Fix ORB integer overflow

[AleksandrPanov]

Fixes opencv/opencv-python#537 "segmentation fault using ORB"

• Problem in HarrisResponses(const Mat& img, const std::vector& layerinfo, std::vector& pts, int blockSize, float harris_k) from orb.cpp
• An integer overflow has occurred in this line:
  const uchar* ptr0 = ptr00 + (y0 - r + layerinfo[z].y)*step + x0 - r + layerinfo[z].x;
• To fix this problem, integer variable step was declared as size_t.
• Also I ran performance tests: PERF_TEST_P(feature2d, detectAndExtract, testing::Combine(testing::Values(DETECTORS_EXTRACTORS), TEST_IMAGES))
  And the performance remained almost unchanged:
  test_new_version.txt
  test_old_version.txt

Pull Request Readiness Checklist

See details at https://github.com/opencv/opencv/wiki/How_to_contribute#making-a-good-pull-request

• I agree to contribute to the project under Apache 2 License.
• To the best of my knowledge, the proposed patch is not based on a code under GPL or other license that is incompatible with OpenCV
• The PR is proposed to proper branch
• There is reference to original bug report and related work
• There is accuracy test, performance test and test data in opencv_extra repository, if applicable
  Patch to opencv_extra has the same branch name.
• The feature is well documented and sample code can be built with the project CMake

[alalek]

Thank you!

[alalek]

BTW, This would not help for 32-bit builds (sizeof(size_t) == 4).
We don't really want to support them (due to limited of available memory for such configuration).
So could you please to add CV_Check to catch overflow case below.

[AleksandrPanov]

integer overflow happens here:
const uchar* ptr0 = ptr00 + (y0 - r + layerinfo[z].y)*step + x0 - r + layerinfo[z].x;

ptr00 is pointer to begin image, (y0 - r + layerinfo[z].y)*step + x0 - r + layerinfo[z].x is offset, and offset is less then image size.

Сan 32 bit systems create a image larger than max(size_t)?
// sizeof(size_t) == 4 byte, image has one CV_8U channel

[AleksandrPanov]

If a 32-bit system cannot create the image larger than max(size_t), then the offset will not overflow.

[alalek]

OK, probably it would fail earlier on image creation.

[alalek]

Apply tags in one call.

[AleksandrPanov]

thx, fixed

[alalek]

C++98 doesn't support initializer list. Use ctors:

Point point1(border + i * 100, border + i * 100);
Point point2(width - border - i * 100, height - border * i * 100);

---

Use Point instead of cv::Vec2i

[AleksandrPanov]

thx, fixed

[alalek]

Declare variable where are they used (this significantly increases code readability).
Right before detectAndCompute() call.

[AleksandrPanov]

thx, fixed

[alalek]

Please eliminate Windows warnings.

[AleksandrPanov]

Please eliminate Windows warnings.

There is problem in this lines:

int Ix = (ptr[1] - ptr[-1])*2 + (ptr[-step+1] - ptr[-step-1]) + (ptr[step+1] - ptr[step-1]);
int Iy = (ptr[step] - ptr[-step])*2 + (ptr[step-1] - ptr[-step-1]) + (ptr[step+1] - ptr[-step+1]);

size_t_step and offset added to fix this problem:

size_t offset = (y0 - r + layerinfo[z].y)*size_t_step + (x0 - r + layerinfo[z].x);
const uchar* ptr0 = ptr00 + offset;

step was defined as int again (added CV_Check to prevent overflow).

[alalek]

This check doesn't prevent overflow below with step+1 expressions.

BTW, UBSAN can detect these overflows, but it dislikes negative indexing.

[AleksandrPanov]

Thx, fixed:
CV_Check(size_t_step, size_t_step + 1 <= INT_MAX, "step in img > INT_MAX");

[alalek]

One more step usage is in ofs calculation.

BTW, step in test case is 25072

I will add commit with checks.

[alalek]

Thank you 👍