Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AutoBuffer_heap_overflow in grfmt_pxm.cpp #9370

Closed
scdeny opened this issue Aug 15, 2017 · 1 comment · Fixed by #9376
Closed

AutoBuffer_heap_overflow in grfmt_pxm.cpp #9370

scdeny opened this issue Aug 15, 2017 · 1 comment · Fixed by #9376

Comments

@scdeny
Copy link

scdeny commented Aug 15, 2017

System information (version)
  • OpenCV => 3.3
  • Operating System / Platform => Ubuntu 16.04
  • Compiler => g++
Detailed description

cv::imread("0.AutoBuffer_heap_overflow_poc") trigger the heap buffer overflow
OpenCV version from 2.2 to 3.3 affected

Root cause:
in modules/imgcodecs/src/grfmt_pxm.cpp

197:
    int  bit_depth = CV_ELEM_SIZE1(m_type)*8;
    int  src_pitch = (m_width*m_bpp*bit_depth/8 + 7)/8;
205:
    AutoBuffer<uchar> _src(src_pitch + 32);
    uchar* src = _src;
234:
                    for( x = 0; x < m_width; x++ )
                        src[x] = ReadNumber( m_strm, 1 ) != 0;

In my poc, the m_width is about 8x bigger than src_pitch, which cause the _src buffer overflowed

(gdb) p src_pitch
$1 = 0xa2c3
(gdb) p m_width
$2 = 0x51615
(gdb) p m_bpp
$3 = 0x1
(gdb) p bit_depth
$4 = 0x8
Steps to reproduce

cv::imread("0.AutoBuffer_heap_overflow_poc")
poc is here:
https://github.com/scdeny/opencv_pocs/blob/master/0.AutoBuffer_heap_overflow_poc

Crash log

=================================================================
==18000==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62e00000a6e3 at pc 0x7fffec9f24cc bp 0x7fffffffcd60 sp 0x7fffffffcd50
WRITE of size 1 at 0x62e00000a6e3 thread T0
    #0 0x7fffec9f24cb in cv::PxMDecoder::readData(cv::Mat&) /home/scdeny/github/opencv/modules/imgcodecs/src/grfmt_pxm.cpp:237
    #1 0x7fffec9739a6 in cv::imread_(cv::String const&, int, int, cv::Mat*) (/home/scdeny/github/opencv/debug_3.3_asan_noafl/lib/libopencv_imgcodecs.so.3.3+0x22c9a6)
    #2 0x7fffec974e33 in cv::imread(cv::String const&, int) (/home/scdeny/github/opencv/debug_3.3_asan_noafl/lib/libopencv_imgcodecs.so.3.3+0x22de33)
    #3 0x4040b4 in main cpp/opencv_fuzzer.cpp:56
    #4 0x7fffeb0dd82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x402f48 in _start (/home/scdeny/spoof_detection/bin/opencv_fuzzer_noafl_asan+0x402f48)

0x62e00000a6e3 is located 0 bytes to the right of 41699-byte region [0x62e000000400,0x62e00000a6e3)
allocated by thread T0 here:
    #0 0x7ffff6f036b2 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x996b2)
    #1 0x7fffec9b588e in cv::AutoBuffer<unsigned char, 1032ul>::allocate(unsigned long) /home/scdeny/github/opencv/modules/core/include/opencv2/core/utility.hpp:991
    #2 0x7fffec9739a6 in cv::imread_(cv::String const&, int, int, cv::Mat*) (/home/scdeny/github/opencv/debug_3.3_asan_noafl/lib/libopencv_imgcodecs.so.3.3+0x22c9a6)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/scdeny/github/opencv/modules/imgcodecs/src/grfmt_pxm.cpp:237 cv::PxMDecoder::readData(cv::Mat&)
Shadow bytes around the buggy address:
  0x0c5c7fff9480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5c7fff9490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5c7fff94a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5c7fff94b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5c7fff94c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5c7fff94d0: 00 00 00 00 00 00 00 00 00 00 00 00[03]fa fa fa
  0x0c5c7fff94e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5c7fff94f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5c7fff9500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5c7fff9510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5c7fff9520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==18000==ABORTING
@scdeny
Copy link
Author

scdeny commented Aug 16, 2017

got CVE-2017-12862

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Development

Successfully merging a pull request may close this issue.

3 participants