
Integer overflow in ReadNumber #9372

Closed
scdeny opened this issue Aug 15, 2017 · 4 comments · Fixed by #9376

Comments


scdeny commented Aug 15, 2017

System information (version)
  • OpenCV => 3.3
  • Operating System / Platform => Ubuntu 16.04
  • Compiler => g++
Detailed description

Integer overflow in ReadNumber:

```
/home/scdeny/github/opencv/modules/imgcodecs/src/grfmt_pxm.cpp:83:18: runtime error: signed integer overflow: 555555555 * 10 cannot be represented in type 'int'
```

```cpp
static int ReadNumber( RLByteStream& strm, int maxdigits )
...
    do
    {
        val = val*10 + code - '0';   // grfmt_pxm.cpp:83: the multiply overflows once val exceeds INT_MAX/10
        if( ++digits >= maxdigits ) break;
        code = strm.getByte();
    }
    while( isdigit(code));
```

Steps to reproduce

```cpp
cv::imread("2.ReadNumber_int_overflow_poc")
```

PoC is here:
https://github.com/scdeny/opencv_pocs/blob/master/2.ReadNumber_int_overflow_poc
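The loop above accumulates `val = val*10 + digit` with no bound other than `maxdigits`, so a long run of digits in the PNM header drives `val` past `INT_MAX` and the multiply is undefined behaviour (UBSan reports it; without the sanitizer it silently wraps). The hardened reader below is an added example, not OpenCV's code and not the fix merged in #9376 (whose diff is not shown here). It assumes a small in-memory `MemByteStream` standing in for OpenCV's `RLByteStream`, and a hypothetical `readNumberChecked` that keeps the same digit loop and `maxdigits` cap but tests for overflow before the multiply, returning a failure flag instead of a wrapped value:

```cpp
#include <cctype>
#include <climits>
#include <cstdio>
#include <string>

// Constructed stand-in for OpenCV's RLByteStream: serves bytes from an
// in-memory buffer and returns -1 (EOF) once the buffer is exhausted.
class MemByteStream {
public:
    explicit MemByteStream(const std::string& data) : data_(data), pos_(0) {}
    int getByte() {
        if (pos_ >= data_.size()) return -1;
        return static_cast<unsigned char>(data_[pos_++]);
    }
private:
    std::string data_;
    std::string::size_type pos_;
};

// Result of a bounded decimal read. ok == false means either no digit was
// found or the digits do not fit in an int (the overflow case from the report).
struct NumberResult {
    bool ok;
    int value;
    int digits;
};

// Same shape as the reported loop (skip leading whitespace, then accumulate
// at most maxdigits decimal digits), but the overflow test happens before the
// multiply, so the arithmetic is always defined and oversized input is rejected.
NumberResult readNumberChecked(MemByteStream& strm, int maxdigits) {
    NumberResult r = {true, 0, 0};
    int code = strm.getByte();
    while (code != -1 && std::isspace(code)) code = strm.getByte();
    if (code == -1 || !std::isdigit(code)) { r.ok = false; return r; }

    do {
        int d = code - '0';
        // value*10 + d exceeds INT_MAX exactly when value > (INT_MAX - d) / 10
        // (integer division), so this check never overflows itself.
        if (r.value > (INT_MAX - d) / 10) {
            r.ok = false;          // reject instead of wrapping
            return r;
        }
        r.value = r.value * 10 + d;
        if (++r.digits >= maxdigits) break;
        code = strm.getByte();
    } while (code != -1 && std::isdigit(code));

    return r;
}

// Convenience wrapper: parse a number from a string literal.
NumberResult readNumberFromString(const std::string& s, int maxdigits) {
    MemByteStream strm(s);
    return readNumberChecked(strm, maxdigits);
}

int main() {
    // Constructed inputs: a normal PNM dimension pair, and a digit run of the
    // kind in the PoC (555555555 * 10 does not fit in a 32-bit int).
    NumberResult a = readNumberFromString("640 480", INT_MAX);
    NumberResult b = readNumberFromString("5555555555", INT_MAX);
    std::printf("\"640 480\" -> ok=%d value=%d digits=%d\n", a.ok, a.value, a.digits);
    std::printf("\"5555555555\" -> ok=%d (rejected before overflow)\n", b.ok);
    return 0;
}
```

The check `r.value > (INT_MAX - d) / 10` is the standard pre-multiplication guard: it is exact for every digit 0..9 and never overflows on its own, which is why it is preferable to checking the product after the fact or casting to a wider type and hoping the caller validates later. A caller that treats `ok == false` as a decode error gets a clean failure on a hostile header rather than a wrapped dimension flowing into an allocation size.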

@tomoaki0705 (Contributor) commented

I suggest you use the GitHub features to

  1. Link to the source code, not just write it down
  2. Highlight the source code

```cpp
cv::imread("2.ReadNumber_int_overflow_poc");
```

and also

  1. Provide a more specific compiler version
    • probably the cmake version and also the cmake options you used.
    • It'll help a LOT for the others, much much more than you imagine.

BTW, the number written in the file is large, so raising a runtime error looks like valid behavior to me. What did you expect to see?

@scdeny (Author)

scdeny commented Aug 15, 2017

Thanks for your suggestion! I will do that next time.
I compile OpenCV like this (GCC Undefined Behavior Sanitizer, UBSan):

```
cmake -DCMAKE_BUILD_TYPE=Debug -DCMAKE_CXX_FLAGS="-fsanitize=address,undefined"
```

cmake version 3.8.2
so the integer overflow warning is printed; otherwise it will cause unpredictable errors.

@scdeny (Author)

scdeny commented Aug 16, 2017

Got CVE-2017-12864.

@tomoaki0705 (Contributor) commented

Probably it's better to link, not just write it down.
Nice work!
