cv::rectangle with very large cv::Rect triggers undefined behavior sanitizer

[vrabaud]

System information (version)

• OpenCV => 4.5.4
• Operating System / Platform => Linux
• Compiler => clang 12

Detailed description

cv::rectangle with a cv::Rect where x and width are std::numeric_limits::max() creates a problem because it calls Rect::br() which overflows (x+width does not fit in an int and overflows).
The external call to cv::rectangle is still valid, the internal call to cv::Rect::br() not. What should be the proper solution ?

• not allow the creation of a cv::Rect with such big values because br() (and area() ) will overflow ?
• only warn of overflows when calling br() ?
• have br() return std::numeric_limits::max() ? (probably not desirable because inaccurate, then again what is returned now is wrong)
• create a safe_br() function that caps and not overflows ?
• only fix cv::rectangle for now. Then again, other functions will probably fail.

Issue submission checklist

• I report the issue, it's not a question
• I checked the problem with documentation, FAQ, open issues,
  forum.opencv.org, Stack Overflow, etc and have not found solution
• I updated to latest OpenCV version and the issue is still there

[alalek]

OpenCV should stay efficient library. At least in Release mode.
Overflow limitations of integer arithmetic are well known in C++ world. So all of this is expected.

There is always some space of undocumented behavior for some input values. Like cvRound(1e30) => INT_MIN.

[alalek]

IMHO, OpenCV don't need RectOfIntegersSafeAndSecure. Again, OpenCV should be efficient.

We just need to document and declare that used values for Rect should not exceed some threshold, which would be enough for CV tasks. Exceeding threshold may lead to undefined behavior due to integer overflows/underflows.

Creation of Rect rc(0,0, std::numeric_limits::max(), std::numeric_limits::max()); should be considered as wrong.
Instead of std::numeric_limits::max() use processed frame dimension values.

Other "advanced usages" should go to floating-point computations with its own rules and tricks like Inf/NaNs.

[vpisarev]

@vrabaud, if I remember our conversation correctly, in the case when a rectangle needs to be checked for emptiness, Rect::empty() should be used.

In general, it's recommended not to create a rectangle with extreme coordinate values

[vrabaud]

@vpisarev, the function actually uses br(), cf

opencv/modules/imgproc/src/drawing.cpp

Line 1870 in 02f0887

rectangle( img, rec.tl(), rec.br() - Point(1<<shift,1<<shift),

I agree that it should be considered as wrong and can be documented as such. Then again, somebody will do it at some point, and most likely for malicious purposes. If we can make OpenCV safer and not compromise the speed, we should do it imho.

What I am proposing here is to simply crop the input rectangle to just around the input image using the safe operator&= from #21074 and then proceed as usual. The cropping speed impact is little compared to the complexity of drawing a line.

[seanm]

Or at the very least an assert could be added to catch this issue when creating a crazy rectangle. Then Release mode efficiency is unaffected, but the programmer is still informed of his error as early as possible.