AcademySoftwareFoundation / openexr

The OpenEXR project provides the specification and reference implementation of the EXR file format, the professional-grade image storage format of the motion picture industry.
http://www.openexr.com/
BSD 3-Clause "New" or "Revised" License

The exception occurs inside the call: ImfOpenInputFile(). #996

Open ConcoctionSec opened 3 years ago

ConcoctionSec commented 3 years ago

Operating system, version and so on

Ubuntu 18.04, 64bit

Project version

dev version, ImageMagick 7.0.11-5, git clone https://github.com/ImageMagick/ImageMagick.git

Description

When we execute the convert command in ImageMagick, ASAN reports the error allocation-size-too-big. We found that the flaw is within the OpenEXR delegate library, not ImageMagick. The exception occurs inside this call: ImfOpenInputFile(), an OpenEXR API call.

Steps to Reproduce

Command

Compile the ImageMagick:

$ CC="gcc" CXX="g++" ./configure --disable-shared  
$ make

Compile with ASAN:

$ CC="gcc" CXX="g++" CFLAGS="-g -fsanitize=address" ./configure --disable-shared
$ make

Please run the following command with the poc file. POC

$ magick convert $poc out.bmp

Result

The result of running without ASAN:

terminate called after throwing an instance of 'DJVU::GException'
Aborted (core dumped)

Information obtained by using ASAN:

=================================================================
==7081==ERROR: AddressSanitizer: requested allocation size 0xfffffffff1100700 (0xfffffffff1101700 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
    #0 0x7fdd66a06087 in operator new[](unsigned long) (/lib/x86_64-linux-gnu/libasan.so.6+0xb2087)
    #1 0x7fdd646e064f in Imf_2_3::OpaqueAttribute::readValueFrom(Imf_2_3::IStream&, int, int) (/lib/x86_64-linux-gnu/libIlmImf-2_3.so.24+0x6664f)

==7081==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: allocation-size-too-big (/lib/x86_64-linux-gnu/libasan.so.6+0xb2087) in operator new[](unsigned long)
==7081==ABORTING

Additional information:

Version: ImageMagick 7.0.11-5 Q16 x86_64 2021-03-20 https://imagemagick.org
Copyright: (C) 1999-2021 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(5.0) 
Delegates (built-in): bzlib djvu fontconfig freetype jbig jng jpeg lcms lqr lzma openexr png tiff x xml zlib
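An added example, not code from OpenEXR, ImageMagick or this report, that illustrates the failure mode the ASAN trace points at: a length-prefixed opaque attribute whose signed 32-bit size field is widened to size_t before `new[]` is asked for it, beside a reader that validates the size against its sign, a policy cap and the bytes actually remaining in the stream before any allocation. The names (`readOpaqueAttribute`, `kMaxAttributeBytes`, `makeAttrBlob`, `widenedAllocationRequest`), the 64 MiB cap and the blob layout are assumptions made for this example. The reported request size 0xfffffffff1100700 is exactly what the negative int32 -250607872 becomes when sign-extended to a 64-bit size_t; whether that is the path inside Imf_2_3::OpaqueAttribute::readValueFrom is not established by this thread.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <vector>

// Policy cap on one attribute's payload (constructed value for this example,
// not a limit taken from OpenEXR).
constexpr std::size_t kMaxAttributeBytes = 64u * 1024u * 1024u;

enum class AttrStatus { Ok, Truncated, NegativeSize, TooLarge };

struct OpaqueAttr {
    AttrStatus status;
    std::vector<std::uint8_t> payload;
};

// Parse a little-endian int32 size field as an EXR-style header stores it.
static bool readInt32LE(const std::vector<std::uint8_t>& buf, std::size_t& pos,
                        std::int32_t& out) {
    if (pos > buf.size() || buf.size() - pos < 4) return false;
    std::uint32_t v = static_cast<std::uint32_t>(buf[pos])
                    | (static_cast<std::uint32_t>(buf[pos + 1]) << 8)
                    | (static_cast<std::uint32_t>(buf[pos + 2]) << 16)
                    | (static_cast<std::uint32_t>(buf[pos + 3]) << 24);
    std::memcpy(&out, &v, sizeof out);  // two's-complement reinterpretation
    pos += 4;
    return true;
}

// The request `new char[size]` would make when a signed size is widened
// without a check (assumes a 64-bit size_t, as in the ASAN report).
std::size_t widenedAllocationRequest(std::int32_t size) {
    return static_cast<std::size_t>(size);
}

// Hardened reader: sign, policy cap and remaining stream length are all
// checked before the payload is copied, so a hostile size field cannot
// trigger an oversized allocation.
OpaqueAttr readOpaqueAttribute(const std::vector<std::uint8_t>& buf, std::size_t& pos) {
    std::int32_t size = 0;
    if (!readInt32LE(buf, pos, size)) return {AttrStatus::Truncated, {}};
    if (size < 0) return {AttrStatus::NegativeSize, {}};
    const std::size_t n = static_cast<std::size_t>(size);
    if (n > kMaxAttributeBytes) return {AttrStatus::TooLarge, {}};
    if (buf.size() - pos < n) return {AttrStatus::Truncated, {}};
    OpaqueAttr attr{AttrStatus::Ok,
                    std::vector<std::uint8_t>(buf.begin() + pos, buf.begin() + pos + n)};
    pos += n;
    return attr;
}

// Build a constructed attribute blob: 4-byte little-endian size, then payload.
std::vector<std::uint8_t> makeAttrBlob(std::int32_t size,
                                       const std::vector<std::uint8_t>& payload) {
    std::vector<std::uint8_t> blob;
    std::uint32_t u;
    std::memcpy(&u, &size, sizeof u);
    for (int i = 0; i < 4; ++i) blob.push_back(static_cast<std::uint8_t>(u >> (8 * i)));
    blob.insert(blob.end(), payload.begin(), payload.end());
    return blob;
}

int main() {
    std::size_t pos = 0;
    auto good = makeAttrBlob(3, {1, 2, 3});
    auto r = readOpaqueAttribute(good, pos);
    std::cout << "good blob: status=" << static_cast<int>(r.status)
              << " bytes=" << r.payload.size() << "\n";

    // A negative size field: the unchecked widening produces the same
    // request size that appears in the ASAN report above.
    pos = 0;
    auto bad = makeAttrBlob(-250607872, {});
    std::cout << "negative size widens to 0x" << std::hex
              << widenedAllocationRequest(-250607872) << std::dec << "\n";
    auto r2 = readOpaqueAttribute(bad, pos);
    std::cout << "bad blob: status=" << static_cast<int>(r2.status) << "\n";
    return 0;
}
```

The order of the checks matters: the sign test must come before the widening, and the remaining-length test must be done on the already-bounded value so the subtraction cannot itself wrap. Running this under ASAN would show no report, because the reader never reaches an allocation for the rejected inputs.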

peterhillman commented 3 years ago

Thanks for the report. I don't see any attached poc file (the link is empty). Could you perhaps provide that file?

Meanwhile, it appears you are building against an OpenEXR-2.3.X release. It's possible later releases already have a fix for this, as it is similar to #248.

ConcoctionSec commented 3 years ago

Sorry, through my negligence I used an empty poc link; the poc link has now been updated. I will look over #248 and try to use the latest version of openexr. Thank you for your reply.

ConcoctionSec commented 3 years ago

I saw that in this issue, a similar issue was confirmed as CVE-2017-14988.