
Numeric truncation at tif_dirread.c:4386#23986

Merged
asmorkalov merged 1 commit into opencv:4.x from headshog:fix-numtrunc
Jul 27, 2023

Conversation

@headshog
Contributor

Hi! We've been fuzzing opencv with sydr-fuzz security predicates and we found a numeric truncation error in tif_dirread.c:4386.

In function TIFFReadDirectoryCheckOrder on line 4386, variable m has type uint16, and the structure TIFFDirEntry has a field uint16 tdir_tag. But on the right side of the operator there is a value of integer type (due to integer promotion), so numeric truncation may occur. Our tool found an input where o->tdir_tag is equal to 65535 (uint16_max), so the value o->tdir_tag+1 truncates to zero in variable m. Then m is used in the if operator on line 4380, and it is obvious that o->tdir_tag<m can't be true after truncation, so the break from the cycle will not occur even with a non-ascending order of tags. So we suggest changing the type int16_t of the variable m to type uint32.

Environment

How to reproduce this error

  1. Build docker container:

    sudo docker build -t oss-sydr-fuzz-opencv .
    
    
  2. Run docker container:

    sudo docker run --privileged --network host -v /etc/localtime:/etc/localtime:ro --rm -it -v $PWD:/fuzz oss-sydr-fuzz-opencv /bin/bash
    
    
  3. Run on the following input:

     /out/imread_fuzzer sydr_ce171c30cd94046b3233028c74c7fce1a956c7e1_num_trunc_0_unsigned.txt
    
    
  4. Output:

    /opencv/3rdparty/libtiff/tif_dirread.c:4386:5: runtime error: implicit conversion from type 'int' of value 65536 (32-bit, signed) to type 'uint16' (aka 'unsigned short') changed the value to 0 (16-bit, unsigned)
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /opencv/3rdparty/libtiff/tif_dirread.c:4386:5
    
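The truncation described above, as an added example that is not part of the original pull request or of libtiff's code. The two `check_order_*` functions below are a stand-in for the loop in TIFFReadDirectoryCheckOrder (the `DirEntry` struct, function names and tag arrays are constructed for illustration): the first keeps `m` as `uint16_t`, so `65535 + 1` is computed as `int` 65536 and is silently truncated to 0 on assignment; the second widens `m` to `uint32_t`, which is the fix the report proposes. The constructed input `tags_wrap` has a 65535 tag followed by a smaller tag, so it is out of order, but only the widened version reports it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for libtiff's TIFFDirEntry: only the tag matters here. */
typedef struct {
    uint16_t tdir_tag;
} DirEntry;

/*
 * Pre-fix shape of the ordering check (illustrative, not libtiff's code).
 * m is uint16_t; tdir_tag + 1 is promoted to int, and the assignment
 * back into m truncates 65536 to 0 when tdir_tag == 65535.
 * Returns 1 if a tag smaller than the running bound was seen, else 0.
 */
int check_order_u16(const DirEntry *dir, uint16_t dircount)
{
    uint16_t m = 0;
    for (uint16_t n = 0; n < dircount; n++) {
        if (dir[n].tdir_tag < m)
            return 1;                /* would be the warning + break */
        m = dir[n].tdir_tag + 1;     /* implicit int -> uint16_t truncation */
    }
    return 0;
}

/*
 * Fixed shape: m is uint32_t, so the bound after tag 65535 is 65536 and
 * any following 16-bit tag compares as smaller, as intended.
 */
int check_order_u32(const DirEntry *dir, uint16_t dircount)
{
    uint32_t m = 0;
    for (uint16_t n = 0; n < dircount; n++) {
        if (dir[n].tdir_tag < m)
            return 1;
        m = (uint32_t)dir[n].tdir_tag + 1;  /* 65536 fits without wrapping */
    }
    return 0;
}

/* Constructed directory contents (not taken from any real TIFF file). */
static const DirEntry tags_sorted[]   = { {256}, {257}, {65535} };      /* in order   */
static const DirEntry tags_unsorted[] = { {256}, {255} };               /* plainly out of order */
static const DirEntry tags_wrap[]     = { {256}, {65535}, {1} };        /* out of order via the wrap */

#define COUNT(a) ((uint16_t)(sizeof(a) / sizeof((a)[0])))

int main(void)
{
    printf("sorted   u16=%d u32=%d\n", check_order_u16(tags_sorted, COUNT(tags_sorted)),
                                       check_order_u32(tags_sorted, COUNT(tags_sorted)));
    printf("unsorted u16=%d u32=%d\n", check_order_u16(tags_unsorted, COUNT(tags_unsorted)),
                                       check_order_u32(tags_unsorted, COUNT(tags_unsorted)));
    /* Only the widened version notices that tag 1 follows tag 65535. */
    printf("wrap     u16=%d u32=%d\n", check_order_u16(tags_wrap, COUNT(tags_wrap)),
                                       check_order_u32(tags_wrap, COUNT(tags_wrap)));
    return 0;
}
```

Compiling the pre-fix variant with clang's `-fsanitize=implicit-conversion` reproduces the kind of report quoted above on the `m = dir[n].tdir_tag + 1;` line once a 65535 tag is processed; the widened variant produces no report because the addition is done in `uint32_t`.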

@asmorkalov
Contributor

OpenCV team usually does not accept patches for 3rdparty components. Could you send the patch to original repo. The fix will be promoted to OpenCV after TIFF release.

@headshog
Contributor Author

> OpenCV team usually does not accept patches for 3rdparty components. Could you send the patch to original repo. The fix will be promoted to OpenCV after TIFF release.

I've sent merge request to libtiff.
https://gitlab.com/libtiff/libtiff/-/merge_requests/512

@opencv-alalek opencv-alalek added this to the 4.9.0 milestone Jul 14, 2023
@headshog
Contributor Author

@asmorkalov @opencv-alalek Hi! Fix in LibTIFF was merged.
https://gitlab.com/libtiff/libtiff/-/merge_requests/512

@asmorkalov asmorkalov self-requested a review July 27, 2023 09:27
@asmorkalov asmorkalov self-assigned this Jul 27, 2023
Contributor

@asmorkalov asmorkalov left a comment


👍

@asmorkalov asmorkalov merged commit 5fc2564 into opencv:4.x Jul 27, 2023
@asmorkalov asmorkalov mentioned this pull request Jul 27, 2023