syoyo / tinyexr

Tiny OpenEXR image loader/saver library

SEGV on unknown address in tinyexr.h:5779 #199

Closed yangfar closed 1 year ago

yangfar commented 1 year ago

Describe the issue
When I test test_tinyexr with afl++, some crashes arose in tinyexr.h:5779.

To Reproduce
Steps to reproduce the behavior (compile TinyEXR with AddressSanitizer):

```sh
$ git clone https://github.com/syoyo/tinyexr.git
$ cd tinyexr
$ export CFLAGS="-fsanitize=address"
$ export CXXFLAGS="-fsanitize=address"
$ export CC=afl-clang-fast
$ export CXX=afl-clang-fast++
$ export AFL_USE_ASAN=1
$ mkdir build
$ cd build
$ make -j8
```

Then run:

```sh
$ ./test_tinyexr ./poc
```

Environment
- OS: Ubuntu 20.04.2 LTS
- gcc: 9.4.0

Error

```
AddressSanitizer:DEADLYSIGNAL
==1365598==ERROR: AddressSanitizer: SEGV on unknown address 0x7fb24cfa130a (pc 0x0000004e5c2b bp 0x7ffc47299350 sp 0x7ffc47298b60 T0)
==1365598==The signal is caused by a READ memory access.
    #0 0x4e5c2b in tinyexr::ReconstructTileOffsets(tinyexr::OffsetData&, TEXRHeader const*, unsigned char const*, unsigned char const*, unsigned long, bool, bool) /home/yzy/fuzzsoftware/tinyexr-release/./tinyexr.h:5779:9
    #1 0x4e5c2b in tinyexr::DecodeEXRImage(TEXRImage*, TEXRHeader const*, unsigned char const*, unsigned char const*, unsigned long, char const**) /home/yzy/fuzzsoftware/tinyexr-release/./tinyexr.h:5984:12
    #2 0x4e24a6 in LoadEXRImageFromMemory /home/yzy/fuzzsoftware/tinyexr-release/./tinyexr.h:6958:10
    #3 0x4d173a in LoadEXRImageFromFile /home/yzy/fuzzsoftware/tinyexr-release/./tinyexr.h:6935:10
    #4 0x4cb72f in LoadEXRWithLayer /home/yzy/fuzzsoftware/tinyexr-release/./tinyexr.h:6234:15
    #5 0x5181f4 in LoadEXR /home/yzy/fuzzsoftware/tinyexr-release/./tinyexr.h:6181:10
    #6 0x5181f4 in test_main(int, char**) /home/yzy/fuzzsoftware/tinyexr-release/test_tinyexr.cc:223:9
    #7 0x5181f4 in main /home/yzy/fuzzsoftware/tinyexr-release/test_tinyexr.cc:194:42
    #8 0x7fb2cfb57082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #9 0x41d74d in _start (/home/yzy/fuzzsoftware/tinyexr-release/test_tinyexr+0x41d74d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/yzy/fuzzsoftware/tinyexr-release/./tinyexr.h:5779:9 in tinyexr::ReconstructTileOffsets(tinyexr::OffsetData&, TEXRHeader const*, unsigned char const*, unsigned char const*, unsigned long, bool, bool)
==1365598==ABORTING
```

PoC: Poc.zip
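
The trace above shows an out-of-bounds read while tinyexr reconstructs the tile offset table from a fuzzed file; the report does not say which bytes of the PoC trigger it, and the fix is in the linked commit. The following is an added example, not tinyexr's code and not what that commit does: it shows the general pattern for reading a 64-bit little-endian offset table out of an untrusted buffer with every bound checked before a byte is touched, so a truncated table, an absurd entry count or an offset pointing outside the file is rejected rather than read past the end. The 64-byte sample "file", the table position 16 and the entry count are constructed for the demo and are not a real EXR layout; `ReadOffsetTable` and the `Demo*` helpers are hypothetical names.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Assumption: offsets are 64-bit little-endian, as in an OpenEXR chunk/tile
// offset table. Caller guarantees p[0..8) lies inside the buffer.
static uint64_t ReadU64LE(const unsigned char *p) {
  uint64_t v = 0;
  for (int b = 7; b >= 0; --b) v = (v << 8) | p[b];
  return v;
}

// Hardened reader. `count` is derived from the (untrusted) header, `size` is
// the real byte count of the loaded file. Every arithmetic step is bounded
// before any byte is read, so a truncated or oversized table fails cleanly
// instead of reading past the end of the buffer (the failure mode ASan
// reported above). Illustration only, not tinyexr's implementation.
static bool ReadOffsetTable(const unsigned char *data, size_t size, size_t pos,
                            size_t count, std::vector<uint64_t> &out) {
  out.clear();
  if (pos > size) return false;                // table starts past the end
  if (count > (size - pos) / 8) return false;  // table would overrun; also
                                               // rules out count*8 overflow
  const size_t table_end = pos + count * 8;
  out.reserve(count);
  for (size_t i = 0; i < count; ++i) {
    const uint64_t off = ReadU64LE(data + pos + i * 8);
    // A chunk must start after the table and inside the file.
    if (off < table_end || off >= size) return false;
    out.push_back(off);
  }
  return true;
}

// Constructed sample "file": 16 bytes of header, a 2-entry offset table at
// byte 16, and two chunks at 32 and 48, 64 bytes in total. Not a real EXR.
static std::vector<unsigned char> MakeSample() {
  std::vector<unsigned char> f(64, 0);
  const uint64_t offs[2] = {32, 48};
  for (int i = 0; i < 2; ++i)
    for (int b = 0; b < 8; ++b)
      f[16 + i * 8 + b] = static_cast<unsigned char>(offs[i] >> (8 * b));
  return f;
}

// Well-formed table: both offsets come back.
static bool DemoValid() {
  std::vector<unsigned char> f = MakeSample();
  std::vector<uint64_t> offs;
  return ReadOffsetTable(f.data(), f.size(), 16, 2, offs) &&
         offs.size() == 2 && offs[0] == 32 && offs[1] == 48;
}

// File cut off in the middle of the table: rejected, no out-of-bounds read.
static bool DemoTruncated() {
  std::vector<unsigned char> f = MakeSample();
  f.resize(20);
  std::vector<uint64_t> offs;
  return !ReadOffsetTable(f.data(), f.size(), 16, 2, offs);
}

// Absurd entry count from a corrupted header: rejected before count*8 can
// overflow or index anything.
static bool DemoHugeCount() {
  std::vector<unsigned char> f = MakeSample();
  std::vector<uint64_t> offs;
  return !ReadOffsetTable(f.data(), f.size(), 16, SIZE_MAX / 4, offs);
}

// Table intact but the first entry points outside the file: rejected.
static bool DemoBadOffset() {
  std::vector<unsigned char> f = MakeSample();
  for (int b = 0; b < 8; ++b) f[16 + b] = 0xff;  // first offset = 2^64-1
  std::vector<uint64_t> offs;
  return !ReadOffsetTable(f.data(), f.size(), 16, 2, offs);
}

int main() {
  std::printf("valid=%d truncated=%d huge=%d bad=%d\n", DemoValid(),
              DemoTruncated(), DemoHugeCount(), DemoBadOffset());
  return 0;
}
```

Running the same four cases under `-fsanitize=address` with the bounds checks removed is a quick way to see the difference: the truncated-table case then reads past the end of the vector, which is the same kind of READ fault the report shows.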

syoyo commented 1 year ago

Fixed via https://github.com/syoyo/tinyexr/commit/6e8cac308cdf4d717078f3f37c4aa39bf3b356b4

yangfar commented 1 year ago

Thanks!