A buffer overflow occurs in function cv::PxMDecoder::readData in file imgcodecs/src/grfmt_pxm.cpp.
The crash details as follows:
=================================================================
==18453==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60900000c7d0 at pc 0x0000004722da bp 0x7ffff06fba60 sp 0x7ffff06fb210
WRITE of size 32 at 0x60900000c7d0 thread T0
#0 0x4722d9 in memcpy (/home/test_opencv/fuzz/target/opencv-3.3.1/samples/cpp/example_cmake/for_submit+0x4722d9)
#1 0x563c4e in cv::PxMDecoder::readData(cv::Mat&) /home/test_opencv/fuzz/target/opencv-3.3.1/modules/imgcodecs/src/grfmt_pxm.cpp:337:25
#2 0x515691 in cv::imread_(cv::String const&, int, int, cv::Mat*) /home/test_opencv/fuzz/target/opencv-3.3.1/modules/imgcodecs/src/loadsave.cpp:487:13
#3 0x51282c in cv::imread(cv::String const&, int) /home/test_opencv/fuzz/target/opencv-3.3.1/modules/imgcodecs/src/loadsave.cpp:638:5
#4 0x50aef1 in main /home/test_opencv/fuzz/target/opencv-3.3.1/samples/cpp/example_cmake/for_submit.cpp:14:25
#5 0x7ff8636e5f44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287
#6 0x42f9e3 in _start (/home/test_opencv/fuzz/target/opencv-3.3.1/samples/cpp/example_cmake/for_submit+0x42f9e3)
0x60900000c7d0 is located 0 bytes to the right of 16-byte region [0x60900000c7c0,0x60900000c7d0)
allocated by thread T0 here:
#0 0x4da825 in __interceptor_posix_memalign (/home/test_opencv/fuzz/target/opencv-3.3.1/samples/cpp/example_cmake/for_submit+0x4da825)
#1 0x9aa819 in cv::fastMalloc(unsigned long) /home/test_opencv/fuzz/target/opencv-3.3.1/modules/core/src/alloc.cpp:64:8
#2 0xb8333a in cv::StdMatAllocator::allocate(int, int const*, int, void*, unsigned long*, int, cv::UMatUsageFlags) const /home/test_opencv/fuzz/target/opencv-3.3.1/modules/core/src/matrix.cpp:191:55
#3 0xa8a42a in cv::Mat::create(int, int const*, int) /home/test_opencv/fuzz/target/opencv-3.3.1/modules/core/src/matrix.cpp:429:17
#4 0x54d4d9 in cv::Mat::create(int, int, int) /home/test_opencv/fuzz/target/opencv-3.3.1/modules/core/include/opencv2/core/mat.inl.hpp:784:5
#5 0x515129 in cv::imread_(cv::String const&, int, int, cv::Mat*) /home/test_opencv/fuzz/target/opencv-3.3.1/modules/imgcodecs/src/loadsave.cpp:473:13
#6 0x51282c in cv::imread(cv::String const&, int) /home/test_opencv/fuzz/target/opencv-3.3.1/modules/imgcodecs/src/loadsave.cpp:638:5
#7 0x50aef1 in main /home/test_opencv/fuzz/target/opencv-3.3.1/samples/cpp/example_cmake/for_submit.cpp:14:25
#8 0x7ff8636e5f44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/test_opencv/fuzz/target/opencv-3.3.1/samples/cpp/example_cmake/for_submit+0x4722d9) in memcpy
Shadow bytes around the buggy address:
0x0c127fff98a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c127fff98b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c127fff98c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c127fff98d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c127fff98e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c127fff98f0: fa fa fa fa fa fa fa fa 00 00[fa]fa fa fa fa fa
0x0c127fff9900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c127fff9910: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
0x0c127fff9920: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa
0x0c127fff9930: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa
0x0c127fff9940: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==18453==ABORTING
System information (version)
Detailed description
A buffer overflow occurs in function
cv::PxMDecoder::readDatain fileimgcodecs/src/grfmt_pxm.cpp.The crash details as follows:
Steps to reproduce
Please refer to the following url for the testcases:
https://github.com/Epeius/NBPOC/blob/master/poc
The text was updated successfully, but these errors were encountered: