Skip to content

Out-of-bounds read in cvt_ in convert.simd.hpp #28396

New issue
New issue
Closed
#28397
Closed
Out-of-bounds read in cvt_ in convert.simd.hpp#28396
#28397
Labels
bugcategory: core
Milestone
4.14.0
@SamiKalliomaki

Description

@SamiKalliomaki
SamiKalliomaki
opened on Jan 12, 2026

System Information

WASM with 128-bit SIMD

Detailed description

While running some of our code through ASAN, I noticed an out-of-bounds read in cvt_ in convert.simd.hpp.

The error looks to be in these lines of code:

opencv/modules/core/src/convert.simd.hpp

Lines 113 to 125 in d8bc5b9

const int VECSZ = VTraits<_Twvec>::vlanes()*2;
for( ; j < size.width; j += VECSZ )
{
if( j > size.width - VECSZ )
{
if( j == 0 || src == (_Ts*)dst )
break;
j = size.width - VECSZ;
}
_Twvec v0, v1;
vx_load_pair_as(src + j, v0, v1);
v_store_pair_as(dst + j, v0, v1);
}

The value of VECSZ is defined based on the vlanes of the source type. But when converting e.g. 8-bit uints to 32-bit floats on 128-bit SIMD system, vlanes for f32 is 4 while the vlanes for uint8 is 16.

The later line vx_load_pair_as ends up reading 32 elements from source array while we only verified in the if-statement above that 8 elements are available. This leads to a out-of-bound read unless the width of source array is divisible by 32.

Steps to reproduce

uint8_matrix.convertTo(f32_matrix, CV_32FC1);

Issue submission checklist

  • I report the issue, it's not a question
  • I checked the problem with documentation, FAQ, open issues, forum.opencv.org, Stack Overflow, etc and have not found any solution
  • I updated to the latest OpenCV version and the issue is still there
  • There is reproducer code and related data files (videos, images, onnx, etc)

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugcategory: core

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions