DIPlib / diplib

Quantitative Image Analysis in C++, MATLAB and Python
https://diplib.org
Apache License 2.0

Out-Of-Memory of ImageReadTIFF #82

Closed NigelX closed 3 years ago

NigelX commented 3 years ago

Hi

I found a crash error.

System info: Ubuntu 20.04: clang 10.0.0, gcc 9.3.0

DIPlib Release v3.0.0

commit: 7db848500f4cc5db676b32e9a95dcbc94d976339

[poc3.zip](https://github.com/DIPlib/diplib/files/6966711/poc3.zip) (edit: careful with this, looks malicious)


Verification steps:

1. Get the source code of DIPlib
2. Compile DIPlib and poc.cc

```shell
$ cd diplib
$ mkdir build && cd build
$ cmake ../ -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_FLAGS="-O2 -fno-omit-frame-pointer -g -fsanitize=address" -DCMAKE_CXX_FLAGS="-O2 -fno-omit-frame-pointer -g -fsanitize=address"
$ make -j 32
$ sudo make install
$ cp src/libDIP.so ./
$ clang++ -g poc.cc -O2 -fno-omit-frame-pointer -fsanitize=address -fsanitize-coverage=bb -I/usr/local/include -lDIP -L. -Wl,-rpath,. -o poc
```

3. Run poc

```shell
$ ./poc crash.tiff
```

ASan info:

```
=================================================================
==3194162==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0xaf73fb9f0 bytes
    #0 0x494b8d in malloc (/home/topsec/Downloads/diplib/build/poc+0x494b8d)
    #1 0x7fac78b41081 in dip::Image::Forge() /home/topsec/Downloads/diplib/src/library/image_data.cpp:688:20
    #2 0x7fac78b442ae in dip::Image::ReForge(dip::DimensionArray<unsigned long> const&, unsigned long, dip::DataType, dip::Option::AcceptDataTypeChange) /home/topsec/Downloads/diplib/src/library/image_data.cpp:735:4
    #3 0x7fac783e0d12 in dip::(anonymous namespace)::ReadTIFFBinary(dip::Image&, dip::(anonymous namespace)::TiffFile&, dip::(anonymous namespace)::GetTIFFInfoData&) /home/topsec/Downloads/diplib/src/file_io/tiff_read.cpp:493:10
    #4 0x7fac783e0d12 in dip::ImageReadTIFF(dip::Image&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, dip::Range, dip::DimensionArray<dip::Range> const&, dip::Range const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/topsec/Downloads/diplib/src/file_io/tiff_read.cpp:1074:13
    #5 0x4c77fe in dip::ImageReadTIFF(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, dip::Range const&, dip::DimensionArray<dip::Range> const&, dip::Range const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/local/include/diplib/file_io.h:230:4
    #6 0x4c77fe in main /home/topsec/Downloads/diplib/build/poc.cc:18:19
    #7 0x7fac76fa10b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

==3194162==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: out-of-memory (/home/topsec/Downloads/diplib/build/poc+0x494b8d) in malloc
==3194162==ABORTING
```

Thank you, Product Security

crisluengo commented 3 years ago

Why are you submitting maliciously crafted image files? What are you trying to accomplish?

NigelX commented 3 years ago

https://cwe.mitre.org/data/definitions/789.html

crisluengo commented 3 years ago

This is not a bug, it's working as intended. DIPlib does not limit the size of an image created. If there's not enough memory, the allocator fails and throws an exception. The application can choose to catch the exception and handle it, or just terminate.
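The maintainer's reply describes the behaviour: the image dimensions read from the file drive the allocation, and if the allocator cannot satisfy it the library throws and the application decides what to do. The following is an added example, not DIPlib code and not from either participant in the thread, showing the two defensive layers an application or file reader can put in front of such an allocation: bounding the computed buffer size (with overflow-checked multiplication) against an explicit memory budget before allocating, and catching the allocation failure if one still occurs. The `ImageHeader` struct, `SafeImageBytes`, `ReadImageData`, the 1 GiB budget and the use of `std::bad_alloc` from `std::vector` are all assumptions for illustration; DIPlib's own exception type on allocation failure is not shown on this page, and a real reader would take the header fields from the parsed TIFF directory.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <new>
#include <vector>

// Hypothetical record of what a TIFF reader knows after parsing the image
// directory. Every field comes from the untrusted file and must be validated.
struct ImageHeader {
    std::uint64_t width;
    std::uint64_t height;
    std::uint64_t channels;
    std::uint64_t bytesPerSample;
};

// Multiply the dimensions with overflow checks and compare the product against
// an explicit budget. Returns false (leaving outBytes untouched) if any
// dimension is zero, the product overflows 64 bits, or it exceeds the budget.
bool SafeImageBytes(const ImageHeader& h, std::uint64_t budgetBytes, std::uint64_t& outBytes) {
    const std::uint64_t dims[] = {h.width, h.height, h.channels, h.bytesPerSample};
    std::uint64_t total = 1;
    for (std::uint64_t d : dims) {
        if (d == 0) {
            return false;
        }
        // total * d would overflow exactly when total > max / d
        if (total > std::numeric_limits<std::uint64_t>::max() / d) {
            return false;
        }
        total *= d;
    }
    if (total > budgetBytes) {
        return false;
    }
    outBytes = total;
    return true;
}

enum class ReadStatus { Ok, RejectedTooLarge, AllocationFailed };

// Simulated reader: the first layer rejects sizes the caller never wants to
// honour, the second turns an allocation failure into a status instead of a crash.
ReadStatus ReadImageData(const ImageHeader& h, std::uint64_t budgetBytes,
                         std::vector<std::uint8_t>& buffer) {
    std::uint64_t bytes = 0;
    if (!SafeImageBytes(h, budgetBytes, bytes)) {
        return ReadStatus::RejectedTooLarge;
    }
    // Guard the narrowing to size_t on platforms where it is smaller than 64 bits.
    if (bytes > std::numeric_limits<std::size_t>::max()) {
        return ReadStatus::RejectedTooLarge;
    }
    try {
        buffer.resize(static_cast<std::size_t>(bytes));
    } catch (const std::bad_alloc&) {
        return ReadStatus::AllocationFailed;
    }
    return ReadStatus::Ok;
}

int main() {
    // Constructed headers: a plausible image, and one whose product lands in the
    // tens of gigabytes, the order of magnitude in the ASan trace above.
    const ImageHeader normal{512, 512, 1, 1};
    const ImageHeader oversized{65536, 65536, 3, 4};
    const std::uint64_t budget = std::uint64_t{1} << 30;  // 1 GiB, an assumed policy value
    std::vector<std::uint8_t> buffer;
    std::printf("normal: %d\n", static_cast<int>(ReadImageData(normal, budget, buffer)));
    std::printf("oversized: %d\n", static_cast<int>(ReadImageData(oversized, budget, buffer)));
    return 0;
}
```

The budget check is what changes the outcome for a file like the one in the report: instead of the allocator being asked for tens of gigabytes and the process aborting, the read is refused up front with a status the caller can log and act on, and the `catch` remains as a backstop for the case the maintainer describes, where the size is within policy but the machine still cannot provide it.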