Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Integer overflow in PxMDecoder::readData #9371

Closed
scdeny opened this issue Aug 15, 2017 · 1 comment · Fixed by #9376
Closed

Integer overflow in PxMDecoder::readData #9371

scdeny opened this issue Aug 15, 2017 · 1 comment · Fixed by #9376

Comments

@scdeny
Copy link

scdeny commented Aug 15, 2017

System information (version)
  • OpenCV => 3.3
  • Operating System / Platform => Ubuntu 16.04
  • Compiler => g++
Detailed description

integer overflow in PxMDecoder::readData
/home/scdeny/github/opencv/modules/imgcodecs/src/grfmt_pxm.cpp:199:29: runtime error: signed integer overflow: 1166948579 * 24 cannot be represented in type 'int'
/home/scdeny/github/opencv/modules/imgcodecs/src/grfmt_pxm.cpp:199:35: runtime error: signed integer overflow: -2058005176 * 8 cannot be represented in type 'int'
/home/scdeny/github/opencv/modules/imgcodecs/src/grfmt_pxm.cpp:201:26: runtime error: signed integer overflow: 1166948579 * 3 cannot be represented in type 'int'

/home/scdeny/github/opencv/modules/imgcodecs/src/grfmt_pxm.cpp
bool PxMDecoder::readData( Mat& img )
199:
int src_pitch = (m_widthm_bppbit_depth/8 + 7)/8;
int nch = CV_MAT_CN(m_type);
int width3 = m_width*nch;

Steps to reproduce

cv::imread("1.PxmDecoder_readData_int_overflow_poc")
poc is here:
https://github.com/scdeny/opencv_pocs/blob/master/1.PxmDecoder_readData_int_overflow_poc

Crash log
==28529==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7ffc9ad1dd72 at pc 0x7fffec9a1501 bp 0x7fffffffcce0 sp 0x7fffffffccd0
READ of size 1 at 0x7ffc9ad1dd72 thread T0
    #0 0x7fffec9a1500 in icvCvt_BGR2RGB_8u_C3R(unsigned char const*, int, unsigned char*, int, CvSize) /home/scdeny/github/opencv/modules/imgcodecs/src/utils.cpp:223
    #1 0x7fffec9f466e in cv::PxMDecoder::readData(cv::Mat&) /home/scdeny/github/opencv/modules/imgcodecs/src/grfmt_pxm.cpp:322
    #2 0x7fffec9739a6 in cv::imread_(cv::String const&, int, int, cv::Mat*) (/home/scdeny/github/opencv/debug_3.3_asan_noafl/lib/libopencv_imgcodecs.so.3.3+0x22c9a6)
    #3 0x7fffec974e33 in cv::imread(cv::String const&, int) (/home/scdeny/github/opencv/debug_3.3_asan_noafl/lib/libopencv_imgcodecs.so.3.3+0x22de33)
    #4 0x4040b4 in main cpp/opencv_fuzzer.cpp:56
    #5 0x7fffeb0dd82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x402f48 in _start (/home/scdeny/spoof_detection/bin/opencv_fuzzer_noafl_asan+0x402f48)

0x7ffc9ad1dd72 is located 0 bytes to the right of 22369650-byte region [0x7ffc997c8800,0x7ffc9ad1dd72)
allocated by thread T0 here:
    #0 0x7ffff6f036b2 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x996b2)
    #1 0x7fffec9b588e in cv::AutoBuffer<unsigned char, 1032ul>::allocate(unsigned long) /home/scdeny/github/opencv/modules/core/include/opencv2/core/utility.hpp:991
    #2 0x7fffec9739a6 in cv::imread_(cv::String const&, int, int, cv::Mat*) (/home/scdeny/github/opencv/debug_3.3_asan_noafl/lib/libopencv_imgcodecs.so.3.3+0x22c9a6)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/scdeny/github/opencv/modules/imgcodecs/src/utils.cpp:223 icvCvt_BGR2RGB_8u_C3R(unsigned char const*, int, unsigned char*, int, CvSize)
Shadow bytes around the buggy address:
  0x10001359bb50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001359bb60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001359bb70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001359bb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001359bb90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10001359bba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[02]fa
  0x10001359bbb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x10001359bbc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x10001359bbd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x10001359bbe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x10001359bbf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==28529==ABORTING
@scdeny scdeny changed the title integer overflow in PxMDecoder::readData Integer overflow in PxMDecoder::readData Aug 15, 2017
@scdeny
Copy link
Author

scdeny commented Aug 16, 2017

got CVE-2017-12863

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Development

Successfully merging a pull request may close this issue.

3 participants