hku-mars / FAST-LIVO

A Fast and Tightly-coupled Sparse-Direct LiDAR-Inertial-Visual Odometry (LIVO).
GNU General Public License v2.0
1.26k stars 202 forks

Use-after-free bug in img_cbk() #38

Closed kekeliu-whu closed 1 year ago

kekeliu-whu commented 1 year ago

Hi, I found a bug with AddressSanitizer when testing our dataset:

cv::Mat getImageFromMsg(const sensor_msgs::ImageConstPtr& img_msg) {
  cv::Mat img;
  img = cv_bridge::toCvShare(img_msg, "bgr8")->image;
  return img;
}

It can be seen from the description of toCvShare() that img_msg->data and img.data may share the same memory, which leads to a use-after-free bug. To be more specific, img_msg->data will be released after getImageFromMsg() returns, but the returned img may still be used after that.
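A self-contained model of the ownership relations behind this bug, added here as an example and not code from FAST-LIVO or cv_bridge: `Msg`, `MatHdr`, `CvImg` and `toCvShareModel` are stand-ins for sensor_msgs::Image, a cv::Mat header, cv_bridge::CvImage and toCvShare(); the fixed function copies the pixels the way cv_bridge::toCvCopy() or cv::Mat::clone() would.

```cpp
// Added example (not FAST-LIVO or cv_bridge code): a minimal model of the
// ownership relations that make the shared header dangle.
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

struct Msg { std::vector<uint8_t> data; };   // pixel buffer owned by the ROS message

// cv::Mat-like header: `owner` is non-null only when the header owns its pixels.
struct MatHdr {
    const uint8_t* ptr = nullptr;
    std::size_t size = 0;
    std::shared_ptr<std::vector<uint8_t>> owner;
    bool ownsPixels() const { return owner != nullptr; }
    MatHdr clone() const {                    // like cv::Mat::clone(): deep copy
        MatHdr m;
        m.owner = std::make_shared<std::vector<uint8_t>>(ptr, ptr + size);
        m.ptr = m.owner->data();
        m.size = m.owner->size();
        return m;
    }
};

// Like cv_bridge::CvImage: the header plus the message it keeps alive.
struct CvImg {
    std::shared_ptr<const Msg> tracked_object;
    MatHdr image;
};

// Model of toCvShare(): the header points straight into the message buffer.
std::shared_ptr<const CvImg> toCvShareModel(const std::shared_ptr<const Msg>& msg) {
    auto out = std::make_shared<CvImg>();
    out->tracked_object = msg;
    out->image.ptr = msg->data.data();
    out->image.size = msg->data.size();
    return out;
}

// Buggy pattern from the issue: the CvImg temporary dies at the semicolon, so the
// returned header neither owns the pixels nor keeps `msg` alive.
MatHdr getImageShared(const std::shared_ptr<const Msg>& msg) {
    return toCvShareModel(msg)->image;
}

// Fixed pattern: deep-copy the pixels before the message can be released.
MatHdr getImageCopied(const std::shared_ptr<const Msg>& msg) {
    return toCvShareModel(msg)->image.clone();
}

// True when the header aliases the message buffer and will dangle once it is freed.
bool aliasesMessage(const MatHdr& m, const Msg& msg) { return m.ptr == msg.data.data(); }
```

The check to keep in mind is `ownsPixels()`: any header stored for later use (as img_cbk() does) must own its data or hold the object that does.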

xuankuzcr commented 1 year ago

Great discovery and a very practical tool! Additionally, could you share how you configured AddressSanitizer in the project?

kekeliu-whu commented 1 year ago

Tool usage reference: https://github.com/google/sanitizers/wiki/AddressSanitizer

Usage:

  1. Change the cmakelists.txt as below:
    4,8c4
    < SET(CMAKE_BUILD_TYPE "Debug")
    <
    < ADD_COMPILE_OPTIONS(-std=c++14 )
    < ADD_COMPILE_OPTIONS(-std=c++14 )
    < set( CMAKE_CXX_FLAGS "-std=c++14 -O3" )
    ---
    > SET(CMAKE_BUILD_TYPE "")
    16c12
    < set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -std=c++14 -pthread -std=c++0x -std=c++14 -fexceptions")
    ---
    > set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -pthread -fsanitize=address -O1 -fno-omit-frame-pointer -g -fexceptions")
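Review bot: the replacement line drops every -std=c++14 flag together with the duplicated -std=c++0x, so the language standard falls back to the compiler's default; with older clang releases that default predates C++14 and the build can fail. Keep the standard next to the sanitizer flags: `set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -std=c++14 -pthread -fsanitize=address -O1 -fno-omit-frame-pointer -g -fexceptions")`.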
  2. Build fast-livo with cmake .. -DCMAKE_C_COMPILER=/path/to/clang -DCMAKE_CXX_COMPILER=/path/to/clang++ && make (clang must be used instead of gcc)
  3. Run fast-livo to detect memory issues.

Following the steps above, maybe more issues could be found :)

I have made a pull request to fix the bug above: https://github.com/hku-mars/FAST-LIVO/pull/39. Hope you can merge it!

xuankuzcr commented 1 year ago

Thanks for sharing. I have merged the PR.