Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

A heap based buffer overflow happens in cv::Jpeg2KDecoder::readComponent8u #10541

Closed
Epeius opened this issue Jan 7, 2018 · 1 comment · Fixed by #10566
Closed

A heap based buffer overflow happens in cv::Jpeg2KDecoder::readComponent8u #10541

Epeius opened this issue Jan 7, 2018 · 1 comment · Fixed by #10566

Comments

@Epeius
Copy link

Epeius commented Jan 7, 2018

System information (version)

  • OpenCV 3.3.1
  • Operating System / Platform => Ubuntu 16.04
  • Compiler => clang++
  • Compiled-executable: 32bits

Detailed description

A heap-based buffer overflow happens in function cv::Jpeg2KDecoder::readComponent8u in grfmt_jpeg2000.cpp:343

The crash details as follows:

=================================================================

warning: component data type mismatch
=================================================================
==6293==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60900000c247 at pc 0x0000005ce1a3 bp 0x7fff71a94400 sp 0x7fff71a943f8
WRITE of size 1 at 0x60900000c247 thread T0
    #0 0x5ce1a2 in cv::Jpeg2KDecoder::readComponent8u(unsigned char*, void*, int, int, int, int, int) /home/opencv/fuzz/target/opencv-3.3.1/modules/imgcodecs/src/grfmt_jpeg2000.cpp:343:38
    #1 0x5cb417 in cv::Jpeg2KDecoder::readData(cv::Mat&) /home/opencv/fuzz/target/opencv-3.3.1/modules/imgcodecs/src/grfmt_jpeg2000.cpp:255:42
    #2 0x51d2c1 in cv::imread_(cv::String const&, int, int, cv::Mat*) /home/opencv/fuzz/target/opencv-3.3.1/modules/imgcodecs/src/loadsave.cpp:487:13
    #3 0x51a78c in cv::imread(cv::String const&, int) /home/opencv/fuzz/target/opencv-3.3.1/modules/imgcodecs/src/loadsave.cpp:638:5
    #4 0x50cf4f in main /home/opencv/fuzz/target/opencv-3.3.1/samples/cpp/example_cmake/test_png.cpp:46:25
    #5 0x7f1e5d14ef44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287
    #6 0x42f9f3 in _start (/home/opencv/test/target/12.7asan/opencv_afl-test+0x42f9f3)

0x60900000c247 is located 1 bytes to the right of 6-byte region [0x60900000c240,0x60900000c246)
allocated by thread T0 here:
    #0 0x4da835 in __interceptor_posix_memalign (/home/opencv/test/target/12.7asan/opencv_afl-test+0x4da835)
    #1 0x9b28c9 in cv::fastMalloc(unsigned long) /home/opencv/fuzz/target/opencv-3.3.1/modules/core/src/alloc.cpp:64:8
    #2 0xb8b0ca in cv::StdMatAllocator::allocate(int, int const*, int, void*, unsigned long*, int, cv::UMatUsageFlags) const /home/opencv/fuzz/target/opencv-3.3.1/modules/core/src/matrix.cpp:191:55
    #3 0xa924da in cv::Mat::create(int, int const*, int) /home/opencv/fuzz/target/opencv-3.3.1/modules/core/src/matrix.cpp:429:17
    #4 0x553b39 in cv::Mat::create(int, int, int) /home/opencv/fuzz/target/opencv-3.3.1/modules/core/include/opencv2/core/mat.inl.hpp:784:5
    #5 0x5c92e0 in cv::Jpeg2KDecoder::readData(cv::Mat&) /home/opencv/fuzz/target/opencv-3.3.1/modules/imgcodecs/src/grfmt_jpeg2000.cpp:171:9
    #6 0x51d2c1 in cv::imread_(cv::String const&, int, int, cv::Mat*) /home/opencv/fuzz/target/opencv-3.3.1/modules/imgcodecs/src/loadsave.cpp:487:13
    #7 0x51a78c in cv::imread(cv::String const&, int) /home/opencv/fuzz/target/opencv-3.3.1/modules/imgcodecs/src/loadsave.cpp:638:5
    #8 0x50cf4f in main /home/opencv/fuzz/target/opencv-3.3.1/samples/cpp/example_cmake/test_png.cpp:46:25
    #9 0x7f1e5d14ef44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/opencv/fuzz/target/opencv-3.3.1/modules/imgcodecs/src/grfmt_jpeg2000.cpp:343:38 in cv::Jpeg2KDecoder::readComponent8u(unsigned char*, void*, int, int, int, int, int)
Shadow bytes around the buggy address:
  0x0c127fff97f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fff9800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fff9810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fff9820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fff9830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c127fff9840: fa fa fa fa fa fa fa fa[06]fa fa fa fa fa fa fa
  0x0c127fff9850: fa fa fa fa fa fa fa fa 01 fa fa fa fa fa fa fa
  0x0c127fff9860: fa fa fa fa fa fa fa fa 00 00 04 fa fa fa fa fa
  0x0c127fff9870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fff9880: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fff9890: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6293==ABORTING

=================================================================

Steps to reproduce

Please refer to the following url for the testcases:
https://github.com/Epeius/NBPOC/tree/master/readComponent8u_heap_overflow

@carnil
Copy link

carnil commented Jan 8, 2018

This issue has been assigned CVE-2018-5268

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Development

Successfully merging a pull request may close this issue.

4 participants