OOB in opencv_test_imgcodecs

[c0d3xpl0it]

We found OOB in opencv_test_imgcodecs binary and OpenCV is complied with clang enabling ASAN.

Machine Setup

Machine : Ubuntu 16.04.3 LTS
OpenCV version: 4.1.2-pre
OpenCV VCS version: 4.1.1-267-ga74fe2e
Build type: Release
Compiler: /usr/bin/clang++  (ver 3.8.0)

Running the binary

fuzzer@fuzzer:~/victim/opencv_build/opencv/build/bin$ ./opencv_test_imgcodecs
CTEST_FULL_OUTPUT
OpenCV version: 4.1.2-pre
OpenCV VCS version: 4.1.1-267-ga74fe2e
Build type: Release
Compiler: /usr/bin/clang++  (ver 3.8.0)
Parallel framework: pthreads
CPU features: SSE SSE2 SSE3 *SSE4.1 *SSE4.2 *FP16 *AVX *AVX2
Intel(R) IPP version: ippIP AVX2 (l9) 2019.0.0 Gold (-) Jul 24 2018
OpenCL is disabled
TEST: Skip tests with tags: 'mem_6gb', 'verylong'
[==========] Running 140 tests from 19 test cases.
[----------] Global test environment set-up.
[----------] 11 tests from Imgcodecs_Tiff
[ RUN      ] Imgcodecs_Tiff.decode_tile16384x16384

//SNIPPED//

[----------] 1 test from Imgcodecs_Tiff_Modes
[ RUN      ] Imgcodecs_Tiff_Modes.write_multipage
ASAN:DEADLYSIGNAL
=================================================================
==24899==ERROR: AddressSanitizer: FPE on unknown address 0x7fb08b02b755 (pc 0x7fb08b02b755 bp 0x7ffc71db69f0 sp 0x7ffc71db3360 T0)
    #0 0x7fb08b02b754  (/home/fuzzer/victim/opencv_build/opencv/build/lib/libopencv_imgcodecs.so.4.1+0x103754)
    #1 0x7fb08afc6740  (/home/fuzzer/victim/opencv_build/opencv/build/lib/libopencv_imgcodecs.so.4.1+0x9e740)
    #2 0x5363b0  (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_imgcodecs+0x5363b0)
    #3 0x5350e2  (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_imgcodecs+0x5350e2)
    #4 0x6282e6  (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_imgcodecs+0x6282e6)
    #5 0x628047  (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_imgcodecs+0x628047)
    #6 0x62be57  (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_imgcodecs+0x62be57)
    #7 0x62da39  (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_imgcodecs+0x62da39)
    #8 0x65481c  (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_imgcodecs+0x65481c)
    #9 0x653536  (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_imgcodecs+0x653536)
    #10 0x652ff6  (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_imgcodecs+0x652ff6)
    #11 0x5e6d6a  (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_imgcodecs+0x5e6d6a)
    #12 0x7fb0861ec82f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x43f368  (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_imgcodecs+0x43f368)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE (/home/fuzzer/victim/opencv_build/opencv/build/lib/libopencv_imgcodecs.so.4.1+0x103754)
==24899==ABORTING

[alalek]

Please add required information: #15558 (comment)

[c0d3xpl0it]

I just reproduced with fresh build.

Compilation Steps on Ubuntu 16.04.3 LTS

mkdir opencv_build
cd opencv_build/
git clone https://github.com/opencv/opencv.git
git clone https://github.com/opencv/opencv_contrib.git
git clone https://github.com/opencv/opencv_extra.git
cd opencv
mkdir build && cd build
export CC=/usr/bin/clang
export CXX=/usr/bin/clang++
cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=/usr/local -DINSTALL_C_EXAMPLES=ON -DOPENCV_GENERATE_PKGCONFIG=ON -DOPENCV_GENERATE_PKGCONFIG=ON -DCMAKE_CXX_FLAGS=-fsanitize=address -DCMAKE_C_FLAGS=-fsanitize=address -DOPENCV_EXTRA_MODULES_PATH=../../opencv_contrib/modules \ -DOPENCV_ENABLE_NONFREE=True BUILD_WITH_DEBUG_INFO=1 ..
ASAN_OPTIONS=symbolize=1:detect_leaks=1 ASAN_SYMBOLIZER_PATH=/usr/lib/llvm-3.8/bin/llvm-symbolizer make -j8

Showing Opencv version, Testdata path and running the binary

fuzzer@fuzzer:~/victim/opencv_build/opencv/build/bin$ ./opencv_version
4.1.2-pre

fuzzer@fuzzer:~/victim/opencv_build/opencv/build/bin$ env | grep test
OPENCV_TEST_DATA_PATH=../../../opencv_extra/testdata/	

fuzzer@fuzzer:~/victim/opencv_build/opencv/build/bin$ ./opencv_test_imgcodecs
CTEST_FULL_OUTPUT
OpenCV version: 4.1.2-pre
OpenCV VCS version: 4.1.1-267-ga74fe2e
Build type: Release
Compiler: /usr/bin/clang++  (ver 3.8.0)
Parallel framework: pthreads
CPU features: SSE SSE2 SSE3 *SSE4.1 *SSE4.2 *FP16 *AVX *AVX2
Intel(R) IPP version: ippIP AVX2 (l9) 2019.0.0 Gold (-) Jul 24 2018
OpenCL is disabled
TEST: Skip tests with tags: 'mem_6gb', 'verylong'
[==========] Running 140 tests from 19 test cases.
[----------] Global test environment set-up.
[----------] 11 tests from Imgcodecs_Tiff
[ RUN      ] Imgcodecs_Tiff.decode_tile16384x16384
[       OK ] Imgcodecs_Tiff.decode_tile16384x16384 (9747 ms)
[ RUN      ] Imgcodecs_Tiff.write_read_16bit_big_little_endian
[       OK ] Imgcodecs_Tiff.write_read_16bit_big_little_endian (1 ms)

//SNIPPED//

[----------] Global test environment tear-down
[==========] 140 tests from 19 test cases ran. (43392 ms total)
[  PASSED  ] 140 tests.

=================================================================
==2691==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 8 byte(s) in 1 object(s) allocated from:
    #0 0x50dac0  (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_imgcodecs+0x50dac0)
    #1 0x7fe071309366  (/home/fuzzer/victim/opencv_build/opencv/build/lib/libopencv_imgcodecs.so.4.1+0x864366)

SUMMARY: AddressSanitizer: 8 byte(s) leaked in 1 allocation(s).
fuzzer@fuzzer:~/victim/opencv_build/opencv/build/bin

[c0d3xpl0it]

Below is the output with and without Testdata.

Build type: Release
OpenCV version: 4.1.2-pre
OS: Linux 4.4.0-87-generic #110-Ubuntu
OpenCV VCS version: 4.1.1-267-ga74fe2e

Without Testdata

fuzzer@fuzzer:~/victim/opencv_build/opencv/build/bin$ env | grep test
fuzzer@fuzzer:~/victim/opencv_build/opencv/build/bin$ ./opencv_version
4.1.2-pre
fuzzer@fuzzer:~/victim/opencv_build/opencv/build/bin$ ./opencv_test_imgcodecs
CTEST_FULL_OUTPUT
OpenCV version: 4.1.2-pre
OpenCV VCS version: 4.1.1-267-ga74fe2e
Build type: Release
Compiler: /usr/local/bin/afl-clang-fast++  (ver 3.8.0)
Parallel framework: pthreads
CPU features: SSE SSE2 SSE3 *SSE4.1 *SSE4.2 *FP16 *AVX *AVX2
Intel(R) IPP version: ippIP AVX2 (l9) 2019.0.0 Gold (-) Jul 24 2018
OpenCL is disabled
TEST: Skip tests with tags: 'mem_6gb', 'verylong'
[==========] Running 140 tests from 19 test cases.
[----------] Global test environment set-up.
[----------] 11 tests from Imgcodecs_Tiff
[ RUN      ] Imgcodecs_Tiff.decode_tile16384x16384
[       OK ] Imgcodecs_Tiff.decode_tile16384x16384 (17006 ms)
[ RUN      ] Imgcodecs_Tiff.write_read_16bit_big_little_endian
[       OK ] Imgcodecs_Tiff.write_read_16bit_big_little_endian (1 ms)
[ RUN      ] Imgcodecs_Tiff.decode_tile_remainder
/home/fuzzer/victim/opencv_build/opencv/modules/imgcodecs/test/test_tiff.cpp:107: Failure
Value of: img.empty()
  Actual: true
Expected: false
[  FAILED  ] Imgcodecs_Tiff.decode_tile_remainder (0 ms)
[ RUN      ] Imgcodecs_Tiff.decode_infinite_rowsperstrip
[       OK ] Imgcodecs_Tiff.decode_infinite_rowsperstrip (1 ms)
[ RUN      ] Imgcodecs_Tiff.readWrite_32FC1
/home/fuzzer/victim/opencv_build/opencv/modules/imgcodecs/test/test_tiff.cpp:156: Failure
Value of: img.empty()
  Actual: true
Expected: false
[  FAILED  ] Imgcodecs_Tiff.readWrite_32FC1 (0 ms)
[ RUN      ] Imgcodecs_Tiff.readWrite_64FC1
/home/fuzzer/victim/opencv_build/opencv/modules/imgcodecs/test/test_tiff.cpp:173: Failure
Value of: img.empty()
  Actual: true
Expected: false
[  FAILED  ] Imgcodecs_Tiff.readWrite_64FC1 (0 ms)
[ RUN      ] Imgcodecs_Tiff.readWrite_32FC3_SGILOG
/home/fuzzer/victim/opencv_build/opencv/modules/imgcodecs/test/test_tiff.cpp:190: Failure
Value of: img.empty()
  Actual: true
Expected: false
[  FAILED  ] Imgcodecs_Tiff.readWrite_32FC3_SGILOG (0 ms)
[ RUN      ] Imgcodecs_Tiff.readWrite_32FC3_RAW
/home/fuzzer/victim/opencv_build/opencv/modules/imgcodecs/test/test_tiff.cpp:207: Failure
Value of: img.empty()
  Actual: true
Expected: false
[  FAILED  ] Imgcodecs_Tiff.readWrite_32FC3_RAW (0 ms)
[ RUN      ] Imgcodecs_Tiff.imdecode_no_exception_temporary_file_removed
/home/fuzzer/victim/opencv_build/opencv/modules/imgcodecs/test/test_tiff.cpp:304: Failure
Value of: img.empty()
  Actual: true
Expected: false
[  FAILED  ] Imgcodecs_Tiff.imdecode_no_exception_temporary_file_removed (0 ms)
[ RUN      ] Imgcodecs_Tiff.decode_black_and_write_image_pr12989
unknown file: Failure
C++ exception with description "OpenCV(4.1.2-pre) /home/fuzzer/victim/opencv_build/opencv/modules/ts/src/ts.cpp:1015: error: (-2:Unspecified error) OpenCV tests: Can't find required data file: readwrite/bitsperpixel1.tiff in function 'findData'
" thrown in the test body.
[  FAILED  ] Imgcodecs_Tiff.decode_black_and_write_image_pr12989 (0 ms)
[ RUN      ] Imgcodecs_Tiff.decode_black_and_write_image_pr12989_default
unknown file: Failure
C++ exception with description "OpenCV(4.1.2-pre) /home/fuzzer/victim/opencv_build/opencv/modules/ts/src/ts.cpp:1015: error: (-2:Unspecified error) OpenCV tests: Can't find required data file: readwrite/bitsperpixel1.tiff in function 'findData'
" thrown in the test body.
[  FAILED  ] Imgcodecs_Tiff.decode_black_and_write_image_pr12989_default (0 ms)
[----------] 11 tests from Imgcodecs_Tiff (17009 ms total)

[----------] 1 test from Imgcodecs_Tiff_Modes
[ RUN      ] Imgcodecs_Tiff_Modes.write_multipage
ASAN:DEADLYSIGNAL
=================================================================
==12388==ERROR: AddressSanitizer: FPE on unknown address 0x7fa5e38528f1 (pc 0x7fa5e38528f1 bp 0x7ffdd8ef2c30 sp 0x7ffdd8eef580 T0)
    #0 0x7fa5e38528f0 in cv::TiffEncoder::writeLibTiff(std::vector<cv::Mat, std::allocator<cv::Mat> > const&, std::vector<int, std::allocator<int> > const&) /home/fuzzer/victim/opencv_build/opencv/modules/imgcodecs/src/grfmt_tiff.cpp:887:44
    #1 0x7fa5e37a810b in cv::imwrite_(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::vector<cv::Mat, std::allocator<cv::Mat> > const&, std::vector<int, std::allocator<int> > const&, bool) /home/fuzzer/victim/opencv_build/opencv/modules/imgcodecs/src/loadsave.cpp:694:20
    #2 0x7fa5e37a810b in cv::imwrite(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, cv::_InputArray const&, std::vector<int, std::allocator<int> > const&) /home/fuzzer/victim/opencv_build/opencv/modules/imgcodecs/src/loadsave.cpp:720
    #3 0x5613e5 in opencv_test::(anonymous namespace)::Imgcodecs_Tiff_Modes_write_multipage_Test::Body() /home/fuzzer/victim/opencv_build/opencv/modules/imgcodecs/test/test_tiff.cpp:286:16
    #4 0x55f997 in opencv_test::(anonymous namespace)::Imgcodecs_Tiff_Modes_write_multipage_Test::TestBody() /home/fuzzer/victim/opencv_build/opencv/modules/imgcodecs/test/test_tiff.cpp:265:1
    #5 0x711c52 in void testing::internal::HandleSehExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) /home/fuzzer/victim/opencv_build/opencv/modules/ts/src/ts_gtest.cpp:3917:10
    #6 0x711c52 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) /home/fuzzer/victim/opencv_build/opencv/modules/ts/src/ts_gtest.cpp:3953
    #7 0x7117c3 in testing::Test::Run() /home/fuzzer/victim/opencv_build/opencv/modules/ts/src/ts_gtest.cpp:3991:5
    #8 0x718e11 in testing::TestInfo::Run() /home/fuzzer/victim/opencv_build/opencv/modules/ts/src/ts_gtest.cpp:4167:5
    #9 0x71c197 in testing::TestCase::Run() /home/fuzzer/victim/opencv_build/opencv/modules/ts/src/ts_gtest.cpp:4285:5
    #10 0x763574 in testing::internal::UnitTestImpl::RunAllTests() /home/fuzzer/victim/opencv_build/opencv/modules/ts/src/ts_gtest.cpp:6660:11
    #11 0x7612fc in bool testing::internal::HandleSehExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) /home/fuzzer/victim/opencv_build/opencv/modules/ts/src/ts_gtest.cpp:3917:10
    #12 0x7612fc in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) /home/fuzzer/victim/opencv_build/opencv/modules/ts/src/ts_gtest.cpp:3953
    #13 0x760a8e in testing::UnitTest::Run() /home/fuzzer/victim/opencv_build/opencv/modules/ts/src/ts_gtest.cpp:6269:10
    #14 0x69ac70 in RUN_ALL_TESTS() /home/fuzzer/victim/opencv_build/opencv/modules/ts/include/opencv2/ts/ts_gtest.h:22224:10
    #15 0x69ac70 in main /home/fuzzer/victim/opencv_build/opencv/modules/imgcodecs/test/test_main.cpp:10
    #16 0x7fa5ddba682f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #17 0x44acb8 in _start (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_imgcodecs+0x44acb8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /home/fuzzer/victim/opencv_build/opencv/modules/imgcodecs/src/grfmt_tiff.cpp:887:44 in cv::TiffEncoder::writeLibTiff(std::vector<cv::Mat, std::allocator<cv::Mat> > const&, std::vector<int, std::allocator<int> > const&)
==12388==ABORTING
fuzzer@fuzzer:~/victim/opencv_build/opencv/build/bin$

With Testdata

fuzzer@fuzzer:~/victim/opencv_build/opencv/build/bin$ env | grep test
OPENCV_TEST_DATA_PATH=../../../opencv_extra/testdata/

fuzzer@fuzzer:~/victim/opencv_build/opencv/build/bin$ ./opencv_test_imgcodecs
CTEST_FULL_OUTPUT
OpenCV version: 4.1.2-pre
OpenCV VCS version: 4.1.1-267-ga74fe2e
Build type: Release
Compiler: /usr/local/bin/afl-clang-fast++  (ver 3.8.0)
Parallel framework: pthreads
CPU features: SSE SSE2 SSE3 *SSE4.1 *SSE4.2 *FP16 *AVX *AVX2
Intel(R) IPP version: ippIP AVX2 (l9) 2019.0.0 Gold (-) Jul 24 2018
OpenCL is disabled
TEST: Skip tests with tags: 'mem_6gb', 'verylong'
[0;32m[==========] [mRunning 140 tests from 19 test cases.
[0;32m[----------] [mGlobal test environment set-up.
[0;32m[----------] [m11 tests from Imgcodecs_Tiff
[0;32m[ RUN      ] [mImgcodecs_Tiff.decode_tile16384x16384
[0;32m[       OK ] [mImgcodecs_Tiff.decode_tile16384x16384 (17644 ms)
[0;32m[ RUN      ] [mImgcodecs_Tiff.write_read_16bit_big_little_endian
[0;32m[       OK ] [mImgcodecs_Tiff.write_read_16bit_big_little_endian (1 ms)
[0;32m[ RUN      ] [mImgcodecs_Tiff.decode_tile_remainder
[0;32m[       OK ] [mImgcodecs_Tiff.decode_tile_remainder (12 ms)
[0;32m[ RUN      ] [mImgcodecs_Tiff.decode_infinite_rowsperstrip
[0;32m[       OK ] [mImgcodecs_Tiff.decode_infinite_rowsperstrip (0 ms)
[0;32m[ RUN      ] [mImgcodecs_Tiff.readWrite_32FC1
[0;32m[       OK ] [mImgcodecs_Tiff.readWrite_32FC1 (2 ms)
[0;32m[ RUN      ] [mImgcodecs_Tiff.readWrite_64FC1
[0;32m[       OK ] [mImgcodecs_Tiff.readWrite_64FC1 (2 ms)
[0;32m[ RUN      ] [mImgcodecs_Tiff.readWrite_32FC3_SGILOG
[0;32m[       OK ] [mImgcodecs_Tiff.readWrite_32FC3_SGILOG (6 ms)
[0;32m[ RUN      ] [mImgcodecs_Tiff.readWrite_32FC3_RAW
[0;32m[       OK ] [mImgcodecs_Tiff.readWrite_32FC3_RAW (4 ms)
[0;32m[ RUN      ] [mImgcodecs_Tiff.imdecode_no_exception_temporary_file_removed
[0;32m[       OK ] [mImgcodecs_Tiff.imdecode_no_exception_temporary_file_removed (91 ms)
[0;32m[ RUN      ] [mImgcodecs_Tiff.decode_black_and_write_image_pr12989
[0;32m[       OK ] [mImgcodecs_Tiff.decode_black_and_write_image_pr12989 (2 ms)
[0;32m[ RUN      ] [mImgcodecs_Tiff.decode_black_and_write_image_pr12989_default
[0;32m[       OK ] [mImgcodecs_Tiff.decode_black_and_write_image_pr12989_default (1 ms)
[0;32m[----------] [m11 tests from Imgcodecs_Tiff (17765 ms total)


//SNIPPED//

[----------] Global test environment tear-down
[==========] 140 tests from 19 test cases ran. (97668 ms total)
[  PASSED  ] 140 tests.

=================================================================
==12393==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 8 byte(s) in 1 object(s) allocated from:
    #0 0x519410 in operator new(unsigned long) (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_imgcodecs+0x519410)
    #1 0x7f91eccd429a in IlmThread_opencv::ThreadPool::ThreadPool(unsigned int) /home/fuzzer/victim/opencv_build/opencv/3rdparty/openexr/IlmThread/IlmThreadPool.cpp:758:29
    #2 0x7f91eccd429a in IlmThread_opencv::ThreadPool::globalThreadPool() /home/fuzzer/victim/opencv_build/opencv/3rdparty/openexr/IlmThread/IlmThreadPool.cpp:838

SUMMARY: AddressSanitizer: 8 byte(s) leaked in 1 allocation(s).
fuzzer@fuzzer:~/victim/opencv_build/opencv/build/bin$

[c0d3xpl0it]

@alalek for this issues category: vulnerability is not applicable ?

[alalek]

Problem is observed if application tries to save empty image (which makes no sense - application itself is malformed initially).