Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Buffer overflow in grfmt_pxm.cpp::PxMDecoder::readData #10351

Closed
Epeius opened this issue Dec 19, 2017 · 1 comment · Fixed by #10369
Closed

Buffer overflow in grfmt_pxm.cpp::PxMDecoder::readData #10351

Epeius opened this issue Dec 19, 2017 · 1 comment · Fixed by #10369
Labels
bug category: imgcodecs category: vulnerability
Milestone
3.4

Comments

@Epeius
Copy link

Epeius commented Dec 19, 2017
edited by mshabunin
Loading

System information (version)

  • OpenCV => 3.3.1
  • Operating System / Platform => Ubuntu 16.04
  • Compiler => clang++

Detailed description

A buffer overflow occurs in function cv::PxMDecoder::readData in file imgcodecs/src/grfmt_pxm.cpp.

The crash details as follows:

=================================================================
==18453==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60900000c7d0 at pc 0x0000004722da bp 0x7ffff06fba60 sp 0x7ffff06fb210
WRITE of size 32 at 0x60900000c7d0 thread T0
    #0 0x4722d9 in memcpy (/home/test_opencv/fuzz/target/opencv-3.3.1/samples/cpp/example_cmake/for_submit+0x4722d9)
    #1 0x563c4e in cv::PxMDecoder::readData(cv::Mat&) /home/test_opencv/fuzz/target/opencv-3.3.1/modules/imgcodecs/src/grfmt_pxm.cpp:337:25
    #2 0x515691 in cv::imread_(cv::String const&, int, int, cv::Mat*) /home/test_opencv/fuzz/target/opencv-3.3.1/modules/imgcodecs/src/loadsave.cpp:487:13
    #3 0x51282c in cv::imread(cv::String const&, int) /home/test_opencv/fuzz/target/opencv-3.3.1/modules/imgcodecs/src/loadsave.cpp:638:5
    #4 0x50aef1 in main /home/test_opencv/fuzz/target/opencv-3.3.1/samples/cpp/example_cmake/for_submit.cpp:14:25
    #5 0x7ff8636e5f44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287
    #6 0x42f9e3 in _start (/home/test_opencv/fuzz/target/opencv-3.3.1/samples/cpp/example_cmake/for_submit+0x42f9e3)

0x60900000c7d0 is located 0 bytes to the right of 16-byte region [0x60900000c7c0,0x60900000c7d0)
allocated by thread T0 here:
    #0 0x4da825 in __interceptor_posix_memalign (/home/test_opencv/fuzz/target/opencv-3.3.1/samples/cpp/example_cmake/for_submit+0x4da825)
    #1 0x9aa819 in cv::fastMalloc(unsigned long) /home/test_opencv/fuzz/target/opencv-3.3.1/modules/core/src/alloc.cpp:64:8
    #2 0xb8333a in cv::StdMatAllocator::allocate(int, int const*, int, void*, unsigned long*, int, cv::UMatUsageFlags) const /home/test_opencv/fuzz/target/opencv-3.3.1/modules/core/src/matrix.cpp:191:55
    #3 0xa8a42a in cv::Mat::create(int, int const*, int) /home/test_opencv/fuzz/target/opencv-3.3.1/modules/core/src/matrix.cpp:429:17
    #4 0x54d4d9 in cv::Mat::create(int, int, int) /home/test_opencv/fuzz/target/opencv-3.3.1/modules/core/include/opencv2/core/mat.inl.hpp:784:5
    #5 0x515129 in cv::imread_(cv::String const&, int, int, cv::Mat*) /home/test_opencv/fuzz/target/opencv-3.3.1/modules/imgcodecs/src/loadsave.cpp:473:13
    #6 0x51282c in cv::imread(cv::String const&, int) /home/test_opencv/fuzz/target/opencv-3.3.1/modules/imgcodecs/src/loadsave.cpp:638:5
    #7 0x50aef1 in main /home/test_opencv/fuzz/target/opencv-3.3.1/samples/cpp/example_cmake/for_submit.cpp:14:25
    #8 0x7ff8636e5f44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/test_opencv/fuzz/target/opencv-3.3.1/samples/cpp/example_cmake/for_submit+0x4722d9) in memcpy
Shadow bytes around the buggy address:
  0x0c127fff98a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fff98b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fff98c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fff98d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fff98e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c127fff98f0: fa fa fa fa fa fa fa fa 00 00[fa]fa fa fa fa fa
  0x0c127fff9900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fff9910: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fff9920: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fff9930: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fff9940: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==18453==ABORTING

Steps to reproduce

Please refer to the following url for the testcases:
https://github.com/Epeius/NBPOC/blob/master/poc
@alalek alalek mentioned this issue Dec 21, 2017
Merged
@carnil
Copy link

carnil commented Dec 30, 2017

This issue was assigned CVE-2017-17760

@alalek alalek mentioned this issue Feb 19, 2018
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug category: imgcodecs category: vulnerability
Projects
None yet
Milestone
3.4
Development

Successfully merging a pull request may close this issue.

imgcodecs(pxm): fix memcpy size alalek/opencv
3 participants
@carnil @alalek @Epeius