integer overflow in PxMDecoder::readData
/home/scdeny/github/opencv/modules/imgcodecs/src/grfmt_pxm.cpp:199:29: runtime error: signed integer overflow: 1166948579 * 24 cannot be represented in type 'int'
/home/scdeny/github/opencv/modules/imgcodecs/src/grfmt_pxm.cpp:199:35: runtime error: signed integer overflow: -2058005176 * 8 cannot be represented in type 'int'
/home/scdeny/github/opencv/modules/imgcodecs/src/grfmt_pxm.cpp:201:26: runtime error: signed integer overflow: 1166948579 * 3 cannot be represented in type 'int'
/home/scdeny/github/opencv/modules/imgcodecs/src/grfmt_pxm.cpp
bool PxMDecoder::readData( Mat& img )
199:
int src_pitch = (m_widthm_bppbit_depth/8 + 7)/8;
int nch = CV_MAT_CN(m_type);
int width3 = m_width*nch;
==28529==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7ffc9ad1dd72 at pc 0x7fffec9a1501 bp 0x7fffffffcce0 sp 0x7fffffffccd0
READ of size 1 at 0x7ffc9ad1dd72 thread T0
#0 0x7fffec9a1500 in icvCvt_BGR2RGB_8u_C3R(unsigned char const*, int, unsigned char*, int, CvSize) /home/scdeny/github/opencv/modules/imgcodecs/src/utils.cpp:223
#1 0x7fffec9f466e in cv::PxMDecoder::readData(cv::Mat&) /home/scdeny/github/opencv/modules/imgcodecs/src/grfmt_pxm.cpp:322
#2 0x7fffec9739a6 in cv::imread_(cv::String const&, int, int, cv::Mat*) (/home/scdeny/github/opencv/debug_3.3_asan_noafl/lib/libopencv_imgcodecs.so.3.3+0x22c9a6)
#3 0x7fffec974e33 in cv::imread(cv::String const&, int) (/home/scdeny/github/opencv/debug_3.3_asan_noafl/lib/libopencv_imgcodecs.so.3.3+0x22de33)
#4 0x4040b4 in main cpp/opencv_fuzzer.cpp:56
#5 0x7fffeb0dd82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#6 0x402f48 in _start (/home/scdeny/spoof_detection/bin/opencv_fuzzer_noafl_asan+0x402f48)
0x7ffc9ad1dd72 is located 0 bytes to the right of 22369650-byte region [0x7ffc997c8800,0x7ffc9ad1dd72)
allocated by thread T0 here:
#0 0x7ffff6f036b2 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x996b2)
#1 0x7fffec9b588e in cv::AutoBuffer<unsigned char, 1032ul>::allocate(unsigned long) /home/scdeny/github/opencv/modules/core/include/opencv2/core/utility.hpp:991
#2 0x7fffec9739a6 in cv::imread_(cv::String const&, int, int, cv::Mat*) (/home/scdeny/github/opencv/debug_3.3_asan_noafl/lib/libopencv_imgcodecs.so.3.3+0x22c9a6)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/scdeny/github/opencv/modules/imgcodecs/src/utils.cpp:223 icvCvt_BGR2RGB_8u_C3R(unsigned char const*, int, unsigned char*, int, CvSize)
Shadow bytes around the buggy address:
0x10001359bb50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10001359bb60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10001359bb70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10001359bb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10001359bb90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10001359bba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[02]fa
0x10001359bbb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x10001359bbc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x10001359bbd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x10001359bbe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x10001359bbf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==28529==ABORTING
The text was updated successfully, but these errors were encountered:
scdeny
changed the title
integer overflow in PxMDecoder::readData
Integer overflow in PxMDecoder::readData
Aug 15, 2017
System information (version)
Detailed description
integer overflow in PxMDecoder::readData
/home/scdeny/github/opencv/modules/imgcodecs/src/grfmt_pxm.cpp:199:29: runtime error: signed integer overflow: 1166948579 * 24 cannot be represented in type 'int'
/home/scdeny/github/opencv/modules/imgcodecs/src/grfmt_pxm.cpp:199:35: runtime error: signed integer overflow: -2058005176 * 8 cannot be represented in type 'int'
/home/scdeny/github/opencv/modules/imgcodecs/src/grfmt_pxm.cpp:201:26: runtime error: signed integer overflow: 1166948579 * 3 cannot be represented in type 'int'
/home/scdeny/github/opencv/modules/imgcodecs/src/grfmt_pxm.cpp
bool PxMDecoder::readData( Mat& img )
199:
int src_pitch = (m_widthm_bppbit_depth/8 + 7)/8;
int nch = CV_MAT_CN(m_type);
int width3 = m_width*nch;
Steps to reproduce
cv::imread("1.PxmDecoder_readData_int_overflow_poc")
poc is here:
https://github.com/scdeny/opencv_pocs/blob/master/1.PxmDecoder_readData_int_overflow_poc
Crash log
The text was updated successfully, but these errors were encountered: