
Out of bounds write causes Segmentation Fault #9723

Closed
blendin opened this issue Sep 26, 2017 · 1 comment · Fixed by #9726

Comments

@blendin (Contributor)

blendin commented Sep 26, 2017

System information (version)

  • OpenCV => 3.3 (the latest commit: 7475d23 2017-09-26)
  • Operating System / Platform => Linux
  • Compiler => gcc

Detailed description

An invalid write occurs in the FillUniColor and FillUniGray functions in opencv/modules/imgcodecs/src/utils.cpp

POC
https://github.com/blendin/pocs/blob/master/opencv/0.OOB_Write_FillUniColor

Steps to reproduce

#include <opencv2/opencv.hpp>

int main(void) {
    // Decoding the PoC BMP drives the out-of-bounds write in FillUniColor.
    cv::imread("0.OOB_Write_FillUniColor");
    return 0;
}

Crash Details

ASAN:DEADLYSIGNAL
=================================================================
==23351==ERROR: AddressSanitizer: SEGV on unknown address 0x7f9f027530fd (pc 0x7f9f01405bd0 bp 0x000000006060 sp 0x7fff2f321208 T0)
==23351==The signal is caused by a WRITE memory access.
    #0 0x7f9f01405bcf in FillUniColor(unsigned char*, unsigned char*&, int, int, int&, int, int, PaletteEntry) (/usr/local/lib/libopencv_imgcodecs.so.3.3+0x73bcf)
    #1 0x7f9f01414895 in cv::BmpDecoder::readData(cv::Mat&) (/usr/local/lib/libopencv_imgcodecs.so.3.3+0x82895)
    #2 0x7f9f013fc642 in cv::imread_(cv::String const&, int, int, cv::Mat*) (/usr/local/lib/libopencv_imgcodecs.so.3.3+0x6a642)
    #3 0x7f9f013fbe6b in cv::imread(cv::String const&, int) (/usr/local/lib/libopencv_imgcodecs.so.3.3+0x69e6b)
    #4 0x4f118b in main /lz/targets/opencv.cc:7:15
    #5 0x7f9f0011682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x41a6e8 in _start (/lz/targets/verify+0x41a6e8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/local/lib/libopencv_imgcodecs.so.3.3+0x73bcf) in FillUniColor(unsigned char*, unsigned char*&, int, int, int&, int, int, PaletteEntry)
==23351==ABORTING
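As an added illustration (not OpenCV's code and not the fix in #9726), this is the shape of a uniform-colour run fill that stays inside the image buffer: each run is clipped at the row end and the fill stops when it would step past the last row, which is the bound a decoder's fill routine needs when the run length comes from the file. The function and struct names, the 3-byte BGR layout and the 4x2 test image are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical illustration, not OpenCV's FillUniColor: fills `count`
 * BGR pixels of one colour into a width*height image, wrapping to the
 * next row at each row end, and refuses to write past the last row.
 * Returns the number of pixels actually written. */
typedef struct { uint8_t b, g, r; } palette_entry;

size_t fill_uni_color_checked(uint8_t *img, int width, int height,
                              int *x, int *y, size_t count, palette_entry clr)
{
    size_t written = 0;
    if (!img || width <= 0 || height <= 0 || *x < 0 || *x >= width || *y < 0)
        return 0;
    while (count > 0 && *y < height) {          /* stop at the last row */
        size_t room = (size_t)(width - *x);     /* pixels left on this row */
        size_t n = count < room ? count : room; /* clip the run to the row */
        uint8_t *p = img + ((size_t)*y * (size_t)width + (size_t)*x) * 3;
        for (size_t i = 0; i < n; i++) {
            p[3 * i] = clr.b; p[3 * i + 1] = clr.g; p[3 * i + 2] = clr.r;
        }
        written += n;
        count -= n;
        *x += (int)n;
        if (*x >= width) { *x = 0; (*y)++; }    /* wrap to the next row */
    }
    return written;
}

/* Constructed check: a 4x2 image followed by a canary, and a run length
 * (100) far larger than the image, as a malformed RLE stream could carry.
 * Returns 1 if exactly 8 pixels were written and the canary is intact. */
int demo_oversized_run(void)
{
    struct { uint8_t img[4 * 2 * 3]; uint8_t canary[16]; } buf;
    memset(&buf, 0, sizeof buf);
    memset(buf.canary, 0xA5, sizeof buf.canary);
    palette_entry red = { 0, 0, 255 };
    int x = 0, y = 0;
    size_t written = fill_uni_color_checked(buf.img, 4, 2, &x, &y, 100, red);
    for (size_t i = 0; i < sizeof buf.canary; i++)
        if (buf.canary[i] != 0xA5) return 0;
    return written == 8 && y == 2 && x == 0
        && buf.img[2] == 255 && buf.img[23] == 255;
}
```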
@carnil

carnil commented Jan 3, 2018

This issue was assigned CVE-2017-1000450
