An issue was discovered in OpenCV 4.1.0: there is an out-of-bounds read/write in the function HaarEvaluator::OptFeature::calc in cascadedetect.hpp, which leads to denial of service.
src
```cpp
#define CALC_SUM_OFS_(p0, p1, p2, p3, ptr) \
    ((ptr)[p0] - (ptr)[p1] - (ptr)[p2] + (ptr)[p3])

#define CALC_SUM_OFS(rect, ptr) CALC_SUM_OFS_((rect)[0], (rect)[1], (rect)[2], (rect)[3], ptr)
```
debug
```
In file: /home/pwd/SofterWare/opencv-4.1.0/modules/objdetect/src/cascadedetect.hpp
   390     ofs[2][0] = ofs[2][1] = ofs[2][2] = ofs[2][3] = 0;
   391 }
   392
   393 inline float HaarEvaluator::OptFeature :: calc( const int* ptr ) const
   394 {
 ► 395     float ret = weight[0] * CALC_SUM_OFS(ofs[0], ptr) +
   396                 weight[1] * CALC_SUM_OFS(ofs[1], ptr);
   397
   398     if( weight[2] != 0.0f )
   399         ret += weight[2] * CALC_SUM_OFS(ofs[2], ptr);
   400
────────────────────[ STACK ]────────────────────
00:0000│ rbp rsp 0x7fffc7ffe2b0 —▸ 0x7fffc7ffe2e0 —▸ 0x7fffc7ffe3c0 —▸ 0x7fffc7ffe470 —▸ 0x7fffc7ffe5b0 ◂— ...
01:0008│ 0x7fffc7ffe2b8 —▸ 0x7ffff5e3c218 ◂— mov rax, qword ptr [rbp - 0x18]
02:0010│ 0x7fffc7ffe2c0 —▸ 0x7fffc7ffe2e0 —▸ 0x7fffc7ffe3c0 —▸ 0x7fffc7ffe470 —▸ 0x7fffc7ffe5b0 ◂— ...
03:0018│ 0x7fffc7ffe2c8 —▸ 0x7fffcc000ce0 —▸ 0x7ffff60d0e08 —▸ 0x7ffff5e25d30 (cv::HaarEvaluator::~HaarEvaluator()) ◂— push rbp
04:0020│ 0x7fffc7ffe2d0 ◂— 0x7d00000000
05:0028│ 0x7fffc7ffe2d8 —▸ 0x7fffcc000ce0 —▸ 0x7ffff60d0e08 —▸ 0x7ffff5e25d30 (cv::HaarEvaluator::~HaarEvaluator()) ◂— push rbp
06:0030│ 0x7fffc7ffe2e0 —▸ 0x7fffc7ffe3c0 —▸ 0x7fffc7ffe470 —▸ 0x7fffc7ffe5b0 —▸ 0x7fffc7ffe650 ◂— ...
07:0038│ 0x7fffc7ffe2e8 —▸ 0x7ffff5e2bdad ◂— movss dword ptr [rbp - 0xcc], xmm0
────────────────────[ BACKTRACE ]────────────────────
 ► f 0     7ffff5e3c24c
   f 1     7ffff5e3c218
   f 2     7ffff5e2bdad
   f 3     7ffff5e2ba90
   f 4     7ffff5e3bd74
   f 5     7fffef87dc59
   f 6     7fffef87ea3b cv::ParallelJob::execute(bool)+603
   f 7     7fffef87e21a cv::WorkerThread::thread_body()+890
   f 8     7fffef880e05 cv::WorkerThread::thread_loop_wrapper(void*)+21
   f 9     7fffee3d46db start_thread+219
Program received signal SIGSEGV (fault address 0x7ffdd53a6cdc)
pwndbg> p ofs
$9 = {{-2147481185, -2147481182, -2147479073, -2147479070}, {2470, 2471, 4582, 4583}, {0, 0, 0, 0}}
```
classifier /work/funcs/appname.bmp poc
poc1.tar.gz
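The `ofs[0]` values in the debugger output are large negative indices, and `CALC_SUM_OFS` dereferences them without any range check. The following is an added example, not OpenCV's code or its fix: a checked counterpart of `calc()` that validates every offset against the buffer length first. The names `offsetsInBounds`, `calcChecked`, `makeSampleSum` and the `base` parameter are hypothetical, the sample buffer is constructed, and it assumes `ptr` points `base` ints into a sum buffer of known length.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <vector>

// Same shape as the `ofs` array printed in the debugger session.
using Offsets = std::array<std::array<int, 4>, 3>;
using Weights = std::array<float, 3>;

// Values copied from the `p ofs` output in the report.
const Offsets kReportedOfs = {{{-2147481185, -2147481182, -2147479073, -2147479070},
                               {2470, 2471, 4582, 4583},
                               {0, 0, 0, 0}}};

// True only if base + offset lands inside [0, len) for every corner that
// calc() would dereference. 64-bit math so base + offset cannot wrap.
bool offsetsInBounds(const Offsets& ofs, const Weights& w, std::size_t base, std::size_t len)
{
    for (std::size_t r = 0; r < ofs.size(); ++r) {
        if (r == 2 && w[2] == 0.0f) continue;  // calc() skips rect 2 when its weight is 0
        for (int o : ofs[r]) {
            const std::int64_t idx = static_cast<std::int64_t>(base) + o;
            if (idx < 0 || idx >= static_cast<std::int64_t>(len)) return false;
        }
    }
    return true;
}

// Checked counterpart of calc(): returns false and leaves `out` untouched
// instead of reading through an out-of-range offset.
bool calcChecked(const Offsets& ofs, const Weights& w, const std::vector<int>& sum,
                 std::size_t base, float& out)
{
    if (!offsetsInBounds(ofs, w, base, sum.size())) return false;
    const int* ptr = sum.data() + base;
    auto rect = [ptr](const std::array<int, 4>& p) {
        return ptr[p[0]] - ptr[p[1]] - ptr[p[2]] + ptr[p[3]];
    };
    out = w[0] * rect(ofs[0]) + w[1] * rect(ofs[1]);
    if (w[2] != 0.0f) out += w[2] * rect(ofs[2]);
    return true;
}

// Constructed sample buffer (sum[i] = i * i), not data from the report.
std::vector<int> makeSampleSum(int n)
{
    std::vector<int> s(n);
    for (int i = 0; i < n; ++i) s[i] = i * i;
    return s;
}
```

A check of this kind belongs where the offsets are computed or the cascade is loaded, so that the per-window `calc()` call stays branch-free.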