imwrite() with params which has odd elements may make out-of-boundary memory access .

[Kumataro]

System Information

OpenCV version: 4.x
Operating System / Platform: Ubuntu 22.10
Compiler & compiler version: GCC 12.2.0

Detailed description

This is a low priority issue due to a user implementation error.
However, as compilers and libraries improve, this problem will occur some compile/runtime errors.

What is problem.

The params for imwrite() is expected to store even number integer array .

https://docs.opencv.org/4.x/d4/da8/group__imgcodecs.html#gabbc7ef1aa2edfaa87772f1202d67e0ce

params Format-specific parameters encoded as pairs (paramId_1, paramValue_1, paramId_2, paramValue_2, ... .) see cv::ImwriteFlags

params = [ IMWRITE_JPEG_QUALITY, 100, IMWRITE_JPEG_xxxx, yyy ] ;

(All or almost) decoder believe this condition must be kept.

opencv/modules/imgcodecs/src/grfmt_jpeg.cpp

Lines 643 to 654 in 21133a2

	for( size_t i = 0; i < params.size(); i += 2 )
	{
	if( params[i] == IMWRITE_JPEG_QUALITY )
	{
	quality = params[i+1];
	quality = MIN(MAX(quality, 0), 100);
	}
	if( params[i] == IMWRITE_JPEG_PROGRESSIVE )
	{
	progressive = params[i+1];
	}

However, if user-application breaks this condition, those codecs makes out-of-boundary memory access.

For example, params has only 1 ID which is interesting by codec..

params = [ IMWRITE_JPEG_QUALITY };

step 1. i = 0
step 2. if ( i < params.size() ) -> true.
step 3. if( params[i] == IMWRITE_JPEG_QUALITY ) -> true 
step 4. quality = params[i+1];   // out-of-boundary

error log

[ RUN      ] Imgcodecs.write_parameter_length
==103191== Invalid read of size 4
==103191==    at 0x48A6D80: cv::JpegEncoder::write(cv::Mat const&, std::vector<int, std::allocator<int> > const&) (grfmt_jpeg.cpp:647)
==103191==    by 0x487ED7A: cv::imwrite_(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::vector<cv::Mat, std::allocator<cv::Mat> > const&, std::vector<int, std::allocator<int> > const&, bool) (loadsave.cpp:xxx)
==103191==    by 0x487F48F: cv::imwrite(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, cv::_InputArray const&, std::vector<int, std::allocator<int> > const&) (loadsave.cpp:xxx)

(sorry, loadsave.cpp is modified to investigate. so line number is invalid.)

How to fix

I think it is better to check in imwrite_() and imencode() at loadsave.cpp. And imencode() shoule be add CV_Assert(params.size() <= CV_IO_MAX_IMAGE_PARAMS*2);,

opencv/modules/imgcodecs/src/loadsave.cpp

Lines 716 to 721 in 21133a2

	}
	encoder->setDestination( filename );
	CV_Assert(params.size() <= CV_IO_MAX_IMAGE_PARAMS*2);
	bool code = false;
	try

opencv/modules/imgcodecs/src/loadsave.cpp

Lines 1083 to 1109 in 21133a2

	bool imencode( const String& ext, InputArray _image,
	std::vector<uchar>& buf, const std::vector<int>& params )
	{
	CV_TRACE_FUNCTION();
	Mat image = _image.getMat();
	CV_Assert(!image.empty());
	int channels = image.channels();
	CV_Assert( channels == 1 || channels == 3 || channels == 4 );
	ImageEncoder encoder = findEncoder( ext );
	if( !encoder )
	CV_Error( Error::StsError, "could not find encoder for the specified extension" );
	if( !encoder->isFormatSupported(image.depth()) )
	{
	CV_Assert( encoder->isFormatSupported(CV_8U) );
	Mat temp;
	image.convertTo(temp, CV_8U);
	image = temp;
	}
	bool code;
	if( encoder->setDestination(buf) )
	{
	code = encoder->write(image, params);

I feels that it is not bad idea to add CV_Assert( (params.count() % 2) == 0 ) .

Steps to reproduce

sample code

/**
 * $ g++ main.cpp -o a,out -I /usr/local/include/opencv4 -lopencv_core -lopencv_imgcodecs
 * $ valgrind ./a.out
 */
#include <opencv2/core.hpp>
#include <opencv2/imgcodecs.hpp>

#include <string>
#include <vector>

using namespace std;
using namespace cv;
int main(void)
{
    const Mat img( 16, 16, CV_8UC3, cv::Scalar::all(0) );
    vector<int> params;
    params.push_back(IMWRITE_JPEG_QUALITY);
//  params.push_back(100)); // Forget it.
    cv::imwrite("test.jpg", img, params);
}

Issue submission checklist

• I report the issue, it's not a question
• I checked the problem with documentation, FAQ, open issues, forum.opencv.org, Stack Overflow, etc and have not found any solution
• I updated to the latest OpenCV version and the issue is still there
• There is reproducer code and related data files (videos, images, onnx, etc)

[Kumataro]

Could you give me some advice?

HDR encoder has problem which it does not treat params as ID and VALUE pair.

So if simply add CV_Assert( (params.count() % 2) == 0 ) in loadsave.cpp, regression test for hdr will be failed.

opencv/modules/imgcodecs/src/grfmt_hdr.cpp

Lines 144 to 158 in 21133a2

	CV_Assert(params.empty() || params[0] == HDR_NONE || params[0] == HDR_RLE);
	FILE *fout = fopen(m_filename.c_str(), "wb");
	if(!fout) {
	return false;
	}
	RGBE_WriteHeader(fout, img.cols, img.rows, NULL);
	if(params.empty() || params[0] == HDR_RLE) {
	RGBE_WritePixels_RLE(fout, const_cast<float*>(img.ptr<float>()), img.cols, img.rows);
	} else {
	RGBE_WritePixels(fout, const_cast<float*>(img.ptr<float>()), img.cols * img.rows);
	}
	fclose(fout);
	return true;

opencv/modules/imgcodecs/test/test_grfmt.cpp

Lines 335 to 361 in 21133a2

	#ifdef HAVE_IMGCODEC_HDR
	TEST(Imgcodecs_Hdr, regression)
	{
	string folder = string(cvtest::TS::ptr()->get_data_path()) + "/readwrite/";
	string name_rle = folder + "rle.hdr";
	string name_no_rle = folder + "no_rle.hdr";
	Mat img_rle = imread(name_rle, -1);
	ASSERT_FALSE(img_rle.empty()) << "Could not open " << name_rle;
	Mat img_no_rle = imread(name_no_rle, -1);
	ASSERT_FALSE(img_no_rle.empty()) << "Could not open " << name_no_rle;
	double min = 0.0, max = 1.0;
	minMaxLoc(abs(img_rle - img_no_rle), &min, &max);
	ASSERT_FALSE(max > DBL_EPSILON);
	string tmp_file_name = tempfile(".hdr");
	vector<int>param(1);
	for(int i = 0; i < 2; i++) {
	param[0] = i;
	imwrite(tmp_file_name, img_rle, param);
	Mat written_img = imread(tmp_file_name, -1);
	ASSERT_FALSE(written_img.empty()) << "Could not open " << tmp_file_name;
	minMaxLoc(abs(img_rle - written_img), &min, &max);
	ASSERT_FALSE(max > DBL_EPSILON);
	}
	remove(tmp_file_name.c_str());
	}
	#endif

It seems that this params for hdr is not documented.

https://docs.opencv.org/4.x/d8/d6a/group__imgcodecs__flags.html#ga292d81be8d76901bff7988d18d2b42ac

We have some options.

• Option0) Do nothing. imwrite params length will not be checked.
• Option1) From OpenCV4 or OpenCV5 , fix it to introduce IMWRITE_HDR_COMPRESSION.
• Option2) Each encoder checks for ( (params.size() % 2) == 0 ). HDR doesn't do it.
• Option3) Add m_params_is_specificed in BaseImageEncoder, and loadsave.cpp determine to check params.count() . HDR Encoder sets it true.

I think, Option 1 is difficult to judge because it will be lost back-compatibility. However, HDR parameters were not documented in OpenCV documents. It is also possible to determine that there is no problem.

[dan-masek]

Some thoughts (I'm not a maintainer tho):

For next major release, it would probably be a good idea to standardize the parameters to always be in pairs. There were many breaking changes in previous major releases, so that shouldn't be an issue, IMHO.

Meanwhile, how about adding a virtual validateParams() in BaseImageEncoder with a default implementation that requires pairs. Then HDR codec can override that and handle its current peculiar usage.

Maybe some wrapper around the params vector (at least a few functions) to implement safe and consistent parameter access (as opposed to each codec doing all the checking etc. over and over again) wouldn't hurt (and then rewrite the codecs to use those).

[Kumataro]

With the method you suggested, compatibility with previous versions will be kept. Thank you for your comment!

I believe that the following countermeasures are good.

[For OpenCV4/5]

• Add IMWRITE_HDR_COMPRESSION to indicate the compression method for HDR images.
• Add varidateParams() member function into encoders.
  • HDR Encoder validates that the number of elements in params is 1 or even.
  • Other encoders validates that the number of elements in params is even.
• Keep imwrite() API and documentation.

[alalek]

@Kumataro Thank you for the investigation and proposals!

OpenCV team has an agreement to update HDR encoder implementation to support parameters as "key-value" pairs.
I will prepare a PR with migration and checks.

[alalek]

Please take a look on this PR: #22830

[Kumataro]

I have completed the code review and added some comment.
Thank you very much !

[asmorkalov]

merged to 3.4.