AcademySoftwareFoundation / OpenImageIO

Reading, writing, and processing images in a wide variety of file formats, using a format-agnostic API, aimed at VFX applications.
https://openimageio.readthedocs.org
Apache License 2.0

heap-buffer-overflow in dpx::WriteBuffer #1861

Open gy741 opened 6 years ago

gy741 commented 6 years ago

Hello.

I found a heap-buffer-overflow bug in oiio.

Please confirm.

Thanks.

OS: Ubuntu 17.04 64bit
Version: commit 5aef4903496c3c344f29613a3e8ce47a611f4774
PoC Download: OV_dpx__BaseTypeConverter.zip

Steps to reproduce:
1. Download the .POC files.
2. Compile the source code with ASan.
3. Execute the following command: ./oiiotool $POC -o null.dpx

=================================================================
==5172==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62c0000085c0 at pc 0x7fd7ae3c40cc bp 0x7fff3f91c2a0 sp 0x7fff3f91c290
READ of size 2 at 0x62c0000085c0 thread T0
    #0 0x7fd7ae3c40cb in dpx::BaseTypeConverter(unsigned short&, unsigned short&) /home/karas/oiio/src/dpx.imageio/libdpx/BaseTypeConverter.h:92
    #1 0x7fd7ae3c40cb in void dpx::MultiTypeBufferCopy<unsigned short, unsigned short>(unsigned short*, unsigned short*, int) /home/karas/oiio/src/dpx.imageio/libdpx/WriterInternal.h:72
    #2 0x7fd7ae3c40cb in void dpx::CopyWriteBuffer<unsigned short>(dpx::DataSize, unsigned char*, unsigned short*, int) /home/karas/oiio/src/dpx.imageio/libdpx/WriterInternal.h:82
    #3 0x7fd7ae3c40cb in int dpx::WriteBuffer<unsigned short, 10, true>(OutStream*, dpx::DataSize, void*, unsigned int, unsigned int, int, dpx::Packing, bool, bool, int, char*, bool&, bool) /home/karas/oiio/src/dpx.imageio/libdpx/WriterInternal.h:292
    #4 0x7fd7ae3bab3f in dpx::Writer::WriteElement(int, void*, dpx::DataSize) /home/karas/oiio/src/dpx.imageio/libdpx/Writer.cpp:316
    #5 0x7fd7ae348fc5 in OpenImageIO_v1_9::DPXOutput::write_buffer() /home/karas/oiio/src/dpx.imageio/dpxoutput.cpp:556
    #6 0x7fd7ae36643c in OpenImageIO_v1_9::DPXOutput::open(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, OpenImageIO_v1_9::ImageSpec const&, OpenImageIO_v1_9::ImageOutput::OpenMode) /home/karas/oiio/src/dpx.imageio/dpxoutput.cpp:196
    #7 0x4f9574 in output_file /home/karas/oiio/src/oiiotool/oiiotool.cpp:4733
    #8 0x7fd7adda2ef1 in OpenImageIO_v1_9::ArgOption::invoke_callback(int, char const**) const /home/karas/oiio/src/libutil/argparse.cpp:78
    #9 0x7fd7adda2ef1 in OpenImageIO_v1_9::ArgParse::parse(int, char const**) /home/karas/oiio/src/libutil/argparse.cpp:379
    #10 0x437419 in getargs /home/karas/oiio/src/oiiotool/oiiotool.cpp:5305
    #11 0x42a6eb in main /home/karas/oiio/src/oiiotool/oiiotool.cpp:5526
    #12 0x7fd7ab9e782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x42d8d8 in _start (/home/karas/oiio/run/tlr/usr/local/bin/oiiotool+0x42d8d8)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/karas/oiio/src/dpx.imageio/libdpx/BaseTypeConverter.h:92 dpx::BaseTypeConverter(unsigned short&, unsigned short&)
==5172==ABORTING

[Acknowledgement] This work was supported by ICT R&D program of MSIP/IITP. [R7518-16-1001, Innovation hub for high Performance Computing]
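As an added example (not part of this issue or of OpenImageIO's code), a small Python triage helper that parses an ASan report like the one above into structured fields and derives a deduplication key from the first project-source frames rather than from the faulting address, because ASan flagged this access as "wild" and such addresses are arbitrary. The embedded sample is the report from this issue with frames #3-#11 elided; the `/src/` path marker used to recognise project frames is an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the report from the issue above, frames #3-#11 elided.
SAMPLE_REPORT = """\
==5172==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62c0000085c0 at pc 0x7fd7ae3c40cc bp 0x7fff3f91c2a0 sp 0x7fff3f91c290
READ of size 2 at 0x62c0000085c0 thread T0
    #0 0x7fd7ae3c40cb in dpx::BaseTypeConverter(unsigned short&, unsigned short&) /home/karas/oiio/src/dpx.imageio/libdpx/BaseTypeConverter.h:92
    #1 0x7fd7ae3c40cb in void dpx::MultiTypeBufferCopy<unsigned short, unsigned short>(unsigned short*, unsigned short*, int) /home/karas/oiio/src/dpx.imageio/libdpx/WriterInternal.h:72
    #2 0x7fd7ae3c40cb in void dpx::CopyWriteBuffer<unsigned short>(dpx::DataSize, unsigned char*, unsigned short*, int) /home/karas/oiio/src/dpx.imageio/libdpx/WriterInternal.h:82
    #12 0x7fd7ab9e782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
AddressSanitizer can not describe address in more detail (wild memory access suspected).
"""

ERROR_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
FRAME_RE = re.compile(r"^\s*#(\d+) (0x[0-9a-f]+) in (.+?) (\S+)$")  # function text may contain spaces

@dataclass
class AsanReport:
    pid: int
    kind: str                      # e.g. heap-buffer-overflow
    address: str                   # faulting address as printed by ASan
    access: str = ""               # READ or WRITE
    size: int = 0                  # bytes accessed
    wild: bool = False             # ASan could not tie the address to any allocation
    frames: list = field(default_factory=list)  # (index, function, location) tuples

def parse_asan(text: str) -> AsanReport:
    """Parse the header, access line, stack frames and 'wild access' note of one ASan report."""
    report = None
    for line in text.splitlines():
        if (m := ERROR_RE.match(line)):
            report = AsanReport(int(m.group(1)), m.group(2), m.group(3))
        elif report is None:
            continue  # ignore anything printed before the ERROR header
        elif (m := ACCESS_RE.match(line)):
            report.access, report.size = m.group(1), int(m.group(2))
        elif (m := FRAME_RE.match(line)):
            report.frames.append((int(m.group(1)), m.group(3), m.group(4)))
        elif "wild memory access suspected" in line:
            report.wild = True
    if report is None:
        raise ValueError("no AddressSanitizer ERROR line found")
    return report

def crash_signature(report: AsanReport, src_marker: str = "/src/", depth: int = 3) -> tuple:
    """Dedup key: file:line of the first `depth` frames inside project source (assumed marker '/src/')."""
    sig = [loc.rsplit("/", 1)[-1] for _, _, loc in report.frames if src_marker in loc]
    return tuple(sig[:depth])
```

Two reports from different PoC files that share the same signature are very likely the same bug, even when their faulting addresses differ.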

lgritz commented 6 years ago

Yes, I'm able to reproduce. Looking into it...