=================================================================
==18000==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62e00000a6e3 at pc 0x7fffec9f24cc bp 0x7fffffffcd60 sp 0x7fffffffcd50
WRITE of size 1 at 0x62e00000a6e3 thread T0
#0 0x7fffec9f24cb in cv::PxMDecoder::readData(cv::Mat&) /home/scdeny/github/opencv/modules/imgcodecs/src/grfmt_pxm.cpp:237
#1 0x7fffec9739a6 in cv::imread_(cv::String const&, int, int, cv::Mat*) (/home/scdeny/github/opencv/debug_3.3_asan_noafl/lib/libopencv_imgcodecs.so.3.3+0x22c9a6)
#2 0x7fffec974e33 in cv::imread(cv::String const&, int) (/home/scdeny/github/opencv/debug_3.3_asan_noafl/lib/libopencv_imgcodecs.so.3.3+0x22de33)
#3 0x4040b4 in main cpp/opencv_fuzzer.cpp:56
#4 0x7fffeb0dd82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#5 0x402f48 in _start (/home/scdeny/spoof_detection/bin/opencv_fuzzer_noafl_asan+0x402f48)
0x62e00000a6e3 is located 0 bytes to the right of 41699-byte region [0x62e000000400,0x62e00000a6e3)
allocated by thread T0 here:
#0 0x7ffff6f036b2 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x996b2)
#1 0x7fffec9b588e in cv::AutoBuffer<unsigned char, 1032ul>::allocate(unsigned long) /home/scdeny/github/opencv/modules/core/include/opencv2/core/utility.hpp:991
#2 0x7fffec9739a6 in cv::imread_(cv::String const&, int, int, cv::Mat*) (/home/scdeny/github/opencv/debug_3.3_asan_noafl/lib/libopencv_imgcodecs.so.3.3+0x22c9a6)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/scdeny/github/opencv/modules/imgcodecs/src/grfmt_pxm.cpp:237 cv::PxMDecoder::readData(cv::Mat&)
Shadow bytes around the buggy address:
0x0c5c7fff9480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5c7fff9490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5c7fff94a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5c7fff94b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5c7fff94c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5c7fff94d0: 00 00 00 00 00 00 00 00 00 00 00 00[03]fa fa fa
0x0c5c7fff94e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5c7fff94f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5c7fff9500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5c7fff9510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5c7fff9520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==18000==ABORTING
The text was updated successfully, but these errors were encountered:
System information (version)
Detailed description
cv::imread("0.AutoBuffer_heap_overflow_poc") trigger the heap buffer overflow
OpenCV version from 2.2 to 3.3 affected
Root cause:
in modules/imgcodecs/src/grfmt_pxm.cpp
In my poc, the m_width is about 8x bigger than src_pitch, which cause the _src buffer overflowed
Steps to reproduce
cv::imread("0.AutoBuffer_heap_overflow_poc")
poc is here:
https://github.com/scdeny/opencv_pocs/blob/master/0.AutoBuffer_heap_overflow_poc
Crash log
The text was updated successfully, but these errors were encountered: