Description
Hello OpenEXR team,
I have identified an issue affecting OpenEXR using AFL fuzzing: a heap out-of-bounds write in exrmultiview, where memset in makeMultiView (makeMultiView.cpp:142) writes past a 16,000-byte block allocated by Image::addChannel, as shown in the Valgrind output below.
root@kali:~/openexr# exrmultiview left outputFuzz/crashes/id:000001,sig:06,src:000522,op:ext_AO,pos:109 right AllHalfValues.exr 12.exr
exrmultiview: malloc.c:4023: _int_malloc: Assertion `(unsigned long) (size) >= (unsigned long) (nb)' failed.
Aborted
root@kali:~/openexr# valgrind -v --tool=memcheck --leak-check=full exrmultiview left outputFuzz/crashes/id:000001,sig:06,src:000522,op:ext_AO,pos:109 right AllHalfValues.exr 12.exr
==21837== Memcheck, a memory error detector
==21837== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==21837== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==21837== Command: exrmultiview left outputFuzz/crashes/id:000001,sig:06,src:000522,op:ext_AO,pos:109 right AllHalfValues.exr 12.exr
==21837==
--21837-- Valgrind options:
--21837-- -v
--21837-- --tool=memcheck
--21837-- --leak-check=full
--21837-- Contents of /proc/version:
--21837-- Linux version 4.17.0-kali1-amd64 (devel@kali.org) (gcc version 7.3.0 (Debian 7.3.0-25)) #1 SMP Debian 4.17.8-1kali1 (2018-07-24)
--21837--
--21837-- Arch and hwcaps: AMD64, LittleEndian, amd64-cx16-lzcnt-rdtscp-sse3-avx-avx2-bmi
--21837-- Page sizes: currently 4096, max supported 4096
--21837-- Valgrind library directory: /usr/lib/valgrind
--21837-- Reading syms from /usr/local/bin/exrmultiview
--21837-- Reading syms from /usr/lib/x86_64-linux-gnu/ld-2.27.so
--21837-- Considering /usr/lib/debug/.build-id/dc/5cb16f5e644116cac64a4c3f5da4d081b81a4f.debug ..
--21837-- .. build-id is valid
--21837-- Reading syms from /usr/lib/valgrind/memcheck-amd64-linux
--21837-- Considering /usr/lib/valgrind/memcheck-amd64-linux ..
--21837-- .. CRC mismatch (computed 7680f3df wanted 92e0f93c)
--21837-- Considering /usr/lib/debug/usr/lib/valgrind/memcheck-amd64-linux ..
--21837-- .. CRC is valid
--21837-- object doesn't have a dynamic symbol table
--21837-- Scheduler: using generic scheduler lock implementation.
--21837-- Reading suppressions file: /usr/lib/valgrind/default.supp
==21837== embedded gdbserver: reading from /tmp/vgdb-pipe-from-vgdb-to-21837-by-root-on-???
==21837== embedded gdbserver: writing to /tmp/vgdb-pipe-to-vgdb-from-21837-by-root-on-???
==21837== embedded gdbserver: shared mem /tmp/vgdb-pipe-shared-mem-vgdb-21837-by-root-on-???
==21837==
==21837== TO CONTROL THIS PROCESS USING vgdb (which you probably
==21837== don't want to do, unless you know exactly what you're doing,
==21837== or are doing some strange experiment):
==21837== /usr/lib/valgrind/../../bin/vgdb --pid=21837 ...command...
==21837==
==21837== TO DEBUG THIS PROCESS USING GDB: start GDB like this
==21837== /path/to/gdb exrmultiview
==21837== and then give GDB the following command
==21837== target remote | /usr/lib/valgrind/../../bin/vgdb --pid=21837
==21837== --pid is optional if only one valgrind process is running
==21837==
--21837-- REDIR: 0x401e290 (ld-linux-x86-64.so.2:strlen) redirected to 0x58061781 (vgPlain_amd64_linux_REDIR_FOR_strlen)
--21837-- REDIR: 0x401e070 (ld-linux-x86-64.so.2:index) redirected to 0x5806179b (vgPlain_amd64_linux_REDIR_FOR_index)
--21837-- Reading syms from /usr/lib/valgrind/vgpreload_core-amd64-linux.so
--21837-- Considering /usr/lib/valgrind/vgpreload_core-amd64-linux.so ..
--21837-- .. CRC mismatch (computed 66a2a561 wanted 3789c7eb)
--21837-- Considering /usr/lib/debug/usr/lib/valgrind/vgpreload_core-amd64-linux.so ..
--21837-- .. CRC is valid
--21837-- Reading syms from /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so
--21837-- Considering /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so ..
--21837-- .. CRC mismatch (computed 8487a070 wanted 8af30a91)
--21837-- Considering /usr/lib/debug/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so ..
--21837-- .. CRC is valid
==21837== WARNING: new redirection conflicts with existing -- ignoring it
--21837-- old: 0x0401e290 (strlen ) R-> (0000.0) 0x58061781 vgPlain_amd64_linux_REDIR_FOR_strlen
--21837-- new: 0x0401e290 (strlen ) R-> (2007.0) 0x04838a60 strlen
--21837-- REDIR: 0x401aab0 (ld-linux-x86-64.so.2:strcmp) redirected to 0x4839b90 (strcmp)
--21837-- REDIR: 0x401e7d0 (ld-linux-x86-64.so.2:mempcpy) redirected to 0x483d1a0 (mempcpy)
--21837-- Reading syms from /usr/local/lib/libIlmImf-2_3.so.2.3.0
--21837-- Reading syms from /usr/local/lib/libHalf-2_3.so.2.3.0
--21837-- Reading syms from /usr/local/lib/libImath-2_3.so.2.3.0
--21837-- Reading syms from /usr/local/lib/libIlmThread-2_3.so.2.3.0
--21837-- Reading syms from /usr/lib/x86_64-linux-gnu/libpthread-2.27.so
--21837-- Considering /usr/lib/debug/.build-id/c1/969b6ac0e7a64f9cd88fdce8b584ccfc16623d.debug ..
--21837-- .. build-id is valid
--21837-- Reading syms from /usr/lib/x86_64-linux-gnu/libz.so.1.2.11
--21837-- object doesn't have a symbol table
--21837-- Reading syms from /usr/local/lib/libIex-2_3.so.2.3.0
--21837-- Reading syms from /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.25
--21837-- object doesn't have a symbol table
--21837-- Reading syms from /usr/lib/x86_64-linux-gnu/libm-2.27.so
--21837-- Considering /usr/lib/debug/.build-id/fa/b2857727406caccd7ab22e1729b09ccf2c3eb7.debug ..
--21837-- .. build-id is valid
--21837-- Reading syms from /usr/lib/x86_64-linux-gnu/libgcc_s.so.1
--21837-- object doesn't have a symbol table
--21837-- Reading syms from /usr/lib/x86_64-linux-gnu/libc-2.27.so
--21837-- Considering /usr/lib/debug/.build-id/dc/87cd1e2b171a4c51139cb4e1f2ec630e711de3.debug ..
--21837-- .. build-id is valid
--21837-- REDIR: 0x5361050 (libc.so.6:memmove) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--21837-- REDIR: 0x5360280 (libc.so.6:strncpy) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--21837-- REDIR: 0x5361330 (libc.so.6:strcasecmp) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--21837-- REDIR: 0x535fcd0 (libc.so.6:strcat) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--21837-- REDIR: 0x53602b0 (libc.so.6:rindex) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--21837-- REDIR: 0x5362900 (libc.so.6:rawmemchr) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--21837-- REDIR: 0x53611c0 (libc.so.6:mempcpy) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--21837-- REDIR: 0x5360ff0 (libc.so.6:bcmp) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--21837-- REDIR: 0x5360240 (libc.so.6:strncmp) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--21837-- REDIR: 0x535fd40 (libc.so.6:strcmp) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--21837-- REDIR: 0x5361120 (libc.so.6:memset) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--21837-- REDIR: 0x537ab60 (libc.so.6:wcschr) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--21837-- REDIR: 0x53601e0 (libc.so.6:strnlen) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--21837-- REDIR: 0x535fdb0 (libc.so.6:strcspn) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--21837-- REDIR: 0x5361380 (libc.so.6:strncasecmp) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--21837-- REDIR: 0x535fd80 (libc.so.6:strcpy) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--21837-- REDIR: 0x53614c0 (libc.so.6:memcpy@@GLIBC_2.14) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--21837-- REDIR: 0x53602e0 (libc.so.6:strpbrk) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--21837-- REDIR: 0x535fd00 (libc.so.6:index) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--21837-- REDIR: 0x53601b0 (libc.so.6:strlen) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--21837-- REDIR: 0x53671b0 (libc.so.6:memrchr) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--21837-- REDIR: 0x53613d0 (libc.so.6:strcasecmp_l) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--21837-- REDIR: 0x5360fc0 (libc.so.6:memchr) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--21837-- REDIR: 0x537b920 (libc.so.6:wcslen) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--21837-- REDIR: 0x5360590 (libc.so.6:strspn) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--21837-- REDIR: 0x5361300 (libc.so.6:stpncpy) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--21837-- REDIR: 0x53612d0 (libc.so.6:stpcpy) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--21837-- REDIR: 0x5362930 (libc.so.6:strchrnul) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--21837-- REDIR: 0x5361420 (libc.so.6:strncasecmp_l) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--21837-- REDIR: 0x5433700 (libc.so.6:__strrchr_avx2) redirected to 0x48383e0 (rindex)
--21837-- REDIR: 0x535c5c0 (libc.so.6:malloc) redirected to 0x4835750 (malloc)
--21837-- REDIR: 0x54338d0 (libc.so.6:__strlen_avx2) redirected to 0x48389a0 (strlen)
--21837-- REDIR: 0x542fee0 (libc.so.6:__memcmp_avx2_movbe) redirected to 0x483bab0 (bcmp)
--21837-- REDIR: 0x540f0a0 (libc.so.6:__strcmp_ssse3) redirected to 0x4839a50 (strcmp)
--21837-- REDIR: 0x535d2a0 (libc.so.6:calloc) redirected to 0x4837720 (calloc)
--21837-- REDIR: 0x5433e10 (libc.so.6:__memcpy_avx_unaligned_erms) redirected to 0x483c390 (memmove)
--21837-- REDIR: 0x503af90 (libstdc++.so.6:operator new(unsigned long)) redirected to 0x4835dc0 (operator new(unsigned long))
--21837-- REDIR: 0x5039220 (libstdc++.so.6:operator delete(void*)) redirected to 0x4836e80 (operator delete(void*))
--21837-- REDIR: 0x5422440 (libc.so.6:__strncpy_ssse3) redirected to 0x4838c60 (strncpy)
--21837-- REDIR: 0x5360a70 (libc.so.6:__GI_strstr) redirected to 0x483d410 (__strstr_sse2)
--21837-- REDIR: 0x503b040 (libstdc++.so.6:operator new[](unsigned long)) redirected to 0x48364e0 (operator new[](unsigned long))
--21837-- REDIR: 0x542a850 (libc.so.6:__strncmp_sse42) redirected to 0x4839220 (__strncmp_sse42)
--21837-- REDIR: 0x5434290 (libc.so.6:__memset_avx2_unaligned_erms) redirected to 0x483c280 (memset)
--21837-- REDIR: 0x535df10 (libc.so.6:posix_memalign) redirected to 0x4837c10 (posix_memalign)
--21837-- REDIR: 0x5039250 (libstdc++.so.6:operator delete) redirected to 0x4837380 (operator delete)
--21837-- REDIR: 0x535cc50 (libc.so.6:free) redirected to 0x4836980 (free)
--21837-- REDIR: 0x542f760 (libc.so.6:__memchr_avx2) redirected to 0x4839c30 (memchr)
==21837== Invalid write of size 8
==21837== at 0x483C307: memset (vg_replace_strmem.c:1239)
==21837== by 0x4069BD: makeMultiView(std::vector<std::__cxx11::basic_string<char, std::char_traits, std::allocator >, std::allocator<std::__cxx11::basic_string<char, std::char_traits, std::allocator > > > const&, std::vector<char const*, std::allocator<char const*> > const&, char const*, Imf_2_3::Compression, bool) (makeMultiView.cpp:142)
==21837== by 0x409D33: main (main.cpp:251)
==21837== Address 0x5525d30 is 0 bytes after a block of size 16,000 alloc'd
==21837== at 0x483654F: operator new[](unsigned long) (vg_replace_malloc.c:423)
==21837== by 0x40CE16: resizeEraseUnsafe (ImfArray.h:277)
==21837== by 0x40CE16: resize (Image.h:222)
==21837== by 0x40CE16: TypedImageChannel (Image.h:162)
==21837== by 0x40CE16: Image::addChannel(std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&, Imf_2_3::Channel const&) (Image.cpp:98)
==21837== by 0x4069A9: makeMultiView(std::vector<std::__cxx11::basic_string<char, std::char_traits, std::allocator >, std::allocator<std::__cxx11::basic_string<char, std::char_traits, std::allocator > > > const&, std::vector<char const*, std::allocator<char const*> > const&, char const*, Imf_2_3::Compression, bool) (makeMultiView.cpp:141)
==21837== by 0x409D33: main (main.cpp:251)
==21837==
==21837== Invalid write of size 8
==21837== at 0x483C30A: memset (vg_replace_strmem.c:1239)
==21837== by 0x4069BD: makeMultiView(std::vector<std::__cxx11::basic_string<char, std::char_traits, std::allocator >, std::allocator<std::__cxx11::basic_string<char, std::char_traits, std::allocator > > > const&, std::vector<char const*, std::allocator<char const*> > const&, char const*, Imf_2_3::Compression, bool) (makeMultiView.cpp:142)
==21837== by 0x409D33: main (main.cpp:251)
==21837== Address 0x5525d38 is 8 bytes after a block of size 16,000 alloc'd
==21837== at 0x483654F: operator new[](unsigned long) (vg_replace_malloc.c:423)
==21837== by 0x40CE16: resizeEraseUnsafe (ImfArray.h:277)
==21837== by 0x40CE16: resize (Image.h:222)
==21837== by 0x40CE16: TypedImageChannel (Image.h:162)
==21837== by 0x40CE16: Image::addChannel(std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&, Imf_2_3::Channel const&) (Image.cpp:98)
==21837== by 0x4069A9: makeMultiView(std::vector<std::__cxx11::basic_string<char, std::char_traits, std::allocator >, std::allocator<std::__cxx11::basic_string<char, std::char_traits, std::allocator > > > const&, std::vector<char const*, std::allocator<char const*> > const&, char const*, Imf_2_3::Compression, bool) (makeMultiView.cpp:141)
==21837== by 0x409D33: main (main.cpp:251)
==21837==
==21837== Invalid write of size 8
==21837== at 0x483C30E: memset (vg_replace_strmem.c:1239)
==21837== by 0x4069BD: makeMultiView(std::vector<std::__cxx11::basic_string<char, std::char_traits, std::allocator >, std::allocator<std::__cxx11::basic_string<char, std::char_traits, std::allocator > > > const&, std::vector<char const*, std::allocator<char const*> > const&, char const*, Imf_2_3::Compression, bool) (makeMultiView.cpp:142)
==21837== by 0x409D33: main (main.cpp:251)
==21837== Address 0x5525d40 is 16 bytes after a block of size 16,000 alloc'd
==21837== at 0x483654F: operator new[](unsigned long) (vg_replace_malloc.c:423)
==21837== by 0x40CE16: resizeEraseUnsafe (ImfArray.h:277)
==21837== by 0x40CE16: resize (Image.h:222)
==21837== by 0x40CE16: TypedImageChannel (Image.h:162)
==21837== by 0x40CE16: Image::addChannel(std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&, Imf_2_3::Channel const&) (Image.cpp:98)
==21837== by 0x4069A9: makeMultiView(std::vector<std::__cxx11::basic_string<char, std::char_traits, std::allocator >, std::allocator<std::__cxx11::basic_string<char, std::char_traits, std::allocator > > > const&, std::vector<char const*, std::allocator<char const*> > const&, char const*, Imf_2_3::Compression, bool) (makeMultiView.cpp:141)
==21837== by 0x409D33: main (main.cpp:251)
==21837==
==21837== Invalid write of size 8
==21837== at 0x483C312: memset (vg_replace_strmem.c:1239)
==21837== by 0x4069BD: makeMultiView(std::vector<std::__cxx11::basic_string<char, std::char_traits, std::allocator >, std::allocator<std::__cxx11::basic_string<char, std::char_traits, std::allocator > > > const&, std::vector<char const*, std::allocator<char const*> > const&, char const*, Imf_2_3::Compression, bool) (makeMultiView.cpp:142)
==21837== by 0x409D33: main (main.cpp:251)
==21837== Address 0x5525d48 is 24 bytes after a block of size 16,000 in arena "client"
==21837==
valgrind: m_mallocfree.c:280 (mk_plain_bszB): Assertion 'bszB != 0' failed.
valgrind: This is probably caused by your program erroneously writing past the
end of a heap block and corrupting heap metadata. If you fix any
invalid writes reported by Memcheck, this assertion failure will
probably go away. Please try that before reporting this as a bug.
The PoC (the crashing input file) is attached:
poc.zip
Version
openexr-2.3
Found by: TAN JIE