Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Floating Point Exception in cv::HOGDescriptor::getDescriptorSize() #15287

Closed
YourButterfly opened this issue Aug 13, 2019 · 1 comment
Closed

Comments

@YourButterfly
Copy link

System information (version)
  • OpenCV => 4.1.0
  • Operating System / Platform => Ubuntu 18.04 LTS
  • Compiler => 7.0.1
Detailed description

An issue was discovered in opencv 4.1.0. There is a FPE in cv::HOGDescriptor::getDescriptorSize.

DEBUG

In file: opencv-4.1.0/modules/objdetect/src/hog.cpp
   88         blockSize.height % cellSize.height == 0);
   89     CV_Assert((winSize.width - blockSize.width) % blockStride.width == 0 &&
   90         (winSize.height - blockSize.height) % blockStride.height == 0 );
   91 
   92     return (size_t)nbins*
 ► 93         (blockSize.width/cellSize.width)*
   94         (blockSize.height/cellSize.height)*
   95         ((winSize.width - blockSize.width)/blockStride.width + 1)*
   96         ((winSize.height - blockSize.height)/blockStride.height + 1);
   97 }
   98 
pwndbg> p cellSize 
$2 = {
  width = 0, 
  height = 0
}

ASAN report

AddressSanitizer:DEADLYSIGNAL
=================================================================
==76303==ERROR: AddressSanitizer: FPE on unknown address 0x7f89dc67e495 (pc 0x7f89dc67e495 bp 0x7ffeedf44e90 sp 0x7ffeedf44d20 T0)
    #0 0x7f89dc67e494 in cv::HOGDescriptor::getDescriptorSize() const /home/pwd/fuzz/opencv/opencv-4.1.0/modules/objdetect/src/hog.cpp:93:25
    #1 0x7f89dc67f994 in cv::HOGDescriptor::checkDetectorSize() const /home/pwd/fuzz/opencv/opencv-4.1.0/modules/objdetect/src/hog.cpp:106:64
    #2 0x7f89dc67f994 in cv::HOGDescriptor::setSVMDetector(cv::_InputArray const&) /home/pwd/fuzz/opencv/opencv-4.1.0/modules/objdetect/src/hog.cpp:115
    #3 0x7f89dc683045 in cv::HOGDescriptor::read(cv::FileNode&) /home/pwd/fuzz/opencv/opencv-4.1.0/modules/objdetect/src/hog.cpp:168:9
    #4 0x7f89dc689eb2 in cv::HOGDescriptor::load(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/pwd/fuzz/opencv/opencv-4.1.0/modules/objdetect/src/hog.cpp:200:12
    #5 0x518fb0 in cv::HOGDescriptor::HOGDescriptor(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/pwd/fuzz/opencv/opencv-4.1.0/installed-asan/include/opencv4/opencv2/objdetect.hpp:421:9
    #6 0x518fb0 in main /home/pwd/fuzz/opencv/opencv-4.1.0/mytests/hog.cc:17
    #7 0x7f89d149db96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #8 0x41b909 in _start (/home/pwd/fuzz/opencv/opencv-4.1.0/mytests/hog+0x41b909)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /home/pwd/fuzz/opencv/opencv-4.1.0/modules/objdetect/src/hog.cpp:93:25 in cv::HOGDescriptor::getDescriptorSize() const
==76303==ABORTING
Steps to reproduce
./hog timg.jpeg getDescriptorSize__FPE

hog-vuln.tar.gz

@nluedtke
Copy link

nluedtke commented Sep 9, 2019

This was assigned CVE-2019-15939.

clrpackages pushed a commit to clearlinux-pkgs/compat-opencv-soname34 that referenced this issue Sep 16, 2019
kraj pushed a commit to YoeDistro/meta-openembedded that referenced this issue Apr 16, 2020
Fixes a floating point exception
opencv/opencv#15287

Upstream-Status: Backport
[opencv/opencv@c05595e]
CVE: CVE-2019-15939
Signed-off-by: Gregory Vimont <gregory.vimont@softbankrobotics.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
kraj pushed a commit to YoeDistro/meta-openembedded that referenced this issue Apr 16, 2020
Fixes a floating point exception
opencv/opencv#15287

Upstream-Status: Backport
[opencv/opencv@c05595e]
CVE: CVE-2019-15939
Signed-off-by: Gregory Vimont <gregory.vimont@softbankrobotics.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
kraj pushed a commit to YoeDistro/meta-openembedded that referenced this issue Apr 16, 2020
Fixes a floating point exception
opencv/opencv#15287

Upstream-Status: Backport
[opencv/opencv@c05595e]
CVE: CVE-2019-15939
Signed-off-by: Gregory Vimont <gregory.vimont@softbankrobotics.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Development

No branches or pull requests

3 participants