
out of bounds read in function cv::predictOrdered<cv::HaarEvaluator>  #15125

@YourButterfly

Description

System information (version)
  • OpenCV => 4.1.0
  • Operating System / Platform => Ubuntu 18.04 LTS
  • Compiler => clang-7
Detailed description
An issue was discovered in OpenCV 4.1.0: there is an out-of-bounds read in function cv::predictOrdered<cv::HaarEvaluator> in cascadedetect.hpp, which leads to denial of service.

source

 511                 double val = featureEvaluator(node.featureIdx);
 512                 idx = val < node.threshold ? node.left : node.right;
 513             }
 514             while( idx > 0 );
> 515             sum += /* bug => */ cascadeLeaves[leafOfs - idx];
 516             nodeOfs += weak.nodeCount;
 517             leafOfs += weak.nodeCount + 1;
 518         }
 519         if( sum < stage.threshold )
 520             return -si;

debug

In file: /home/pwd/SofterWare/opencv-4.1.0/modules/objdetect/src/cascadedetect.hpp
   510                 CascadeClassifierImpl::Data::DTreeNode& node = cascadeNodes[root + idx];
   511                 double val = featureEvaluator(node.featureIdx);
   512                 idx = val < node.threshold ? node.left : node.right;
   513             }
   514             while( idx > 0 );
 ► 515             sum += cascadeLeaves[leafOfs - idx];
   516             nodeOfs += weak.nodeCount;
   517             leafOfs += weak.nodeCount + 1;
   518         }
   519         if( sum < stage.threshold )
   520             return -si;
─────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp  0x7fffc7ffe300 ◂— 0x8d80169006580d8
01:0008│      0x7fffc7ffe308 ◂— 0xbba5787f80000000
02:0010│      0x7fffc7ffe310 —▸ 0x7fffd53a5de0 ◂— 0xb1088000af4cb
03:0018│      0x7fffc7ffe318 ◂— 0xffedb5a100000003
04:0020│      0x7fffc7ffe320 ◂— 0xbf74af0fe0000000
05:0028│      0x7fffc7ffe328 —▸ 0x6b7b70 ◂— 0x0
06:0030│      0x7fffc7ffe330 ◂— 0x800000000000005d /* ']' */
07:0038│      0x7fffc7ffe338 —▸ 0x66f4a4 ◂— 0x100000000
───────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────────────────────────
 ► f 0     7ffff5e2c500
   f 1     7ffff5e2bb21
   f 2     7ffff5e3bd74
   f 3     7fffef87dc59
   f 4     7fffef87ea3b cv::ParallelJob::execute(bool)+603
   f 5     7fffef87e21a cv::WorkerThread::thread_body()+890
   f 6     7fffef880e05 cv::WorkerThread::thread_loop_wrapper(void*)+21
   f 7     7fffee3d46db start_thread+219
Program received signal SIGSEGV (fault address 0xfffffffe006630f8)
pwndbg> p cascadeLeaves 
$1 = (float *) 0x662e10
pwndbg> p leafOfs 
$2 = 186
pwndbg> p idx
$3 = -2147483648

bug report

AddressSanitizer:DEADLYSIGNAL
=================================================================
==9176==ERROR: AddressSanitizer: SEGV on unknown address 0x623e000443e8 (pc 0x7fc9fc661bfa bp 0x7fc9daee70b0 sp 0x7fc9daee6f80 T1)
==9176==The signal is caused by a READ memory access.
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer:DEADLYSIGNAL
    #0 0x7fc9fc661bf9 in int cv::predictOrdered<cv::HaarEvaluator>(cv::CascadeClassifierImpl&, cv::Ptr<cv::FeatureEvaluator>&, double&) /src/opencv/modules/objdetect/src/cascadedetect.hpp:515:17
    #1 0x7fc9fc65f736 in cv::CascadeClassifierImpl::runAt(cv::Ptr<cv::FeatureEvaluator>&, cv::Point_<int>, int, double&) /src/opencv/modules/objdetect/src/cascadedetect.cpp:962:20
    #2 0x7fc9fc692083 in cv::CascadeClassifierInvoker::operator()(cv::Range const&) const /src/opencv/modules/objdetect/src/cascadedetect.cpp:1029:46
    #3 0x7fc9f294b0c3 in (anonymous namespace)::ParallelLoopBodyWrapper::operator()(cv::Range const&) const /src/opencv/modules/core/src/parallel.cpp:343:17
    #4 0x7fc9f2d737e7 in cv::ParallelJob::execute(bool) /src/opencv/modules/core/src/parallel_impl.cpp:315:22
    #5 0x7fc9f2d7125b in cv::WorkerThread::thread_body() /src/opencv/modules/core/src/parallel_impl.cpp:415:24
    #6 0x7fc9f2d7f719 in cv::WorkerThread::thread_loop_wrapper(void*) /src/opencv/modules/core/src/parallel_impl.cpp:265:41
    #7 0x7fc9f15e46b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #8 0x7fc9f0cf841c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /src/opencv/modules/objdetect/src/cascadedetect.hpp:515:17 in int cv::predictOrdered<cv::HaarEvaluator>(cv::CascadeClassifierImpl&, cv::Ptr<cv::FeatureEvaluator>&, double&)
Thread T1 created by T0 here:
    #0 0x43428d in __interceptor_pthread_create /work/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204
    #1 0x7fc9f2d79d58 in cv::WorkerThread::WorkerThread(cv::ThreadPool&, unsigned int) /src/opencv/modules/core/src/parallel_impl.cpp:227:15
    #2 0x7fc9f2d76240 in cv::ThreadPool::reconfigure_(unsigned int) /src/opencv/modules/core/src/parallel_impl.cpp:510:53
    #3 0x7fc9f2d7bb07 in cv::ThreadPool::run(cv::Range const&, cv::ParallelLoopBody const&, double) /src/opencv/modules/core/src/parallel_impl.cpp:548:9
    #4 0x7fc9f2949a99 in parallel_for_impl(cv::Range const&, cv::ParallelLoopBody const&, double) /src/opencv/modules/core/src/parallel.cpp:590:9
    #5 0x7fc9f2949a99 in cv::parallel_for_(cv::Range const&, cv::ParallelLoopBody const&, double) /src/opencv/modules/core/src/parallel.cpp:518
    #6 0x7fc9fc673269 in cv::CascadeClassifierImpl::detectMultiScaleNoGrouping(cv::_InputArray const&, std::vector<cv::Rect_<int>, std::allocator<cv::Rect_<int> > >&, std::vector<int, std::allocator<int> >&, std::vector<double, std::allocator<double> >&, double, cv::Size_<int>, cv::Size_<int>, bool) /src/opencv/modules/objdetect/src/cascadedetect.cpp:1346:9
    #7 0x7fc9fc677cb8 in cv::CascadeClassifierImpl::detectMultiScale(cv::_InputArray const&, std::vector<cv::Rect_<int>, std::allocator<cv::Rect_<int> > >&, std::vector<int, std::allocator<int> >&, std::vector<double, std::allocator<double> >&, double, int, int, cv::Size_<int>, cv::Size_<int>, bool) /src/opencv/modules/objdetect/src/cascadedetect.cpp:1365:5
    #8 0x7fc9fc6786ee in cv::CascadeClassifierImpl::detectMultiScale(cv::_InputArray const&, std::vector<cv::Rect_<int>, std::allocator<cv::Rect_<int> > >&, double, int, int, cv::Size_<int>, cv::Size_<int>) /src/opencv/modules/objdetect/src/cascadedetect.cpp:1386:5
    #9 0x7fc9fc686370 in cv::CascadeClassifier::detectMultiScale(cv::_InputArray const&, std::vector<cv::Rect_<int>, std::allocator<cv::Rect_<int> > >&, double, int, int, cv::Size_<int>, cv::Size_<int>) /src/opencv/modules/objdetect/src/cascadedetect.cpp:1659:9
    #10 0x51d4bc in main /work/funcs/classifier.cc:34:24
    #11 0x7fc9f0c1182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

==9176==ABORTING

others

from fuzz project pwd-opencv-classifier-00
crash name pwd-opencv-classifier-00-00000253-20190703.xml
Auto-generated by pyspider at 2019-07-03 07:57:31

Please send an email to teamseri0us360@gmail.com if you have any questions.
Steps to reproduce

commandline

classifier /work/funcs/appname.bmp @@

poc2.tar.gz
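As an added example (not code from the issue or from OpenCV), the weak-tree walk from cascadedetect.hpp lines 510-515 rebuilt with bounds checks, plus a load-time validator that rejects a cascade whose node children point outside the tree's nodes or leaves. The structure names mirror the source excerpt but are stand-ins; the layout rule that an internal child index must be greater than its parent's index is an assumption added so the walk always terminates; and the crafted node with left = INT_MIN is constructed from the gdb values in the report (cascadeLeaves = 0x662e10, leafOfs = 186, idx = -2147483648). With those values, the 32-bit wrap of leafOfs - idx followed by float-sized scaling lands on 0xfffffffe006630f8, the fault address gdb printed.

```cpp
#include <climits>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Stand-in for the node type used by cv::predictOrdered (name mirrors
// cascadedetect.hpp; this is an illustration, not OpenCV code).
struct DTreeNode { int featureIdx; float threshold; int left; int right; };

// Reproduce the address computed by `cascadeLeaves[leafOfs - idx]` at line 515:
// `leafOfs - idx` is done in 32-bit int, so 186 - INT_MIN wraps to -2147483462,
// and scaling by sizeof(float) gives a pointer far below the array. Unsigned
// arithmetic is used here so the wrap is defined instead of UB.
uint64_t wrappedLeafAddress(uint64_t base, int leafOfs, int idx) {
    int32_t wrapped = (int32_t)((uint32_t)leafOfs - (uint32_t)idx);
    return base + (uint64_t)((int64_t)wrapped * (int64_t)sizeof(float));
}

// Load-time check for one weak tree: every child index must stay inside this
// tree's `nodeCount` nodes (if positive) or its `nodeCount + 1` leaves (if <= 0),
// and the tree's leaf slots must exist. Internal children must also come after
// their parent (assumed layout rule, added so the walk below always terminates).
bool validateTree(const std::vector<DTreeNode>& nodes, size_t root, int nodeCount,
                  size_t leafOfs, size_t leafCount) {
    if (nodeCount <= 0 || root + (size_t)nodeCount > nodes.size()) return false;
    if (leafOfs + (size_t)nodeCount + 1 > leafCount) return false;
    for (int i = 0; i < nodeCount; ++i) {
        const DTreeNode& n = nodes[root + i];
        const int children[2] = { n.left, n.right };
        for (int child : children) {
            if (child > 0) {            // internal node: cascadeNodes[root + child]
                if (child <= i || child >= nodeCount) return false;
            } else {                    // leaf: cascadeLeaves[leafOfs - child]
                if (child < -nodeCount) return false;
            }
        }
    }
    return true;
}

// Bounds-checked version of the do/while at lines 510-515. Returns false where
// the original would read out of range (or spin forever on a malformed tree).
bool evalTree(const std::vector<DTreeNode>& nodes, size_t root, int nodeCount,
              const std::vector<float>& leaves, size_t leafOfs,
              const std::vector<double>& featureVals, double& out) {
    if (nodeCount <= 0 || root + (size_t)nodeCount > nodes.size()) return false;
    int idx = 0;
    for (int steps = 0; ; ++steps) {
        if (idx < 0 || idx >= nodeCount || steps >= nodeCount) return false;
        const DTreeNode& node = nodes[root + idx];
        if (node.featureIdx < 0 || (size_t)node.featureIdx >= featureVals.size()) return false;
        double val = featureVals[node.featureIdx];
        idx = val < node.threshold ? node.left : node.right;
        if (idx <= 0) break;            // reached a leaf
    }
    if (idx < -nodeCount) return false; // e.g. idx == INT_MIN as in the report
    size_t leaf = leafOfs + (size_t)(-(int64_t)idx);
    if (leaf >= leaves.size()) return false;
    out = leaves[leaf];
    return true;
}

int main() {
    // Constructed stump laid out the way OpenCV stores one: left = leaf 0, right = leaf 1.
    std::vector<DTreeNode> good = { {0, 0.5f, 0, -1} };
    std::vector<float> leaves = { -0.7f, 0.9f };
    double v = 0;
    std::printf("good tree valid: %d\n", validateTree(good, 0, 1, 0, leaves.size()));
    evalTree(good, 0, 1, leaves, 0, {0.8}, v);
    std::printf("good tree leaf: %g\n", v);

    // Crafted node whose left child is INT_MIN, the idx value gdb printed.
    std::vector<DTreeNode> bad = { {0, 0.5f, INT_MIN, -1} };
    std::printf("bad tree valid: %d\n", validateTree(bad, 0, 1, 186, 188));
    std::printf("bad tree eval ok: %d\n", evalTree(bad, 0, 1, leaves, 0, {0.3}, v));
    std::printf("wrapped address: 0x%llx\n",
                (unsigned long long)wrappedLeafAddress(0x662e10, 186, INT_MIN));
    return 0;
}
```

The cascade XML is the fuzzed input in the reproduction command (the `@@` argument), so node indices are attacker-controlled. Checking them once at load time, as validateTree does, keeps the per-window loop unchanged; evalTree shows what that inner loop has to check if loading is left as-is.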
