We found a heap-buffer-overflow in the opencv_test_imgproc binary; OpenCV is compiled with clang with ASAN enabled.
Machine Setup
Machine: Ubuntu 16.04.3 LTS
OpenCV version: 4.1.2-pre
OpenCV VCS version: 4.1.1-267-ga74fe2e
Build type: Release
Compiler: /usr/bin/clang++ (ver 3.8.0)
Running the binary
fuzzer@fuzzer:~/victim/opencv_build/opencv/build/bin$ ./opencv_test_imgproc
CTEST_FULL_OUTPUT
OpenCV version: 4.1.2-pre
OpenCV VCS version: 4.1.1-267-ga74fe2e
Build type: Release
Compiler: /usr/bin/clang++ (ver 3.8.0)
Parallel framework: pthreads
CPU features: SSE SSE2 SSE3 *SSE4.1 *SSE4.2 *FP16 *AVX *AVX2
Intel(R) IPP version: ippIP AVX2 (l9) 2019.0.0 Gold (-) Jul 24 2018
OpenCL is disabled
TEST: Skip tests with tags: 'mem_6gb', 'verylong'
[==========] Running 9941 tests from 191 test cases.
[----------] Global test environment set-up.
[----------] 1 test from Imgproc_MatchTemplate
[ RUN ] Imgproc_MatchTemplate.accuracy
//SNIPPED//
[ OK ] OCL_ImgprocPyr/PyrDown.Mat/93 (1 ms)
[ RUN ] OCL_ImgprocPyr/PyrDown.Mat/94, where GetParam() = (CV_32F, Channels(4), BORDER_REFLECT_101, false)
[ OK ] OCL_ImgprocPyr/PyrDown.Mat/94 (0 ms)
[ RUN ] OCL_ImgprocPyr/PyrDown.Mat/95, where GetParam() = (CV_32F, Channels(4), BORDER_REFLECT_101, true)
[ OK ] OCL_ImgprocPyr/PyrDown.Mat/95 (1 ms)
[ RUN ] OCL_ImgprocPyr/PyrDown.Mat/96, where GetParam() = (CV_64F, Channels(1), BORDER_REPLICATE, false)
=================================================================
==17377==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e000758e5f at pc 0x7ff4bf3e7c29 bp 0x7ffec07d8bd0 sp 0x7ffec07d8bc8
READ of size 16 at 0x61e000758e5f thread T0
#0 0x7ff4bf3e7c28 (/home/fuzzer/victim/opencv_build/opencv/build/lib/libopencv_imgproc.so.4.1+0x2b8c28)
#1 0x7ff4bf3d0102 (/home/fuzzer/victim/opencv_build/opencv/build/lib/libopencv_imgproc.so.4.1+0x2a1102)
#2 0xafdb27 (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_imgproc+0xafdb27)
#3 0xafd422 (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_imgproc+0xafd422)
#4 0xed92f6 (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_imgproc+0xed92f6)
#5 0xed9057 (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_imgproc+0xed9057)
#6 0xedce67 (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_imgproc+0xedce67)
#7 0xedea49 (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_imgproc+0xedea49)
#8 0xf0582c (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_imgproc+0xf0582c)
#9 0xf04546 (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_imgproc+0xf04546)
#10 0xf04006 (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_imgproc+0xf04006)
#11 0xe10b54 (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_imgproc+0xe10b54)
#12 0x7ff4bc9e382f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#13 0x4d0108 (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_imgproc+0x4d0108)
0x61e000758e5f is located 7 bytes to the right of 2520-byte region [0x61e000758480,0x61e000758e58)
allocated by thread T0 here:
#0 0x570980 (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_imgproc+0x570980)
#1 0x7ff4bd94c40d (/home/fuzzer/victim/opencv_build/opencv/build/lib/libopencv_core.so.4.1+0x62740d)
#2 0x7ff4bd69898b (/home/fuzzer/victim/opencv_build/opencv/build/lib/libopencv_core.so.4.1+0x37398b)
#3 0x7ff4bd6806b1 (/home/fuzzer/victim/opencv_build/opencv/build/lib/libopencv_core.so.4.1+0x35b6b1)
#4 0xe316b1 (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_imgproc+0xe316b1)
#5 0xac05e3 (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_imgproc+0xac05e3)
#6 0xafe2de (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_imgproc+0xafe2de)
#7 0xafda15 (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_imgproc+0xafda15)
#8 0xafd422 (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_imgproc+0xafd422)
#9 0xed92f6 (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_imgproc+0xed92f6)
#10 0xed9057 (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_imgproc+0xed9057)
#11 0xedea49 (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_imgproc+0xedea49)
#12 0xf0582c (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_imgproc+0xf0582c)
#13 0xf04546 (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_imgproc+0xf04546)
#14 0xf04006 (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_imgproc+0xf04006)
#15 0xe10b54 (/home/fuzzer/victim/opencv_build/opencv/build/bin/opencv_test_imgproc+0xe10b54)
#16 0x7ff4bc9e382f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/fuzzer/victim/opencv_build/opencv/build/lib/libopencv_imgproc.so.4.1+0x2b8c28)
Shadow bytes around the buggy address:
0x0c3c800e3170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c800e3180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c800e3190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c800e31a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c800e31b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3c800e31c0: 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa
0x0c3c800e31d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c800e31e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c800e31f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c800e3200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c800e3210: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==17377==ABORTING
fuzzer@fuzzer:~/victim/opencv_build/opencv/build/bin$
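The report above is enough to size the overread even without symbols. The following Python helper is an added example, not part of OpenCV or of the original report: it parses the quoted report lines (copied verbatim as its constructed input), works out the geometry of the access in bytes and in CV_64F elements, derives the shadow address of the region end so it can be matched against the `=>` row, and prints a command to rerun only the failing test with symbolized frames. The llvm-symbolizer path and the `./opencv_test_imgproc` working directory are assumptions.

```python
"""Triage helper for the ASan heap-buffer-overflow report above.

Added example; not part of OpenCV or of the original bug report. The report
excerpt below is copied from the run above so the helper runs offline. The
symbolizer path is an assumption for an Ubuntu 16.04 / clang 3.8 machine.
"""
import re

# Constructed input: the relevant lines of the report, copied verbatim.
ASAN_REPORT = """\
[ RUN ] OCL_ImgprocPyr/PyrDown.Mat/96, where GetParam() = (CV_64F, Channels(1), BORDER_REPLICATE, false)
==17377==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e000758e5f at pc 0x7ff4bf3e7c29 bp 0x7ffec07d8bd0 sp 0x7ffec07d8bc8
READ of size 16 at 0x61e000758e5f thread T0
#0 0x7ff4bf3e7c28 (/home/fuzzer/victim/opencv_build/opencv/build/lib/libopencv_imgproc.so.4.1+0x2b8c28)
0x61e000758e5f is located 7 bytes to the right of 2520-byte region [0x61e000758480,0x61e000758e58)
"""

# x86_64 ASan shadow mapping: shadow = (addr >> 3) + 0x7fff8000,
# one shadow byte per 8 application bytes.
SHADOW_OFFSET = 0x7FFF8000
SHADOW_SCALE = 3

_RUN = re.compile(r"\[ RUN\s*\]\s+([^\s,]+)")
_ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at 0x([0-9a-f]+)", re.M)
_FRAME0 = re.compile(r"#0 0x[0-9a-f]+ \((\S+)\+0x([0-9a-f]+)\)")
_REGION = re.compile(
    r"is located (\d+) bytes to the (left|right) of (\d+)-byte region "
    r"\[0x([0-9a-f]+),0x([0-9a-f]+)\)"
)


def parse_report(text):
    """Pull the numbers a triager needs out of a heap-buffer-overflow report."""
    run = _RUN.search(text)
    acc = _ACCESS.search(text)
    frame = _FRAME0.search(text)
    region = _REGION.search(text)
    if not (acc and region):
        raise ValueError("not a heap-buffer-overflow report with a region line")
    return {
        "test": run.group(1) if run else None,
        "kind": acc.group(1),
        "size": int(acc.group(2)),
        "addr": int(acc.group(3), 16),
        "frame0_module": frame.group(1) if frame else None,
        "frame0_offset": int(frame.group(2), 16) if frame else None,
        "region_lo": int(region.group(4), 16),
        "region_hi": int(region.group(5), 16),
        "distance": int(region.group(1)),
        "side": region.group(2),
    }


def access_geometry(info, elem_size):
    """Describe the bad access in bytes and in elements of elem_size bytes.

    elem_size comes from the test parameters (CV_64F -> 8-byte doubles);
    ASan does not know the element type, so the triager supplies it.
    """
    lo, hi = info["region_lo"], info["region_hi"]
    addr, size = info["addr"], info["size"]
    region_bytes = hi - lo
    return {
        "region_bytes": region_bytes,
        "region_elems": region_bytes // elem_size,
        "access_start_past_end": addr - hi,        # first byte touched, relative to region end
        "access_end_past_end": addr + size - hi,   # one past the last byte touched
        "bytes_in_bounds": max(0, min(hi, addr + size) - max(lo, addr)),
        "first_bad_elem": (addr - lo) // elem_size,  # element index of the first byte touched
        "aligned_to_size": addr % size == 0,       # False rules out an aligned vector load
    }


def shadow_address(addr):
    """Shadow byte ASan consulted for addr; compare with the '=>' row of the report."""
    return (addr >> SHADOW_SCALE) + SHADOW_OFFSET


def repro_command(info, binary="./opencv_test_imgproc",
                  symbolizer="/usr/lib/llvm-3.8/bin/llvm-symbolizer"):
    """Command to rerun only the failing test with symbolized frames.

    --gtest_filter is standard GoogleTest; ASAN_SYMBOLIZER_PATH and
    ASAN_OPTIONS are standard ASan knobs. The symbolizer path is an assumption.
    """
    env = "ASAN_SYMBOLIZER_PATH=%s ASAN_OPTIONS=symbolize=1" % symbolizer
    return "%s %s --gtest_filter=%s" % (env, binary, info["test"])


def addr2line_command(info):
    """Offline alternative: map module+offset of frame #0 to a (demangled) symbol."""
    return "addr2line -f -C -e %s 0x%x" % (info["frame0_module"], info["frame0_offset"])


if __name__ == "__main__":
    info = parse_report(ASAN_REPORT)
    geo = access_geometry(info, elem_size=8)
    print("test:", info["test"])
    print("%s of %d bytes at 0x%x" % (info["kind"], info["size"], info["addr"]))
    print("region: %d bytes = %d doubles" % (geo["region_bytes"], geo["region_elems"]))
    print("access covers bytes %d..%d past the end (%d bytes in bounds)" % (
        geo["access_start_past_end"], geo["access_end_past_end"] - 1, geo["bytes_in_bounds"]))
    print("shadow byte for region end: 0x%x" % shadow_address(info["region_hi"]))
    print(repro_command(info))
    print(addr2line_command(info))
```

Run on the excerpt, it reports that the 16-byte read starts 7 bytes past the end of a 2520-byte region (315 doubles, so the first byte touched belongs to element index 315, one past the last), that no byte of the access is in bounds, and that the shadow byte for the region end is 0x0c3c800e31cb, which is exactly the `[fa]` in the highlighted row above. Two caveats when reading the raw report: the frames appear as module+offset because the runtime had no symbolizer, so either rerun with `ASAN_SYMBOLIZER_PATH` set as in the first printed command or feed the offset to `addr2line` as in the second (a Release build may give function names but no line numbers); and the bytes past the region are `fa` rather than the legend's `fb`, which is normal for ASan's allocator, since it marks both redzones of a chunk with the left-redzone byte, so `fa` after a region end still means an overflow past this buffer.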