OOB in opencv_test_core

[c0d3xpl0it]

We found OOB in opencv_test_core binary and OpenCV is complied with clang enabling ASAN.

Machine Setup

Machine : Ubuntu 16.04.3 LTS
OpenCV version: 4.1.2-pre
OpenCV VCS version: 4.1.1-267-ga74fe2e
Build type: Release
Compiler: /usr/bin/clang++  (ver 3.8.0)

Running the binary

fuzzer@fuzzer:~/victim/opencv_build/opencv/build/bin$ ./opencv_test_core
CTEST_FULL_OUTPUT
OpenCV version: 4.1.2-pre
OpenCV VCS version: 4.1.1-267-ga74fe2e
Build type: Release
Compiler: /usr/bin/clang++  (ver 3.8.0)
Parallel framework: pthreads
CPU features: SSE SSE2 SSE3 *SSE4.1 *SSE4.2 *FP16 *AVX *AVX2
Intel(R) IPP version: ippIP AVX2 (l9) 2019.0.0 Gold (-) Jul 24 2018
OpenCL is disabled
TEST: Skip tests with tags: 'mem_6gb', 'verylong'
[==========] Running 11409 tests from 239 test cases.
[----------] Global test environment set-up.
[----------] 16 tests from CommandLineParser
[ RUN      ] CommandLineParser.testFailure
[       OK ] CommandLineParser.testFailure (0 ms)
[ RUN      ] CommandLineParser.testHas_noValues
[       OK ] CommandLineParser.testHas_noValues (0 ms)

// SNIPPED //

/home/fuzzer/victim/opencv_build/opencv/modules/core/test/test_io.cpp:712: Failure
Expected equality of these values:
  _2d_in.dims
    Which is: 0
  _2d_out.dims
    Which is: 2
ASAN:DEADLYSIGNAL
=================================================================
==8986==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000b87e48 bp 0x7ffde22b6030 sp 0x7ffde22b36c0 T0)
    #0 0xb87e47  (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_core+0xb87e47)
    #1 0xb7ef22  (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_core+0xb7ef22)
    #2 0x23201e6  (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_core+0x23201e6)
    #3 0x231ff47  (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_core+0x231ff47)
    #4 0x2323d57  (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_core+0x2323d57)
    #5 0x2325939  (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_core+0x2325939)
    #6 0x234c71c  (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_core+0x234c71c)
    #7 0x234b436  (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_core+0x234b436)
    #8 0x234aef6  (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_core+0x234aef6)
    #9 0xfd72b4  (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_core+0xfd72b4)
    #10 0x7f706239b82f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x53c8b8  (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_core+0x53c8b8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_core+0xb87e47)
==8986==ABORTING

[alalek]

Expected equality of these values:
  _2d_in.dims
    Which is: 0
  _2d_out.dims
    Which is: 2

This message means that test fails and test make bailout (without debug information stack trace looks useless).
Double check that you properly configure testdata (OPENCV_TEST_DATA_PATH=<opencv_extra>/testdata)

Please dump proper name of the last launched test, like

[ RUN      ] CommandLineParser.testHas_noValues

and dump of build configuration via getBuildInformation() or opencv_version -v

Rebuild with debug information: add -g compiler flag or via cmake flag BUILD_WITH_DEBUG_INFO=1

[c0d3xpl0it]

Below is the output with and without Testdata.

Build type: Release
OpenCV version: 4.1.2-pre
OS: Linux 4.4.0-87-generic #110-Ubuntu
OpenCV VCS version: 4.1.1-267-ga74fe2e

Without Testdata

fuzzer@fuzzer:~/victim/opencv_build/opencv/build/bin$ ./opencv_test_core
CTEST_FULL_OUTPUT
OpenCV version: 4.1.2-pre
OpenCV VCS version: 4.1.1-267-ga74fe2e
Build type: Release
Compiler: /usr/local/bin/afl-clang-fast++  (ver 3.8.0)
Parallel framework: pthreads
CPU features: SSE SSE2 SSE3 *SSE4.1 *SSE4.2 *FP16 *AVX *AVX2
Intel(R) IPP version: ippIP AVX2 (l9) 2019.0.0 Gold (-) Jul 24 2018
OpenCL is disabled
TEST: Skip tests with tags: 'mem_6gb', 'verylong'
[0;32m[==========] [mRunning 11409 tests from 239 test cases.
[0;32m[----------] [mGlobal test environment set-up.
[0;32m[----------] [m16 tests from CommandLineParser
[0;32m[ RUN      ] [mCommandLineParser.testFailure
[0;32m[       OK ] [mCommandLineParser.testFailure (1 ms)

//SNIPPED//

ASAN:DEADLYSIGNAL
=================================================================
[1m[31m==12461==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000fb9a0f bp 0x7ffe82f466f0 sp 0x7ffe82f43d80 T0)
[1m[0m    #0 0xfb9a0e in bool cv::operator==<unsigned char, 3, 1>(cv::Matx<unsigned char, 3, 1> const&, cv::Matx<unsigned char, 3, 1> const&) /home/entropy/victim/no-afl/opencv_build/opencv/modules/core/include/opencv2/core/matx.hpp:1295:13
    #1 0xfb9a0e in testing::AssertionResult testing::internal::CmpHelperEQ<cv::Vec<unsigned char, 3>, cv::Vec<unsigned char, 3> >(char const*, char const*, cv::Vec<unsigned char, 3> const&, cv::Vec<unsigned char, 3> const&) /home/entropy/victim/no-afl/opencv_build/opencv/modules/ts/include/opencv2/ts/ts_gtest.h:21321
    #2 0xfb9a0e in testing::AssertionResult testing::internal::EqHelper<false>::Compare<cv::Vec<unsigned char, 3>, cv::Vec<unsigned char, 3> >(char const*, char const*, cv::Vec<unsigned char, 3> const&, cv::Vec<unsigned char, 3> const&) /home/entropy/victim/no-afl/opencv_build/opencv/modules/ts/include/opencv2/ts/ts_gtest.h:21349
    #3 0xfb9a0e in opencv_test::(anonymous namespace)::test_filestorage_basic(int, char const*, bool, bool) /home/entropy/victim/no-afl/opencv_build/opencv/modules/core/test/test_io.cpp:720
    #4 0xfaa907 in opencv_test::(anonymous namespace)::Core_InputOutput_filestorage_base64_basic_read_XML_Test::TestBody() /home/entropy/victim/no-afl/opencv_build/opencv/modules/core/test/test_io.cpp:748:1
    #5 0x3ae16a2 in void testing::internal::HandleSehExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) /home/entropy/victim/no-afl/opencv_build/opencv/modules/ts/src/ts_gtest.cpp:3917:10
    #6 0x3ae16a2 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) /home/entropy/victim/no-afl/opencv_build/opencv/modules/ts/src/ts_gtest.cpp:3953
    #7 0x3ae1213 in testing::Test::Run() /home/entropy/victim/no-afl/opencv_build/opencv/modules/ts/src/ts_gtest.cpp:3991:5
    #8 0x3ae8861 in testing::TestInfo::Run() /home/entropy/victim/no-afl/opencv_build/opencv/modules/ts/src/ts_gtest.cpp:4167:5
    #9 0x3aebbe7 in testing::TestCase::Run() /home/entropy/victim/no-afl/opencv_build/opencv/modules/ts/src/ts_gtest.cpp:4285:5
    #10 0x3b32fc4 in testing::internal::UnitTestImpl::RunAllTests() /home/entropy/victim/no-afl/opencv_build/opencv/modules/ts/src/ts_gtest.cpp:6660:11
    #11 0x3b30d4c in bool testing::internal::HandleSehExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) /home/entropy/victim/no-afl/opencv_build/opencv/modules/ts/src/ts_gtest.cpp:3917:10
    #12 0x3b30d4c in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) /home/entropy/victim/no-afl/opencv_build/opencv/modules/ts/src/ts_gtest.cpp:3953
    #13 0x3b304de in testing::UnitTest::Run() /home/entropy/victim/no-afl/opencv_build/opencv/modules/ts/src/ts_gtest.cpp:6269:10
    #14 0x16b9616 in RUN_ALL_TESTS() /home/entropy/victim/no-afl/opencv_build/opencv/modules/ts/include/opencv2/ts/ts_gtest.h:22224:10
    #15 0x16b9616 in main /home/entropy/victim/no-afl/opencv_build/opencv/modules/core/test/test_main.cpp:10
    #16 0x7ff9a2ddc82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #17 0x5b87a8 in _start (/home/entropy/victim/no-afl/opencv_build/opencv/build/bin/opencv_test_core+0x5b87a8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/entropy/victim/no-afl/opencv_build/opencv/modules/core/include/opencv2/core/matx.hpp:1295:13 in bool cv::operator==<unsigned char, 3, 1>(cv::Matx<unsigned char, 3, 1> const&, cv::Matx<unsigned char, 3, 1> const&)
==12461==ABORTING

With Testdata
All tests are successful and no error is thrown.

[alalek]

There is bug in test code.
It tries to access Mat elements of empty Mat (no testdata found).

[c0d3xpl0it]

@alalek for this issues category: vulnerability is not applicable ?

[alalek]

No - there is bug in test code.