee8801000 /usr/local/lib/libIlmImf-2_2.so.22.0.0
0x7feee8801000-0x7feee8806000 /usr/local/lib/libIlmImf-2_2.so.22.0.0
0x7feee8806000-0x7feee895c000 /usr/local/lib/libIlmImf-2_2.so.22.0.0
0x7feee895c000-0x7feee895f000
0x7feee895f000-0x7feee8987000 /usr/lib/x86_64-linux-gnu/libasan.so.0.0.0
0x7feee8987000-0x7feee8b87000 /usr/lib/x86_64-linux-gnu/libasan.so.0.0.0
0x7feee8b87000-0x7feee8b88000 /usr/lib/x86_64-linux-gnu/libasan.so.0.0.0
0x7feee8b88000-0x7feee8b89000 /usr/lib/x86_64-linux-gnu/libasan.so.0.0.0
0x7feee8b89000-0x7feeeb8ee000
0x7feeeb8ee000-0x7feeeb911000 /lib/x86_64-linux-gnu/ld-2.19.so
0x7feeebadd000-0x7feeebaf5000
0x7feeebaf7000-0x7feeebb04000
0x7feeebb06000-0x7feeebb10000
0x7feeebb10000-0x7feeebb11000 /lib/x86_64-linux-gnu/ld-2.19.so
0x7feeebb11000-0x7feeebb12000 /lib/x86_64-linux-gnu/ld-2.19.so
0x7feeebb12000-0x7feeebb13000
0x7fff11d65000-0x7fff11d86000 [stack]
0x7fff11db8000-0x7fff11dba000 [vvar]
0x7fff11dba000-0x7fff11dbc000 [vdso]
0xffffffffff600000-0xffffffffff601000 [vsyscall]
==51266== End of process memory map.
==51266== AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_posix.cc:70 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
#0 0x7feee897131d (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x1231d)
#1 0x7feee8978133 (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x19133)
#2 0x7feee897a6d3 (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x1b6d3)
#3 0x7feee8968078 (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x9078)
#4 0x7feee8970849 (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x11849)
#5 0x7feee8352330 in __gnu_cxx::new_allocator::allocate(unsigned long, void const*) /usr/include/c++/4.8/ext/new_allocator.h:104
#6 0x7feee83520c2 in std::_Vector_base<unsigned long, std::allocator >::_M_allocate(unsigned long) /usr/include/c++/4.8/bits/stl_vector.h:168
#7 0x7feee8351956 in std::vector<unsigned long, std::allocator >::_M_fill_insert(__gnu_cxx::__normal_iterator<unsigned long*, std::vector<unsigned long, std::allocator > >, unsigned long, unsigned long const&) (/usr/local/lib/libIlmImf-2_2.so.22+0x11e956)
#8 0x7feee8351071 in std::vector<unsigned long, std::allocator >::insert(__gnu_cxx::__normal_iterator<unsigned long*, std::vector<unsigned long, std::allocator > >, unsigned long, unsigned long const&) /usr/include/c++/4.8/bits/stl_vector.h:1024
#9 0x7feee8350e22 in std::vector<unsigned long, std::allocator >::resize(unsigned long, unsigned long) /usr/include/c++/4.8/bits/stl_vector.h:707
#10 0x7feee83e6054 in Imf_2_2::bytesPerLineTable(Imf_2_2::Header const&, std::vector<unsigned long, std::allocator >&) /home/a/Downloads/openexr-2.2.0/IlmImf/ImfMisc.cpp:111
#11 0x7feee8404ee1 in Imf_2_2::ScanLineInputFile::initialize(Imf_2_2::Header const&) /home/a/Downloads/openexr-2.2.0/IlmImf/ImfScanLineInputFile.cpp:1113
#12 0x7feee8405ea2 in Imf_2_2::ScanLineInputFile::ScanLineInputFile(Imf_2_2::Header const&, Imf_2_2::IStream*, int) /home/a/Downloads/openexr-2.2.0/IlmImf/ImfScanLineInputFile.cpp:1190
#13 0x7feee833a8d4 in Imf_2_2::InputFile::initialize() /home/a/Downloads/openexr-2.2.0/IlmImf/ImfInputFile.cpp:555
#14 0x7feee8338108 in Imf_2_2::InputFile::InputFile(char const*, int) /home/a/Downloads/openexr-2.2.0/IlmImf/ImfInputFile.cpp:382
#15 0x7feee835a5a7 in Imf_2_2::RgbaInputFile::RgbaInputFile(char const*, int) /home/a/Downloads/openexr-2.2.0/IlmImf/ImfRgbaFile.cpp:1166
#16 0x402698 in (anonymous namespace)::generatePreview(char const*, float, int, int&, Imf_2_2::Array2D<Imf_2_2::PreviewRgba>&) /home/a/Downloads/openexr-2.2.0/exrmakepreview/makePreview.cpp:105
#17 0x403041 in makePreview(char const*, char const*, int, float, bool) /home/a/Downloads/openexr-2.2.0/exrmakepreview/makePreview.cpp:162
#18 0x40236a in main /home/a/Downloads/openexr-2.2.0/exrmakepreview/main.cpp:185
#19 0x7feee742cec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#20 0x401da8 in _start (/usr/local/bin/exrmakepreview+0x401da8)

The hufDecode function in IlmImf/ImfHuf.cpp:928 in openexr 2.2.0 can cause a denial of service (heap buffer overflow) via a crafted exr file.

./exrmakepreview openexr_2.2.0_heap_buffer_overflow.exr out

=================================================================
==51463== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60a4000007fe at pc 0x7fc488f4fe05 bp 0x7ffefb6e06f0 sp 0x7ffefb6e06e8
READ of size 2 at 0x60a4000007fe thread T0
#0 0x7fc488f4fe04 in Imf_2_2::(anonymous namespace)::hufDecode(unsigned long const*, Imf_2_2::(anonymous namespace)::HufDec const*, char const*, int, int, int, unsigned short*) /home/a/Downloads/openexr-2.2.0/IlmImf/ImfHuf.cpp:928
#1 0x7fc488f50d2b in Imf_2_2::hufUncompress(char const*, int, unsigned short*, int) /home/a/Downloads/openexr-2.2.0/IlmImf/ImfHuf.cpp:1101
#2 0x7fc488f591d3 in Imf_2_2::PizCompressor::uncompress(char const*, int, Imath_2_2::Box<Imath_2_2::Vec2 >, char const*&) /home/a/Downloads/openexr-2.2.0/IlmImf/ImfPizCompressor.cpp:576
#3 0x7fc488f57243 in Imf_2_2::PizCompressor::uncompress(char const*, int, int, char const*&) /home/a/Downloads/openexr-2.2.0/IlmImf/ImfPizCompressor.cpp:288
#4 0x7fc488ff374b in Imf_2_2::(anonymous namespace)::LineBufferTaskIIF::execute() /home/a/Downloads/openexr-2.2.0/IlmImf/ImfScanLineInputFile.cpp:858
#5 0x7fc4877bc758 in IlmThread_2_2::ThreadPool::addTask(IlmThread_2_2::Task*) /home/a/Downloads/ilmbase-2.2.0/IlmThread/IlmThreadPool.cpp:433
#6 0x7fc488ff8774 in Imf_2_2::ScanLineInputFile::readPixels(int, int) /home/a/Downloads/openexr-2.2.0/IlmImf/ImfScanLineInputFile.cpp:1617
#7 0x7fc488f2d45a in Imf_2_2::InputFile::readPixels(int, int) /home/a/Downloads/openexr-2.2.0/IlmImf/ImfInputFile.cpp:815
#8 0x7fc488f4b7ea in Imf_2_2::RgbaInputFile::readPixels(int, int) /home/a/Downloads/openexr-2.2.0/IlmImf/ImfRgbaFile.cpp:1302
#9 0x40299b in (anonymous namespace)::generatePreview(char const*, float, int, int&, Imf_2_2::Array2D<Imf_2_2::PreviewRgba>&) /home/a/Downloads/openexr-2.2.0/exrmakepreview/makePreview.cpp:114
#10 0x403041 in makePreview(char const*, char const*, int, float, bool) /home/a/Downloads/openexr-2.2.0/exrmakepreview/makePreview.cpp:162
#11 0x40236a in main /home/a/Downloads/openexr-2.2.0/exrmakepreview/main.cpp:185
#12 0x7fc48801cec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#13 0x401da8 in _start (/usr/local/bin/exrmakepreview+0x401da8)
0x60a4000007fe is located 2 bytes to the left of 76800-byte region [0x60a400000800,0x60a400013400)
allocated by thread T0 here:
#0 0x7fc48956088a (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x1188a)
#1 0x7fc488f5682d in Imf_2_2::PizCompressor::PizCompressor(Imf_2_2::Header const&, unsigned long, unsigned long) /home/a/Downloads/openexr-2.2.0/IlmImf/ImfPizCompressor.cpp:194
#2 0x7fc488f54469 in Imf_2_2::newCompressor(Imf_2_2::Compression, unsigned long, Imf_2_2::Header const&) /home/a/Downloads/openexr-2.2.0/IlmImf/ImfCompressor.cpp:148
#3 0x7fc488ff4f84 in Imf_2_2::ScanLineInputFile::initialize(Imf_2_2::Header const&) /home/a/Downloads/openexr-2.2.0/IlmImf/ImfScanLineInputFile.cpp:1120
#4 0x7fc488ff5ea2 in Imf_2_2::ScanLineInputFile::ScanLineInputFile(Imf_2_2::Header const&, Imf_2_2::IStream*, int) /home/a/Downloads/openexr-2.2.0/IlmImf/ImfScanLineInputFile.cpp:1190
#5 0x7fc488f2a8d4 in Imf_2_2::InputFile::initialize() /home/a/Downloads/openexr-2.2.0/IlmImf/ImfInputFile.cpp:555
#6 0x7fc488f28108 in Imf_2_2::InputFile::InputFile(char const*, int) /home/a/Downloads/openexr-2.2.0/IlmImf/ImfInputFile.cpp:382
#7 0x7fc488f4a5a7 in Imf_2_2::RgbaInputFile::RgbaInputFile(char const*, int) /home/a/Downloads/openexr-2.2.0/IlmImf/ImfRgbaFile.cpp:1166
#8 0x402698 in (anonymous namespace)::generatePreview(char const*, float, int, int&, Imf_2_2::Array2D<Imf_2_2::PreviewRgba>&) /home/a/Downloads/openexr-2.2.0/exrmakepreview/makePreview.cpp:105
#9 0x403041 in makePreview(char const*, char const*, int, float, bool) /home/a/Downloads/openexr-2.2.0/exrmakepreview/makePreview.cpp:162
#10 0x40236a in main /home/a/Downloads/openexr-2.2.0/exrmakepreview/main.cpp:185
#11 0x7fc48801cec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/openexr-2.2.0/IlmImf/ImfHuf.cpp:928 Imf_2_2::(anonymous namespace)::hufDecode(unsigned long const*, Imf_2_2::(anonymous namespace)::HufDec const*, char const*, int, int, int, unsigned short*)
Shadow bytes around the buggy address:
0x0c14ffff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c14ffff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c14ffff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c14ffff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c14ffff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c14ffff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
0x0c14ffff8100:00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c14ffff8110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c14ffff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c14ffff8130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c14ffff8140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==51463== ABORTING

The Array2D class in IlmImf/ImfArray.h in openexr 2.2.0 can cause a denial of service (memory allocation error) via a crafted exr file.

./exrmakepreview openexr_2.2.0_memory_allocation_error_3.exr out

==51612== WARNING: AddressSanitizer failed to allocate 0x002cc28000c0 bytes
==51612== WARNING: AddressSanitizer failed to allocate 0x002cc28120c0 bytes
==51612== WARNING: AddressSanitizer failed to allocate 0x002cc28000c0 bytes
==51612== ERROR: AddressSanitizer failed to allocate 0x1dd703000 (8010084352) bytes of LargeMmapAllocator: Cannot allocate memory
==51612== Process memory map follows:
0x000000400000-0x000000405000 /usr/local/bin/exrmakepreview
0x000000605000-0x000000606000 /usr/local/bin/exrmakepreview
0x000000606000-0x000000607000 /usr/local/bin/exrmakepreview
0x000000607000-0x000000647000
0x00007fff7000-0x00008fff7000
0x00008fff7000-0x02008fff7000
0x02008fff7000-0x10007fff8000
0x600000000000-0x600400000000
0x600400000000-0x600400010000
0x600400010000-0x600600000000
0x600600000000-0x600600010000
0x600600010000-0x600800000000
0x600800000000-0x600800010000
0x600800010000-0x600c00000000
0x600c00000000-0x600c00010000
0x600c00010000-0x600e00000000
0x600e00000000-0x600e00010000
0x600e00010000-0x601000000000
0x601000000000-0x601000010000
0x601000010000-0x601600000000
0x601600000000-0x601600010000
0x601600010000-0x602600000000
0x602600000000-0x602600020000
0x602600020000-0x602800000000
0x602800000000-0x602800020000
0x602800020000-0x602c00000000
0x602c00000000-0x602c00020000
0x602c00020000-0x603600000000
0x603600000000-0x603600020000
0x603600020000-0x604400000000
0x604400000000-0x604400020000
0x604400020000-0x605200000000
0x605200000000-0x605200020000
0x605200020000-0x607200000000
0x607200000000-0x607200020000
0x607200020000-0x610000000000
0x610000000000-0x610000005000
0x7fe23fc0c000-0x7fe23fc27000 /usr/local/lib/libIex-2_2.so.12.0.0
0x7fe23fc27000-0x7fe23fe27000 /usr/local/lib/libIex-2_2.so.12.0.0
0x7fe23fe27000-0x7fe23fe2b000 /usr/local/lib/libIex-2_2.so.12.0.0
0x7fe23fe2b000-0x7fe23fe2c000 /usr/local/lib/libIex-2_2.so.12.0.0
0x7fe23fe2c000-0x7fe23fe32000 /usr/local/lib/libIlmThread-2_2.so.12.0.0
0x7fe23fe32000-0x7fe240031000 /usr/local/lib/libIlmThread-2_2.so.12.0.0
0x7fe240031000-0x7fe240032000 /usr/local/lib/libIlmThread-2_2.so.12.0.0
0x7fe240032000-0x7fe240033000 /usr/local/lib/libIlmThread-2_2.so.12.0.0
0x7fe240033000-0x7fe24004b000 /lib/x86_64-linux-gnu/libz.so.1.2.8
0x7fe24004b000-0x7fe24024a000 /lib/x86_64-linux-gnu/libz.so.1.2.8
0x7fe24024a000-0x7fe24024b000 /lib/x86_64-linux-gnu/libz.so.1.2.8
0x7fe24024b000-0x7fe24024c000 /lib/x86_64-linux-gnu/libz.so.1.2.8
0x7fe24024c000-0x7fe24024f000 /lib/x86_64-linux-gnu/libdl-2.19.so
0x7fe24024f000-0x7fe24044e000 /lib/x86_64-linux-gnu/libdl-2.19.so
0x7fe24044e000-0x7fe24044f000 /lib/x86_64-linux-gnu/libdl-2.19.so
0x7fe24044f000-0x7fe240450000 /lib/x86_64-linux-gnu/libdl-2.19.so
0x7fe240450000-0x7fe240469000 /lib/x86_64-linux-gnu/libpthread-2.19.so
0x7fe240469000-0x7fe240668000 /lib/x86_64-linux-gnu/libpthread-2.19.so
0x7fe240668000-0x7fe240669000 /lib/x86_64-linux-gnu/libpthread-2.19.so
0x7fe240669000-0x7fe24066a000 /lib/x86_64-linux-gnu/libpthread-2.19.so
0x7fe24066a000-0x7fe24066e000
0x7fe24066e000-0x7fe240829000 /lib/x86_64-linux-gnu/libc-2.19.so
0x7fe240829000-0x7fe240a28000 /lib/x86_64-linux-gnu/libc-2.19.so
0x7fe240a28000-0x7fe240a2c000 /lib/x86_64-linux-gnu/libc-2.19.so
0x7fe240a2c000-0x7fe240a2e000 /lib/x86_64-linux-gnu/libc-2.19.so
0x7fe240a2e000-0x7fe240a33000
0x7fe240a33000-0x7fe240a49000 /lib/x86_64-linux-gnu/libgcc_s.so.1
0x7fe240a49000-0x7fe240c48000 /lib/x86_64-linux-gnu/libgcc_s.so.1
0x7fe240c48000-0x7fe240c49000 /lib/x86_64-linux-gnu/libgcc_s.so.1
0x7fe240c49000-0x7fe240d4e000 /lib/x86_64-linux-gnu/libm-2.19.so
0x7fe240d4e000-0x7fe240f4d000 /lib/x86_64-linux-gnu/libm-2.19.so
0x7fe240f4d000-0x7fe240f4e000 /lib/x86_64-linux-gnu/libm-2.19.so
0x7fe240f4e000-0x7fe240f4f000 /lib/x86_64-linux-gnu/libm-2.19.so
0x7fe240f4f000-0x7fe241035000 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19
0x7fe241035000-0x7fe241234000 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19
0x7fe241234000-0x7fe24123c000 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19
0x7fe24123c000-0x7fe24123e000 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19
0x7fe24123e000-0x7fe241253000
0x7fe241253000-0x7fe241295000 /usr/local/lib/libHalf.so.12.0.0
0x7fe241295000-0x7fe241494000 /usr/local/lib/libHalf.so.12.0.0
0x7fe241494000-0x7fe241495000 /usr/local/lib/libHalf.so.12.0.0
0x7fe241495000-0x7fe241496000 /usr/local/lib/libHalf.so.12.0.0
0x7fe241496000-0x7fe241865000 /usr/local/lib/libIlmImf-2_2.so.22.0.0
0x7fe241865000-0x7fe241a64000 /usr/local/lib/libIlmImf-2_2.so.22.0.0
0x7fe241a64000-0x7fe241a69000 /usr/local/lib/libIlmImf-2_2.so.22.0.0
0x7fe241a69000-0x7fe241bbf000 /usr/local/lib/libIlmImf-2_2.so.22.0.0
0x7fe241bbf000-0x7fe241bc2000
0x7fe241bc2000-0x7fe241bea000 /usr/lib/x86_64-linux-gnu/libasan.so.0.0.0
0x7fe241bea000-0x7fe241dea000 /usr/lib/x86_64-linux-gnu/libasan.so.0.0.0
0x7fe241dea000-0x7fe241deb000 /usr/lib/x86_64-linux-gnu/libasan.so.0.0.0
0x7fe241deb000-0x7fe241dec000 /usr/lib/x86_64-linux-gnu/libasan.so.0.0.0
0x7fe241dec000-0x7fe244b51000
0x7fe244b51000-0x7fe244b74000 /lib/x86_64-linux-gnu/ld-2.19.so
0x7fe244d40000-0x7fe244d58000
0x7fe244d5a000-0x7fe244d67000
0x7fe244d69000-0x7fe244d73000
0x7fe244d73000-0x7fe244d74000 /lib/x86_64-linux-gnu/ld-2.19.so
0x7fe244d74000-0x7fe244d75000 /lib/x86_64-linux-gnu/ld-2.19.so
0x7fe244d75000-0x7fe244d76000
0x7ffe847ce000-0x7ffe847ef000 [stack]
0x7ffe847fb000-0x7ffe847fd000 [vvar]
0x7ffe847fd000-0x7ffe847ff000 [vdso]
0xffffffffff600000-0xffffffffff601000 [vsyscall]
==51612== End of process memory map.
==51612== AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_posix.cc:70 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
#0 0x7fe241bd431d (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x1231d)
#1 0x7fe241bdb133 (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x19133)
#2 0x7fe241bdd6d3 (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x1b6d3)
#3 0x7fe241bcb078 (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x9078)
#4 0x7fe241bd38b9 (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x118b9)
#5 0x40389d in Imf_2_2::Array2D<Imf_2_2::Rgba>::Array2D(long, long) /home/a/Downloads/openexr-2.2.0/exrmakepreview/../IlmImf/ImfArray.h:227
#6 0x402825 in (anonymous namespace)::generatePreview(char const*, float, int, int&, Imf_2_2::Array2D<Imf_2_2::PreviewRgba>&) /home/a/Downloads/openexr-2.2.0/exrmakepreview/makePreview.cpp:112
#7 0x403041 in makePreview(char const*, char const*, int, float, bool) /home/a/Downloads/openexr-2.2.0/exrmakepreview/makePreview.cpp:162
#8 0x40236a in main /home/a/Downloads/openexr-2.2.0/exrmakepreview/main.cpp:185
#9 0x7fe24068fec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#10 0x401da8 in _start (/usr/local/bin/exrmakepreview+0x401da8)

POC:
poc.zip
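Three of the four reports above are the same defect class: a buffer size is derived from header fields (data window, channel list, compression block size) and handed to the allocator without a sanity check, so a crafted header asks for 4.7 to 8 GB and the process dies inside malloc. The added example below is not OpenEXR's code and does not use its API; it is a stand-alone illustration of the check a reader would want in front of such allocations: multiply the dimensions with overflow detection, reject empty or negative windows, cap the result at a configured limit, and allocate only through an RAII container so that a throw releases whatever was already allocated. The cap value `kMaxBufferBytes` and the function names are assumptions chosen for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <stdexcept>
#include <vector>

// Assumed per-buffer ceiling for sizes derived from untrusted header fields.
// Any real reader would make this configurable; 512 MiB is an example value.
constexpr std::size_t kMaxBufferBytes = 512u * 1024u * 1024u;

// Multiply two sizes, reporting overflow instead of silently wrapping.
bool checkedMul(std::size_t a, std::size_t b, std::size_t &out) {
    if (a != 0 && b > std::numeric_limits<std::size_t>::max() / a)
        return false;
    out = a * b;
    return true;
}

// Compute the byte size of an image buffer from header-derived values.
// Throws on empty/negative windows, size_t overflow, or a result above the cap,
// so the caller never reaches the allocator with an absurd request.
std::size_t checkedImageBufferSize(std::int64_t width, std::int64_t height,
                                   std::size_t bytesPerPixel) {
    if (width <= 0 || height <= 0 || bytesPerPixel == 0)
        throw std::invalid_argument("data window must be non-empty");

    std::size_t lineBytes = 0;
    std::size_t total = 0;
    if (!checkedMul(static_cast<std::size_t>(width), bytesPerPixel, lineBytes) ||
        !checkedMul(lineBytes, static_cast<std::size_t>(height), total))
        throw std::length_error("image size overflows size_t");

    if (total > kMaxBufferBytes)
        throw std::length_error("image size exceeds configured limit");
    return total;
}

// Build a per-scan-line byte table (one entry per row) only after the total
// has been validated. std::vector owns the memory, so if a later step throws
// the table is freed automatically instead of leaking.
std::vector<std::size_t> buildBytesPerLineTable(std::int64_t width, std::int64_t height,
                                                std::size_t bytesPerPixel) {
    const std::size_t total = checkedImageBufferSize(width, height, bytesPerPixel);
    const std::size_t rows = static_cast<std::size_t>(height);
    return std::vector<std::size_t>(rows, total / rows);
}

// Convenience predicate for callers (and tests): true if the header values
// would be rejected before any allocation happens.
bool rejectsHeader(std::int64_t width, std::int64_t height, std::size_t bytesPerPixel) {
    try {
        checkedImageBufferSize(width, height, bytesPerPixel);
        return false;
    } catch (const std::exception &) {
        return true;
    }
}
```

With such a guard the oversized requests shown in the sanitizer output are turned into a caught exception before `new` or `mmap` is ever called, which is the behaviour the maintainer's closing comment describes. The hufDecode heap-buffer-overflow is a different class (a read past the decode buffer) and needs a bounds check inside the decoder rather than an allocation-size check.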

@cary-ilm cary-ilm added the Bug A bug in the source code label Jun 13, 2019
@cary-ilm cary-ilm added this to the Needs Attention milestone Jun 29, 2019
@peterhillman peterhillman self-assigned this Jul 4, 2019
@cary-ilm cary-ilm modified the milestones: Needs Attention, Backlog Feb 7, 2020
@peterhillman
Contributor

All these cases now throw exceptions and clean up all allocated memory as intended.
