FileStorage constructor: BufferOverflow #21851
Description
System information (version)
- OpenCV => commit: b2e20a8
- Operating System / Platform => ubuntu 18.04
- Compiler => clang++ 10.0.1
Detailed description
Steps to reproduce
##### Issue submission checklist
- [X] I report the issue, it's not a question
<!--
OpenCV team works with forum.opencv.org, Stack Overflow and other communities
to discuss problems. Tickets with questions without a real issue statement will be
closed.
-->
- [ X] I checked the problem with documentation, FAQ, open issues,
forum.opencv.org, Stack Overflow, etc and have not found any solution
<!--
Places to check:
* OpenCV documentation: https://docs.opencv.org
* FAQ page: https://github.com/opencv/opencv/wiki/FAQ
* OpenCV forum: https://forum.opencv.org
* OpenCV issue tracker: https://github.com/opencv/opencv/issues?q=is%3Aissue
* Stack Overflow branch: https://stackoverflow.com/questions/tagged/opencv
-->
- [X ] I updated to the latest OpenCV version and the issue is still there
<!--
master branch for OpenCV 4.x and 3.4 branch for OpenCV 3.x releases.
OpenCV team supports only the latest release for each branch.
The ticket is closed if the problem is not reproduced with the modern version.
-->
- [X ] There is reproducer code and related data files: videos, images, onnx, etc
<!--
The best reproducer -- test case for OpenCV that we can add to the library.
Recommendations for media files and binary files:
* Try to reproduce the issue with images and videos in opencv_extra repository
to reduce attachment size
* Use PNG for images, if you report some CV related bug, but not image reader
issue
* Attach the image as an archive to the ticket, if you report some reader issue.
Image hosting services compress images and it breaks the repro code.
* Provide ONNX file for some public model or ONNX file with random weights,
if you report ONNX parsing or handling issue. Architecture details diagram
from netron tool can be very useful too. See https://lutzroeder.github.io/netron/
-->
Reproduce code
#include "opencv2/core.hpp"
using namespace cv;
std::string Input1 { 0x00, 0x2f, 0x4a, 0x4a, 0x50, 0x4a, 0x4a };
std::string Input1Path = "Input1";
void assign_file(const char *Path, const char *Data, unsigned Size) {
if (!Path)
return;
FILE *FP = fopen(Path, "wb");
if (!FP)
return;
fwrite(Data, Size, 1, FP);
fclose(FP);
}
int main(int argc, char* argv[]) {
assign_file(Input1Path.c_str(), Input1.c_str(), Input1.size());
try {
FileStorage fs(Input1Path, FileStorage::READ); // Crash
} catch(std::exception &E) {}
return 0;
}
Build steps to opencv
mkdir -p build && cd build
cmake -DBUILD_SHARED_LIBS=OFF -DOPENCV_ENABLE_ALLOCATOR_STATS=OFF -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_AR=/bin/llvm-ar -DCMAKE_C_FLAGS="-fsanitize=address,fuzzer-no-link -fno-omit-frame-pointer -g" -DCMAKE_CXX_FLAGS="-fsanitize=address,fuzzer-no-link -fno-omit-frame-pointer -g" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address,fuzzer-no-link -fno-omit-frame-pointer -g" -DCMAKE_SHARED_LINKER_FLAGS="-fsanitize=address,fuzzer-no-link -fno-omit-frame-pointer -g" ..
make -j16
Reason
persistence.cpp 812~825
for (;;) {
int count = (int) std::min(buffer.size() - ofs - 16, maxCount);
char *ptr = getsFromFile(&buffer[ofs], count + 1); // buffer is { 0x00, 0x2f, 0x4a, 0x4a, 0x50, 0x4a, 0x4a }, ptr points 0x00
if (!ptr)
break;
int delta = (int) strlen(ptr); // delta is 0
ofs += delta;
maxCount -= delta;
if (ptr[delta - 1] == '\n' || maxCount == 0) // ptr[delta - 1]: ptr[-1] -> heap buffer overflow
break;
if (delta == count)
buffer.resize((size_t) (buffer.size() * 1.5));
}
return ofs > 0 ? &buffer[0] : 0;
Address Sanitizer Report
==13614==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000003cf at pc 0x0000004e06eb bp 0x7ffeb04ab1d0 sp 0x7ffeb04ab1c8
READ of size 1 at 0x6040000003cf thread T0
#0 0x4e06ea in cv::FileStorage::Impl::gets(unsigned long) /root/fuzz-test-generation/exp/opencv/modules/core/src/persistence.cpp:820:13
#1 0x4d6e15 in cv::FileStorage::Impl::open(char const*, int, char const*) /root/fuzz-test-generation/exp/opencv/modules/core/src/persistence.cpp:680:27
#2 0x4fb9a8 in cv::FileStorage::FileStorage(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /root/fuzz-test-generation/exp/opencv/modules/core/src/persistence.cpp:1850:18
#3 0x4cbdda in main (/root/fuzz-test-generation/exp/opencv/fuzzer/filestorage/crash1/crash1+0x4cbdda)
#4 0x7fdd17053bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
#5 0x421429 in _start (/root/fuzz-test-generation/exp/opencv/fuzzer/filestorage/crash1/crash1+0x421429)
0x6040000003cf is located 1 bytes to the left of 40-byte region [0x6040000003d0,0x6040000003f8)
allocated by thread T0 here:
#0 0x4c92dd in operator new(unsigned long) (/root/fuzz-test-generation/exp/opencv/fuzzer/filestorage/crash1/crash1+0x4c92dd)
#1 0x4cf226 in __gnu_cxx::new_allocator<char>::allocate(unsigned long, void const*) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/ext/new_allocator.h:111:27
#2 0x4cf226 in std::allocator_traits<std::allocator<char> >::allocate(std::allocator<char>&, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/alloc_traits.h:436:20
#3 0x4cf226 in std::_Vector_base<char, std::allocator<char> >::_M_allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_vector.h:172:20
#4 0x4cf226 in std::vector<char, std::allocator<char> >::_M_default_append(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/vector.tcc:571:34
#5 0x4cf226 in std::vector<char, std::allocator<char> >::resize(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_vector.h:692:4
#6 0x4d6b59 in cv::FileStorage::Impl::open(char const*, int, char const*) /root/fuzz-test-generation/exp/opencv/modules/core/src/persistence.cpp:671:16
#7 0x4fb9a8 in cv::FileStorage::FileStorage(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /root/fuzz-test-generation/exp/opencv/modules/core/src/persistence.cpp:1850:18
#8 0x4cbdda in main (/root/fuzz-test-generation/exp/opencv/fuzzer/filestorage/crash1/crash1+0x4cbdda)
#9 0x7fdd17053bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/fuzz-test-generation/exp/opencv/modules/core/src/persistence.cpp:820:13 in cv::FileStorage::Impl::gets(unsigned long)
Shadow bytes around the buggy address:
0x0c087fff8020: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
0x0c087fff8030: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
0x0c087fff8040: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
0x0c087fff8050: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
0x0c087fff8060: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
=>0x0c087fff8070: fa fa fd fd fd fd fd fd fa[fa]00 00 00 00 00 fa
0x0c087fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==13614==ABORTING
Effect
This bug may cause security vulnerability by reading invalid memory address.