
out of bounds read/write in Function HaarEvaluator::OptFeature::calc #15124

@YourButterfly

Description

System information (version)
  • OpenCV => 4.1.0
  • Operating System / Platform => Ubuntu 18.04 LTS
  • Compiler => clang-7
Detailed description
    An issue was discovered in OpenCV 4.1.0: there is an out-of-bounds read/write in the function HaarEvaluator::OptFeature::calc in cascadedetect.hpp, which leads to denial of service.

src

#define CALC_SUM_OFS_(p0, p1, p2, p3, ptr) \
((ptr)[p0] - (ptr)[p1] - (ptr)[p2] + (ptr)[p3])

#define CALC_SUM_OFS(rect, ptr) CALC_SUM_OFS_((rect)[0], (rect)[1], (rect)[2], (rect)[3], ptr)

debug

In file: /home/pwd/SofterWare/opencv-4.1.0/modules/objdetect/src/cascadedetect.hpp
   390     ofs[2][0] = ofs[2][1] = ofs[2][2] = ofs[2][3] = 0;
   391 }
   392
   393 inline float HaarEvaluator::OptFeature :: calc( const int* ptr ) const
   394 {
 ► 395     float ret = weight[0] * CALC_SUM_OFS(ofs[0], ptr) +
   396                 weight[1] * CALC_SUM_OFS(ofs[1], ptr);
   397
   398     if( weight[2] != 0.0f )
   399         ret += weight[2] * CALC_SUM_OFS(ofs[2], ptr);
   400
─────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rbp rsp  0x7fffc7ffe2b0 —▸ 0x7fffc7ffe2e0 —▸ 0x7fffc7ffe3c0 —▸ 0x7fffc7ffe470 —▸ 0x7fffc7ffe5b0 ◂— ...
01:0008│          0x7fffc7ffe2b8 —▸ 0x7ffff5e3c218 ◂— mov    rax, qword ptr [rbp - 0x18]
02:0010│          0x7fffc7ffe2c0 —▸ 0x7fffc7ffe2e0 —▸ 0x7fffc7ffe3c0 —▸ 0x7fffc7ffe470 —▸ 0x7fffc7ffe5b0 ◂— ...
03:0018│          0x7fffc7ffe2c8 —▸ 0x7fffcc000ce0 —▸ 0x7ffff60d0e08 —▸ 0x7ffff5e25d30 (cv::HaarEvaluator::~HaarEvaluator()) ◂— push   rbp
04:0020│          0x7fffc7ffe2d0 ◂— 0x7d00000000
05:0028│          0x7fffc7ffe2d8 —▸ 0x7fffcc000ce0 —▸ 0x7ffff60d0e08 —▸ 0x7ffff5e25d30 (cv::HaarEvaluator::~HaarEvaluator()) ◂— push   rbp
06:0030│          0x7fffc7ffe2e0 —▸ 0x7fffc7ffe3c0 —▸ 0x7fffc7ffe470 —▸ 0x7fffc7ffe5b0 —▸ 0x7fffc7ffe650 ◂— ...
07:0038│          0x7fffc7ffe2e8 —▸ 0x7ffff5e2bdad ◂— movss  dword ptr [rbp - 0xcc], xmm0
───────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────────────────────────
 ► f 0     7ffff5e3c24c
   f 1     7ffff5e3c218
   f 2     7ffff5e2bdad
   f 3     7ffff5e2ba90
   f 4     7ffff5e3bd74
   f 5     7fffef87dc59
   f 6     7fffef87ea3b cv::ParallelJob::execute(bool)+603
   f 7     7fffef87e21a cv::WorkerThread::thread_body()+890
   f 8     7fffef880e05 cv::WorkerThread::thread_loop_wrapper(void*)+21
   f 9     7fffee3d46db start_thread+219
Program received signal SIGSEGV (fault address 0x7ffdd53a6cdc)
pwndbg> p ofs 
$9 = {{-2147481185, -2147481182, -2147479073, -2147479070}, {2470, 2471, 4582, 4583}, {0, 0, 0, 0}}
Steps to reproduce
classifier /work/funcs/appname.bmp poc

poc1.tar.gz
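Added example, not part of the report above and not OpenCV's own code or fix. It reproduces the quoted macro pair, derives the four integral-image offsets from a rectangle the way the cascade loader has to (the `Rect` type, `sumOffsets` and the window-fit check are illustrative stand-ins, not cv:: APIs), and puts the unchecked evaluation next to a checked one. The crash dump shows `ofs[0]` holding values near INT_MIN, so `ptr[p0]` is dereferenced far outside the integral image; the point of the example is that a rectangle coming from an untrusted cascade file has to be validated against the detection window at load time and the resulting offsets against the buffer before they are ever used as indices.

```cpp
#include <array>
#include <cstdint>
#include <iostream>
#include <optional>
#include <vector>

// The macro pair quoted in the issue (cascadedetect.hpp): four reads from
// the integral image at precomputed offsets, with no range check of any kind.
#define CALC_SUM_OFS_(p0, p1, p2, p3, ptr) \
    ((ptr)[p0] - (ptr)[p1] - (ptr)[p2] + (ptr)[p3])
#define CALC_SUM_OFS(rect, ptr) \
    CALC_SUM_OFS_((rect)[0], (rect)[1], (rect)[2], (rect)[3], ptr)

struct Rect { int x, y, width, height; };   // hypothetical stand-in for cv::Rect

// Integral (summed-area) image of a w x h single-channel image: (w+1) x (h+1)
// ints, row step w+1, where S[y][x] is the sum of img over [0,x) x [0,y).
std::vector<int> integralImage(const std::vector<int>& img, int w, int h) {
    const int step = w + 1;
    std::vector<int> sum(static_cast<size_t>(step) * (h + 1), 0);
    for (int y = 0; y < h; ++y)
        for (int x = 0; x < w; ++x)
            sum[(y + 1) * step + (x + 1)] = img[y * w + x]
                + sum[y * step + (x + 1)] + sum[(y + 1) * step + x] - sum[y * step + x];
    return sum;
}

// Offsets of the rectangle's four corners in the integral image for a given
// row step (assumed to mirror how OptFeature::ofs is filled; done in 64-bit
// so a hostile rect cannot silently wrap around in int arithmetic).
std::array<int64_t, 4> sumOffsets(const Rect& r, int64_t step) {
    const int64_t x0 = r.x, x1 = static_cast<int64_t>(r.x) + r.width;
    const int64_t y0 = static_cast<int64_t>(r.y) * step;
    const int64_t y1 = (static_cast<int64_t>(r.y) + r.height) * step;
    return { x0 + y0, x1 + y0, x0 + y1, x1 + y1 };
}

// Load-time check: a feature rectangle read from a cascade file must lie
// inside the detection window, otherwise its offsets can never be in range.
bool rectFitsWindow(const Rect& r, int winW, int winH) {
    if (r.x < 0 || r.y < 0 || r.width <= 0 || r.height <= 0) return false;
    return static_cast<int64_t>(r.x) + r.width <= winW
        && static_cast<int64_t>(r.y) + r.height <= winH;
}

// Vulnerable form: trusts ofs exactly as the macro does. With a rect from a
// hostile cascade, ptr[p0] reads (and a later store writes) far outside the
// integral-image buffer, which is the SIGSEGV in the report.
int unsafeCalc(const std::array<int64_t, 4>& ofs, const int* ptr) {
    return CALC_SUM_OFS(ofs, ptr);
}

// Hardened form: every offset is checked against the buffer length before it
// is used as an index; an out-of-range rect yields nullopt instead of a read.
std::optional<int> safeCalc(const Rect& r, const std::vector<int>& integral,
                            int64_t step) {
    if (r.width <= 0 || r.height <= 0) return std::nullopt;
    const std::array<int64_t, 4> ofs = sumOffsets(r, step);
    const int64_t len = static_cast<int64_t>(integral.size());
    for (int64_t o : ofs)
        if (o < 0 || o >= len) return std::nullopt;
    return CALC_SUM_OFS(ofs, integral.data());
}

int main() {
    // Constructed input: a 4x4 all-ones image, so a rect's sum equals its area.
    const std::vector<int> img(16, 1);
    const std::vector<int> sum = integralImage(img, 4, 4);
    const int64_t step = 5;

    const Rect ok{1, 1, 3, 2};                 // inside the 4x4 window
    const Rect hostile{0, 1000000, 3, 2};      // as an untrusted cascade could supply

    std::cout << "valid rect fits window: " << rectFitsWindow(ok, 4, 4)
              << ", sum = " << unsafeCalc(sumOffsets(ok, step), sum.data()) << '\n';
    std::cout << "hostile rect fits window: " << rectFitsWindow(hostile, 4, 4)
              << ", checked sum present: " << safeCalc(hostile, sum, step).has_value()
              << '\n';
    // Calling unsafeCalc on the hostile rect would index ~5,000,000 ints past
    // a 25-int buffer; that is the code path the report crashes in.
    return 0;
}
```

The two checks are layered on purpose: `rectFitsWindow` belongs where the cascade XML is parsed, so a malformed file is rejected before any feature is evaluated, and the range test in `safeCalc` is the cheap last line of defence for offsets that are computed later (for example after the feature set is rescaled to a different window size).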
