Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Buffer overflow in cv::HdrDecoder::checkSignature #10479

Closed
Mambaboy opened this issue Jan 1, 2018 · 1 comment · Fixed by #10480
Closed

Buffer overflow in cv::HdrDecoder::checkSignature #10479

Mambaboy opened this issue Jan 1, 2018 · 1 comment · Fixed by #10480

Comments

@Mambaboy
Copy link

Mambaboy commented Jan 1, 2018

System information (version)

OpenCV => 3.3.1
Operating System / Platform => Ubuntu 16.04
Compiler => clang++
Detailed description

Detailed description

A buffer overflow occurs in function cv::HdrDecoder::checkSignature in file modules/imgcodecs/src/grfmt_hdr.cpp:106:.
The crash details as follows:

=================================================================
==12333==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x609000000ecc at pc 0x000001a5ef1f bp 0x7fff12ca2300 sp 0x7fff12ca1ab0
READ of size 10 at 0x609000000ecc thread T0
    #0 0x1a5ef1e in memcmp /home/opencv/fuzz/libfuzzer-workshop/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:774
    #1 0x45a8e6 in cv::HdrDecoder::checkSignature(cv::String const&) const /home/opencv/fuzz/target/opencv-3.3.1-test-crash/modules/imgcodecs/src/grfmt_hdr.cpp:106:9
    #2 0x423bce in cv::findDecoder(cv::String const&) /home/opencv/fuzz/target/opencv-3.3.1-test-crash/modules/imgcodecs/src/loadsave.cpp:216:33
    #3 0x419023 in cv::imread_(cv::String const&, int, int, cv::Mat*) /home/opencv/fuzz/target/opencv-3.3.1-test-crash/modules/imgcodecs/src/loadsave.cpp:402:19
    #4 0x418a80 in cv::imread(cv::String const&, int) /home/opencv/fuzz/target/opencv-3.3.1-test-crash/modules/imgcodecs/src/loadsave.cpp:638:5
    #5 0x413f25 in main /home/opencv/fuzz/target/opencv-3.3.1-test-crash/samples/cpp/example_cmake/example.cpp:54:11
    #6 0x7f8794948f44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287
    #7 0x4130c5 in _start (/home/opencv/verify+0x4130c5)

0x609000000ecc is located 0 bytes to the right of 12-byte region [0x609000000ec0,0x609000000ecc)
allocated by thread T0 here:
    #0 0x1a92c35 in __interceptor_posix_memalign /home/opencv/fuzz/libfuzzer-workshop/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:157
    #1 0x6bb169 in cv::fastMalloc(unsigned long) /home/opencv/fuzz/target/opencv-3.3.1-test-crash/modules/core/src/alloc.cpp:64:8
    #2 0xb31682 in cv::String::allocate(unsigned long) /home/opencv/fuzz/target/opencv-3.3.1-test-crash/modules/core/src/stl.cpp:50:23
    #3 0x43ba2e in cv::String::substr(unsigned long, unsigned long) const /home/opencv/fuzz/target/opencv-3.3.1-test-crash/modules/core/include/opencv2/core/cvstd.hpp:780:12
    #4 0x419023 in cv::imread_(cv::String const&, int, int, cv::Mat*) /home/opencv/fuzz/target/opencv-3.3.1-test-crash/modules/imgcodecs/src/loadsave.cpp:402:19
    #5 0x418a80 in cv::imread(cv::String const&, int) /home/opencv/fuzz/target/opencv-3.3.1-test-crash/modules/imgcodecs/src/loadsave.cpp:638:5
    #6 0x413f25 in main /home/opencv/fuzz/target/opencv-3.3.1-test-crash/samples/cpp/example_cmake/example.cpp:54:11
    #7 0x7f8794948f44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/opencv/fuzz/libfuzzer-workshop/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:774 in memcmp
Shadow bytes around the buggy address:
  0x0c127fff8180: 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fff8190: 00 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fff81a0: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fff81b0: fa fa fa fa fa fa fa fa 00 fa fa fa fa fa fa fa
  0x0c127fff81c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fa fa fa
=>0x0c127fff81d0: fa fa fa fa fa fa fa fa 00[04]fa fa fa fa fa fa
  0x0c127fff81e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fff81f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fff8200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fff8210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fff8220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12333==ABORTING

Steps to reproduce

Please refer to the following url for the testcases:
https://github.com/Epeius/NBPOC/blob/master/poc_out_of_bound_read_01

@Epeius
Copy link

Epeius commented Jan 2, 2018

This issue was assigned CVE-2017-18009

@mshabunin mshabunin added the bug label Jan 9, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Development

Successfully merging a pull request may close this issue.

4 participants