imgproc: OOB in resize(), 3 channels, INTER_LINEAR #16137
Description
relates #15257
Reproducer:
Mat src(Size(640, 480), CV_8UC3, Scalar::all(0));
Mat dst;
resize(src, dst, Size(1280, 720), 0, 0, INTER_LINEAR);
Details:
Reproducer (Linux): https://github.com/alalek/opencv/commits/reproducer_16137 (2 commits)
GDB log (x86_64)
CMake flags: -DCMAKE_BUILD_TYPE=Debug
$ ./bin/opencv_test_imgproc --test_threads=1 --gtest_filter=*16137
...
[ RUN ] Imgproc_resize.regression_16137
...
Thread 1 "opencv_test_img" received signal SIGSEGV, Segmentation fault.
0x00007ffff5e769ec in cv::hal_baseline::v_load_expand_q (ptr=0x7fffec156ffd "") at modules/core/include/opencv2/core/hal/intrin_sse.hpp:1899
1899 OPENCV_HAL_IMPL_SSE_EXPAND_Q(v_uint32x4, uchar, _v128_cvtepu8_epi32)
(gdb) bt
#0 0x00007ffff5e769ec in cv::hal_baseline::v_load_expand_q(unsigned char const*) (ptr=0x7fffec156ffd "") at modules/core/include/opencv2/core/hal/intrin_sse.hpp:1899
#1 0x00007ffff6134fd9 in cv::HResizeLinearVecU8_X4::operator()(unsigned char const**, unsigned char**, int, int const*, unsigned char const*, int, int, int, int, int) const
(this=0x7fffffffb833, src=0x7fffffffb9b8, _dst=0x7fffffffb938, count=1, xofs=0x138e130, _alpha=0x1392870 "", cn=3, xmax=3837) at modules/imgproc/src/resize.cpp:1659
#2 0x00007ffff61682b9 in cv::HResizeLinear<unsigned char, int, short, 2048, cv::HResizeLinearVecU8_X4>::operator()(unsigned char const**, int**, int, int const*, short const*, int, int, int, int, int) const
(this=0x7fffffffbe6b, src=0x7fffffffb9b8, dst=0x7fffffffb938, count=1, xofs=0x138e130, alpha=0x1392870, swidth=1920, dwidth=3840, cn=3, xmin=3, xmax=3837) at modules/imgproc/src/resize.cpp:1815
#3 0x00007ffff615f97a in cv::resizeGeneric_Invoker<cv::HResizeLinear<unsigned char, int, short, 2048, cv::HResizeLinearVecU8_X4>, cv::VResizeLinear<unsigned char, int, short, cv::FixedPtCast<int, unsigned char, 22>, cv::VResizeLinearVec_32s8u> >::operator()(cv::Range const&) const (this=0x7fffffffbfd0, range=...) at modules/imgproc/src/resize.cpp:2152
#4 0x00007ffff4e4feeb in parallel_for_impl(cv::Range const&, cv::ParallelLoopBody const&, double) (range=..., body=..., nstripes=14.0625) at modules/core/src/parallel.cpp:563
#5 0x00007ffff4e4fcd5 in cv::parallel_for_(cv::Range const&, cv::ParallelLoopBody const&, double) (range=..., body=..., nstripes=14.0625) at modules/core/src/parallel.cpp:471
#6 0x00007ffff613e027 in cv::resizeGeneric_<cv::HResizeLinear<unsigned char, int, short, 2048, cv::HResizeLinearVecU8_X4>, cv::VResizeLinear<unsigned char, int, short, cv::FixedPtCast<int, unsigned char, 22>, cv::VResizeLinearVec_32s8u> >(cv::Mat const&, cv::Mat&, int const*, void const*, int const*, void const*, int, int, int) (src=..., dst=..., xofs=0x138e130, _alpha=0x1392870, yofs=0x1391d30, _beta=0x1396470, xmin=3, xmax=3837, ksize=2)
at modules/imgproc/src/resize.cpp:2189
#7 0x00007ffff613c4d3 in cv::hal::resize(int, unsigned char const*, unsigned long, int, int, unsigned char*, unsigned long, int, int, double, double, int)
(src_type=16, src_data=0x7fffec076000 "", src_step=1920, src_width=640, src_height=480, dst_data=0x7fffe17cf000 "", dst_step=3840, dst_width=1280, dst_height=720, inv_scale_x=2, inv_scale_y=1.5, interpolation=1)
at modules/imgproc/src/resize.cpp:4014
#8 0x00007ffff613ccf2 in cv::resize(cv::_InputArray const&, cv::_OutputArray const&, cv::Size_<int>, double, double, int) (_src=..., _dst=..., dsize=..., inv_scale_x=2, inv_scale_y=1.5, interpolation=1)
at modules/imgproc/src/resize.cpp:4067
#9 0x00000000006c0dc4 in opencv_test::(anonymous namespace)::Imgproc_resize_regression_16137_Test::Body() (this=0x1329da0) at modules/imgproc/test/test_imgwarp.cpp:1916
...
(gdb) disassemble
Dump of assembler code for function cv::hal_baseline::v_load_expand_q(unsigned char const*):
0x00007ffff5e769de <+0>: sub $0x58,%rsp
0x00007ffff5e769e2 <+4>: mov %rdi,0x8(%rsp)
0x00007ffff5e769e7 <+9>: mov 0x8(%rsp),%rax
=> 0x00007ffff5e769ec <+14>: mov (%rax),%eax
0x00007ffff5e769ee <+16>: mov %eax,0x4c(%rsp)
...
(gdb) p/x $rax
$1 = 0x7fffec156ffd
(gdb) f 1
#1 0x00007ffff6134fd9 in cv::HResizeLinearVecU8_X4::operator() (this=0x7fffffffb833, src=0x7fffffffb9b8, _dst=0x7fffffffb938, count=1, xofs=0x138e130, _alpha=0x1392870 "", cn=3, xmax=3837)
at modules/imgproc/src/resize.cpp:1659
1659 v_store(&D[dx], v_dotprod(v_reinterpret_as_s16(v_load_expand_q(S+xofs[dx]) | (v_load_expand_q(S+xofs[dx]+cn)<<16)), a));
(gdb) p S+xofs[dx]+cn
$2 = (const uchar *) 0x7fffec156ffd ""
(gdb) p S
$3 = (const uchar *) 0x7fffec156880 ""
(gdb) p xofs[dx]
$4 = 1914
(gdb) p cn
$5 = 3
(gdb) p dx
$6 = 3831
Valgrind
==13792== Invalid read of size 4
==13792== at 0x565EF2B: _mm_set_epi32 (emmintrin.h:603)
==13792== by 0x565EF2B: _mm_cvtsi32_si128 (emmintrin.h:1503)
==13792== by 0x565EF2B: v_load_expand_q (intrin_sse.hpp:1899)
==13792== by 0x565EF2B: cv::HResizeLinearVecU8_X4::operator()(unsigned char const**, unsigned char**, int, int const*, unsigned char const*, int, int, int, int, int) const (resize.cpp:1659)
==13792== by 0x565F8FA: operator() (resize.cpp:1815)
==13792== by 0x565F8FA: cv::resizeGeneric_Invoker<cv::HResizeLinear<unsigned char, int, short, 2048, cv::HResizeLinearVecU8_X4>, cv::VResizeLinear<unsigned char, int, short, cv::FixedPtCast<int, unsigned char, 22>, cv::VResizeLinearVec_32s8u> >::operator()(cv::Range const&) const (resize.cpp:2152)
==13792== by 0x5BB1E3B: parallel_for_impl (parallel.cpp:498)
==13792== by 0x5BB1E3B: cv::parallel_for_(cv::Range const&, cv::ParallelLoopBody const&, double) (parallel.cpp:471)
==13792== by 0x56552CE: void cv::resizeGeneric_<cv::HResizeLinear<unsigned char, int, short, 2048, cv::HResizeLinearVecU8_X4>, cv::VResizeLinear<unsigned char, int, short, cv::FixedPtCast<int, unsigned char, 22>, cv::VResizeLinearVec_32s8u> >(cv::Mat const&, cv::Mat&, int const*, void const*, int const*, void const*, int, int, int) (resize.cpp:2189)
==13792== by 0x56617B2: cv::hal::resize(int, unsigned char const*, unsigned long, int, int, unsigned char*, unsigned long, int, int, double, double, int) (resize.cpp:4014)
==13792== by 0x566212D: cv::resize(cv::_InputArray const&, cv::_OutputArray const&, cv::Size_<int>, double, double, int) (resize.cpp:4067)
==13792== by 0x5662365: cvResize (resize.cpp:4076)
==13792== by 0x21AD61: opencv_test::(anonymous namespace)::CV_ResizeTest::run_func() (test_imgwarp.cpp:262)
==13792== by 0x267B43: cvtest::BaseTest::run(int) (ts.cpp:361)
==13792== by 0x265B75: cvtest::BaseTest::safe_run(int) (ts.cpp:300)
==13792== by 0x22161A: opencv_test::(anonymous namespace)::Imgproc_Resize_accuracy_Test::Body() (test_imgwarp.cpp:1614)
==13792== by 0x22052B: opencv_test::(anonymous namespace)::Imgproc_Resize_accuracy_Test::TestBody() (test_imgwarp.cpp:1614)
==13792== Address 0x1b155b8d is 333 bytes inside a block of size 336 alloc'd
==13792== at 0x4C31E76: memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13792== by 0x4C31F91: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==13792== by 0x5A2E94E: cv::fastMalloc(unsigned long) (alloc.cpp:135)
==13792== by 0x5A2EAA2: cvAlloc (alloc.cpp:226)
==13792== by 0x5A58307: cvCreateData (array.cpp:832)
==13792== by 0x5A5E9DD: cvCreateImage (array.cpp:2903)
==13792== by 0x26EC2F: cvtest::ArrayTest::prepare_test_case(int) (ts_arrtest.cpp:190)
==13792== by 0x22D6C3: opencv_test::(anonymous namespace)::CV_ImgWarpBaseTest::prepare_test_case(int) (test_imgwarp.cpp:123)
==13792== by 0x267B20: cvtest::BaseTest::run(int) (ts.cpp:354)
==13792== by 0x265B75: cvtest::BaseTest::safe_run(int) (ts.cpp:300)
==13792== by 0x22161A: opencv_test::(anonymous namespace)::Imgproc_Resize_accuracy_Test::Body() (test_imgwarp.cpp:1614)
==13792== by 0x22052B: opencv_test::(anonymous namespace)::Imgproc_Resize_accuracy_Test::TestBody() (test_imgwarp.cpp:1614)```
</details>