Signed Integer Overflow in chunkOffsetReconstruction (72873449, 73090589)

[Google-Autofuzz]

Hello OpenEXR team,

As part of our fuzzing efforts at Google, we have identified an issue affecting
OpenEXR (tested with revision * develop 165dcea).

To reproduce, we are attaching a Dockerfile which compiles the project with
LLVM, taking advantage of the sanitizers that it offers. More information about
how to use the attached Dockerfile can be found here:
https://docs.docker.com/engine/reference/builder/

TL;DR instructions:

• mkdir project
• cp Dockerfile.OpenEXR /path/to/project/Dockerfile
• docker build --no-cache /path/to/project
• docker run -it image_id_from_docker_build

From another terminal, outside the container:
docker cp /path/to/attached/reproducer running_container_hostname:/fuzzing/reproducer
(reference: https://docs.docker.com/engine/reference/commandline/cp/)

And, back inside the container:
/fuzzing/repro.sh /fuzzing/reproducer

Alternatively, and depending on the bug, you could use gcc, valgrind or other
instrumentation tools to aid in the investigation. The sanitizer errors that we
encountered were:

ImfMultiPartInputFile.cpp:642:30: runtime error: signed integer overflow: -2147483648 - 5 cannot be represented in type 'int'
    #0 0x5dd94d in Imf_2_2::MultiPartInputFile::Data::chunkOffsetReconstruction(Imf_2_2::IStream&, std::__debug::vector<Imf_2_2::InputPartData*, std::allocator<Imf_2_2::InputPartData*> > const&) /fuzzing/openexr/OpenEXR/IlmImf/ImfMultiPartInputFile.cpp:642:30
    #1 0x5daf38 in Imf_2_2::MultiPartInputFile::initialize() /fuzzing/openexr/OpenEXR/IlmImf/ImfMultiPartInputFile.cpp:429:12
    #2 0x5db5e0 in Imf_2_2::MultiPartInputFile::MultiPartInputFile(Imf_2_2::IStream&, int, bool) /fuzzing/openexr/OpenEXR/IlmImf/ImfMultiPartInputFile.cpp:161:9
    #3 0x66bdec in Imf_2_2::TiledInputFile::compatibilityInitialize(Imf_2_2::IStream&) /fuzzing/openexr/OpenEXR/IlmImf/ImfTiledInputFile.cpp:862:32
    #4 0x66b511 in Imf_2_2::TiledInputFile::TiledInputFile(char const*, int) /fuzzing/openexr/OpenEXR/IlmImf/ImfTiledInputFile.cpp:714:6
    #5 0x5d19da in Imf_2_2::TiledRgbaInputFile::TiledRgbaInputFile(char const*, int) /fuzzing/openexr/OpenEXR/IlmImf/ImfTiledRgbaFile.cpp:773:21
    #6 0x524d6a in fuzzImage(char const*) /fuzzing/security-research-pocs/autofuzz/openexr_fuzz_tiles.cc:135:14
    #7 0x524c55 in LLVMFuzzerTestOneInput /fuzzing/security-research-pocs/autofuzz/openexr_fuzz_tiles.cc:178:3
    #8 0x5171ec in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/openexr_fuzz_tiles+0x5171ec)
    #9 0x5169ae in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) (/fuzzing/openexr_fuzz_tiles+0x5169ae)
    #10 0x51080d in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*) (/fuzzing/openexr_fuzz_tiles+0x51080d)
    #11 0x511cdf in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/fuzzing/openexr_fuzz_tiles+0x511cdf)
    #12 0x5106bc in main (/fuzzing/openexr_fuzz_tiles+0x5106bc)
    #13 0x7fdd6d2832b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #14 0x425dc9 in _start (/fuzzing/openexr_fuzz_tiles+0x425dc9)

SUMMARY: AddressSanitizer: undefined-behavior ImfMultiPartInputFile.cpp:642:30 in 

ImfMultiPartInputFile.cpp:669:44: runtime error: signed integer overflow: 2147483647 + 8 cannot be represented in type 'int'
    #0 0x5dcaf1 in Imf_2_2::MultiPartInputFile::Data::chunkOffsetReconstruction(Imf_2_2::IStream&, std::__debug::vector<Imf_2_2::InputPartData*, std::allocator<Imf_2_2::InputPartData*> > const&) /fuzzing/openexr/OpenEXR/IlmImf/ImfMultiPartInputFile.cpp:669:44
    #1 0x5d9fd8 in Imf_2_2::MultiPartInputFile::initialize() /fuzzing/openexr/OpenEXR/IlmImf/ImfMultiPartInputFile.cpp:429:12
    #2 0x5d938b in Imf_2_2::MultiPartInputFile::MultiPartInputFile(char const*, int, bool) /fuzzing/openexr/OpenEXR/IlmImf/ImfMultiPartInputFile.cpp:136:9
    #3 0x524d48 in (anonymous namespace)::readMulti(char const*) /fuzzing/security-research-pocs/autofuzz/openexr_fuzz_scanlines.cc:46:16
    #4 0x52480d in LLVMFuzzerTestOneInput /fuzzing/security-research-pocs/autofuzz/openexr_fuzz_scanlines.cc:114:3
    #5 0x516d9c in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/fuzzing/openexr_fuzz_scanlines+0x516d9c)
    #6 0x51655e in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) (/fuzzing/openexr_fuzz_scanlines+0x51655e)
    #7 0x5103bd in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*) (/fuzzing/openexr_fuzz_scanlines+0x5103bd)
    #8 0x51188f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/fuzzing/openexr_fuzz_scanlines+0x51188f)
    #9 0x51026c in main (/fuzzing/openexr_fuzz_scanlines+0x51026c)
    #10 0x7f0e10fad2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #11 0x425979 in _start (/fuzzing/openexr_fuzz_scanlines+0x425979)

SUMMARY: AddressSanitizer: undefined-behavior ImfMultiPartInputFile.cpp:669:44 in 

We will gladly work with you so you can successfully confirm and reproduce this
issue. Do let us know if you have any feedback surrounding the documentation.

Once you have reproduced the issue, we'd appreciate to learn your expected
timeline for an update to be released. With any fix, please attribute the report
to "Google Autofuzz project".

We are also pleased to inform you that your project is eligible for inclusion to
the OSS-Fuzz project, which can provide additional continuous fuzzing, and
encourage you to investigate integration options.

Don't hesitate to let us know if you have any questions!

Google AutoFuzz Team

artifacts_72873449.zip
artifacts_73090589.zip

[peterhillman]

A fix for this is now merged.
Thanks!