It exists SEGV when use function copy_bayer() #194

Closed
windpraying opened this Issue Dec 21, 2018 · 4 comments

windpraying commented Dec 21, 2018

Description

When using the function copy_bayer(), a SEGV occurs.

My test program

postprocessing_benchmark in Libraw/bin

Command and argument

./postprocessing_benchmark 1111

Crash Information

Processing file 1111

5.9 msec for unpack
=================================================================
ASAN:SIGSEGV
==98633==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004556fb bp 0x7ffe69c00ed0 sp 0x7ffe69c00e90 T0)
    #0 0x4556fa in LibRaw::copy_bayer(unsigned short*, unsigned short*) [clone ._omp_fn.2] src/libraw_cxx.cpp:3609
    #1 0x7f929c0dfcbe in GOMP_parallel (/usr/lib/x86_64-linux-gnu/libgomp.so.1+0xbcbe)
    #2 0x42c27b in LibRaw::copy_bayer(unsigned short*, unsigned short*) src/libraw_cxx.cpp:3601
    #3 0x42e039 in LibRaw::raw2image_ex(int) src/libraw_cxx.cpp:3802
    #4 0x43e36f in LibRaw::dcraw_process() src/libraw_cxx.cpp:5098
    #5 0x4049bc in main samples/postprocessing_benchmark.cpp:142
    #6 0x7f929b8f782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x403e48 in _start (/home/wind/libraw_fuzz_new/as_libraw_7e29b/LibRaw-7e29b9f29449fde30cc878fbb137d61c14bba3a4/bin/postprocessing_benchmark+0x403e48)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV src/libraw_cxx.cpp:3609 LibRaw::copy_bayer(unsigned short*, unsigned short*) [clone ._omp_fn.2]
==98633==ABORTING

Version

the commit is 7e29b9f

POC File

crash.zip

CREDIT

pu!m,Weiran Labs

Owner

LibRaw commented Dec 21, 2018

The line your ASAN report pointed to is pragma omp: https://github.com/LibRaw/LibRaw/blob/master/src/libraw_cxx.cpp#L3601

Does this problem exist in the non-OpenMP version too?

Owner

LibRaw commented Dec 21, 2018

It looks like it is the same problem as in raw2image, but in raw2image_ex(). Could you please check this patch: 7903346

carnil commented Dec 22, 2018

This is CVE-2018-20364

Owner

LibRaw commented Dec 24, 2018

This is not a copy_bayer problem, but a raw2image_ex() problem; fixed in the master branch.

@LibRaw LibRaw closed this Dec 24, 2018