bugs found by our scanner #1236
Comments
Hello @lqiulin, thank you very much for testing libvips. I've looked through the problems you found:
Divide by zero
Array index
Sensitive function call
Thanks again!
I think this is done, I'll close. Thank you again for reporting this.
It looks like this has been assigned CVE-2021-27847, however the version number is incorrect in the report. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27847 For anyone visiting this issue as a result of the above, the problem was fixed in v8.8.0 and is only present in v8.7.4 (Jan 2019) and earlier.
Hi, we developed a taint-analysis-based static analysis tool named Vanguard. It can predict potential vulnerabilities by identifying security-sensitive operations (e.g. divide-zero, mod-zero, array-index-access, and sensitive function calls) without proper checks on their operands.
Some code locations are listed below. We think these locations may be bugs after our manual analysis. Please check them, and add precondition checks if necessary.

Divide/Mod-Zero

1. In function vips_zoom_gen, zoom.c#L260, #L266, #L275
   Divisor: zoom->xfac, zoom->yfac
   Result: Could be 0, please check.
2. In function vips_point_build, point.c#L105
   Divisor: range
   Result: Could be 0, please check.
3. In function vips_eye_point, eye.c#L83
   Divisor: h
   Result: Could be 0, please check.
4. In function vips_mask_point, mask.c#L85
   Divisor: half_width, half_height
   Result: Could be 0, please check.

Array-Index-Bound

1. In function vips_gamma_build, gamma.c#L97
   scale = pow( vips_gamma_maxval[in->BandFmt], 1.0 / gamma->exponent ) / vips_gamma_maxval[in->BandFmt];
   Array expression: vips_gamma_maxval[in->BandFmt]
   Needs bound checking: 0 <= in->BandFmt < 10
2. In function vips_byteswap_gen, byteswap.c#L138
   Array expression: vips_byteswap_swap_fn[im->BandFmt]
   Needs bound checking: 0 <= in->BandFmt < 10
3. In function vips_byteswap_build, byteswap.c#L169
   Array expression: vips_byteswap_swap_fn[im->BandFmt]
   Needs bound checking: 0 <= in->BandFmt < 10

Sensitive-Function-Call

1. In function find_header, unpack_seek.c#L289
   [memcpy] is a security-sensitive function using tainted data: [wphdr]
2. In function rtiff_memcpy_line, tiff2vips.c#L1219
   memcpy( q, p, len );
   [memcpy] is a security-sensitive function using tainted data: [len]
3. In function tile_copy, sinkscreen.c#L843
   memcpy( q, p, len );
   [memcpy] is a security-sensitive function using tainted data: [len]
4. In function vips_region_paint, region.c#L958, #L987
   [memset] is a security-sensitive function using tainted data: [wd]
   [memcpy] is a security-sensitive function using tainted data: [wd]
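The three kinds of precondition check the report asks for (divisor not zero, table index inside the ten-entry enum range, memcpy length bounded by both buffers), as an added C example. This is not libvips code and not the reporter's: the band_fmt enum, the fmt_maxval table, the function names and the sample values and buffers are all constructed stand-ins for the example, chosen only to mirror the 0 <= BandFmt < 10 range and the divisor and length checks named above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical ten-entry band-format enum, mirroring the 0 <= BandFmt < 10
 * range the report asks to check. Not the libvips enum. */
enum band_fmt {
    FMT_UCHAR, FMT_CHAR, FMT_USHORT, FMT_SHORT, FMT_UINT, FMT_INT,
    FMT_FLOAT, FMT_COMPLEX, FMT_DOUBLE, FMT_DPCOMPLEX,
    FMT_LAST            /* one past the last valid value, i.e. 10 */
};

/* Constructed per-format maximum values, indexed by band_fmt. The table has
 * exactly FMT_LAST entries, so any index outside [0, FMT_LAST) reads past it. */
static const double fmt_maxval[FMT_LAST] = {
    255.0, 127.0, 65535.0, 32767.0, 4294967295.0, 2147483647.0,
    1.0, 1.0, 1.0, 1.0
};

/* Array-index check: validate the format before it is used as a table index.
 * Returns false, and leaves *out untouched, for any value outside the enum. */
bool fmt_maxval_checked(int fmt, double *out)
{
    if (fmt < 0 || fmt >= FMT_LAST)
        return false;
    *out = fmt_maxval[fmt];
    return true;
}

/* Divide-by-zero check: an output dimension is the input dimension divided by
 * a zoom factor, so a zero factor must be rejected before the division. A
 * negative factor or size is refused too, since there is no meaningful result. */
bool zoom_size_checked(int in_size, int factor, int *out)
{
    if (in_size < 0 || factor <= 0)
        return false;
    *out = in_size / factor;
    return true;
}

/* Tainted-length memcpy: the copy length is checked against the capacity of
 * both buffers, so an attacker-influenced len can neither read past src nor
 * write past dst. Returns the number of bytes copied, 0 when refused. */
size_t bounded_copy(void *dst, size_t dst_size,
                    const void *src, size_t src_size, size_t len)
{
    if (len > dst_size || len > src_size)
        return 0;
    memcpy(dst, src, len);
    return len;
}

/* Driver on constructed buffers: an 8-byte source line and a 16-byte
 * destination. Requests of up to 8 bytes succeed; anything longer is refused
 * rather than over-reading src. */
size_t copy_line_demo(size_t len)
{
    const unsigned char src[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
    unsigned char dst[16] = { 0 };
    return bounded_copy(dst, sizeof dst, src, sizeof src, len);
}

int main(void)
{
    double maxval = 0.0;
    int size = 0;

    /* In-range format and a bogus one (10 is FMT_LAST, one past the table). */
    printf("fmt 0 ok=%d maxval=%g\n", fmt_maxval_checked(0, &maxval), maxval);
    printf("fmt 10 ok=%d\n", fmt_maxval_checked(10, &maxval));

    /* Valid zoom factor and a zero factor that would otherwise divide by 0. */
    printf("zoom 100/4 ok=%d size=%d\n", zoom_size_checked(100, 4, &size), size);
    printf("zoom 100/0 ok=%d\n", zoom_size_checked(100, 0, &size));

    /* Copy length within and beyond the source buffer. */
    printf("copy 8 -> %zu bytes\n", copy_line_demo(8));
    printf("copy 9 -> %zu bytes\n", copy_line_demo(9));
    return 0;
}
```

Each checked function reports failure through its return value instead of falling through to the unchecked operation; a caller that ignores that result has reintroduced the original problem, so in a real code base the error path should propagate (for libvips, into its usual error reporting) rather than be silently skipped.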