Bug in fuzz function() that throws libc++abi: terminating due to uncaught exception of type booboo

[xsscx]

Bug in fuzz function() | Use-After-Free Bug. [libEXR & libAppleEXR]

Discussion & Analysis

libc++abi: terminating due to uncaught exception of type booboo

Summary: The fuzz() function in Jackalope when using example/imageio.variants contain some over-release and/or ARC Issues. Is easier to show the File Information, Channels and Sub Sampling Crash with the PoC Flowers.exr using Python, then show the same issue in Sub Sampling that the Fuzz() function it encountering.

Reproduction of Sub Sampling Issue causing Abort() in libAppleEXR and all those Apple Apps on XNU.

>>> exr_file = OpenEXR.InputFile(file_path)
>>> header = exr_file.header()
>>> dw = header['dataWindow']
>>> size = (dw.max.x - dw.min.x + 1, dw.max.y - dw.min.y + 1)
>>> channels = header['channels'].keys()
>>> pt = Imath.PixelType(Imath.PixelType.FLOAT)
>>> channel_data = {c: np.frombuffer(exr_file.channel(c, pt), dtype=np.float32) for c in channels}
>>> print("Header Info:", header)
Header Info: {'channels': {'BY': HALF (2, 2), 'RY': HALF (2, 2), 'Y': HALF (1, 1)}, 'compression': B44_COMPRESSION, 'dataWindow': (0, 0) - (783, 733), 'displayWindow': (0, 0) - (783, 733), 'lineOrder': INCREASING_Y, 'owner': b'Copyright 2006 Industrial Light & Magic', 'pixelAspectRatio': 1.0, 'screenWindowCenter': (0.0, 0.0), 'screenWindowWidth': 1.0}
>>> print("Image Size:", size)
Image Size: (784, 734)
>>> print("Channels:", list(channels))
Channels: ['BY', 'RY', 'Y']
>>> channels = header['channels'].keys()
>>> pt = Imath.PixelType(Imath.PixelType.FLOAT)
>>> channel_data = {c: np.frombuffer(exr_file.channel(c, pt), dtype=np.float32) for c in channels}
>>> for c in channel_data:
...  channel_data[c] = channel_data[c].reshape(size[1], size[0])
...
Traceback (most recent call last):
  File "<stdin>", line 2, in <module>
ValueError: cannot reshape array of size 143864 into shape (734,784)
>>> exr_file.close()
>>> dw = header['dataWindow']
>>> size = (dw.max.x - dw.min.x + 1, dw.max.y - dw.min.y + 1)
>>> channels = header['channels'].keys()
>>> pt = Imath.PixelType(Imath.PixelType.FLOAT)
>>> channel_data = {c: np.frombuffer(exr_file.channel(c, pt), dtype=np.float32) for c in channels}
libc++abi: terminating due to uncaught exception of type Iex_3_2::ArgExc: Cannot find image attribute "dataWindow".
zsh: abort      python3

• In this contrived example to Reproduce the Bug in these Frameworks, the best guess is that the Image File has been Closed yet the Code continues and is a Use-After-Free Bug. [libEXR & libAppleEXR]

  Apple Bug - Potential Use-After-Free

  
  (lldb) target create "/System/Applications/Preview.app/Contents/MacOS/Preview"
  Current executable set to '/System/Applications/Preview.app/Contents/MacOS/Preview' (x86_64).
  (lldb) settings set -- target.run-args  "other_0xxxxxxxxxx7ce_0x0_1.exr"
  (lldb) r
  Process 61419 launched: '/System/Applications/Preview.app/Contents/MacOS/Preview' (x86_64)
  ,,,
  2023-11-18 13:00:52.496289-0500 Preview[61419:3692146] [UI] No ORIGINAL document attributes found (error: Error Domain=NSPOSIXErrorDomain Code=22 "Invalid argument")
  2023-11-18 13:00:52.652203-0500 Preview[61419:3692146] [UI] Fetching document attributes for URL file:///other_0xxxxxxxxxx7ce_0x0_1.exr
  2023-11-18 13:00:52.652311-0500 Preview[61419:3692146] [UI] No LAST MODIFIED document attributes found (error: Error Domain=NSPOSIXErrorDomain Code=22 "Invalid argument")
  2023-11-18 13:00:52.652442-0500 Preview[61419:3692146] [UI] No ORIGINAL document attributes found (error: Error Domain=NSPOSIXErrorDomain Code=22 "Invalid argument")
  libc++abi: terminating due to uncaught exception of type int
  Process 61419 stopped

• thread #11, queue = 'com.apple.root.user-interactive-qos', stop reason = signal SIGABRT frame #0: 0x00007ff8072a37ce libsystem_kernel.dylib__pthread_kill + 10 libsystem_kernel.dylib: -> 0x7ff8072a37ce <+10>: jae 0x7ff8072a37d8 ; <+20> 0x7ff8072a37d0 <+12>: movq %rax, %rdi 0x7ff8072a37d3 <+15>: jmp 0x7ff80729d1c4 ; cerror_nocancel 0x7ff8072a37d8 <+20>: retq Target 0: (Preview) stopped. (lldb) bt
• thread #11, queue = 'com.apple.root.user-interactive-qos', stop reason = signal SIGABRT
  • frame #0: 0x00007ff8072a37ce libsystem_kernel.dylib__pthread_kill + 10 frame #1: 0x00007ff8072dbf30 libsystem_pthread.dylibpthread_kill + 262 frame #2: 0x00007ff8071faa49 libsystem_c.dylibabort + 126 frame #3: 0x00007ff807294c72 libc++abi.dylibabort_message + 241 frame #4: 0x00007ff807286e1a libc++abi.dylibdemangling_terminate_handler() + 266 frame #5: 0x00007ff806f27376 libobjc.A.dylib_objc_terminate() + 104 frame #6: 0x00007ff8072940cb libc++abi.dylibstd::__terminate(void (*)()) + 6 frame #7: 0x00007ff807294086 libc++abi.dylibstd::terminate() + 54 frame #8: 0x00007ff806f385f1 libobjc.A.dylibobjc_terminate + 9 frame #9: 0x00007ff8071345e1 libdispatch.dylib_dispatch_client_callout2 + 28 frame #10: 0x00007ff807144e3e libdispatch.dylib_dispatch_apply_invoke + 214 frame #11: 0x00007ff80713459a libdispatch.dylib_dispatch_client_callout + 8 frame #12: 0x00007ff80714399d libdispatch.dylib_dispatch_root_queue_drain + 879 frame #13: 0x00007ff807143f22 libdispatch.dylib_dispatch_worker_thread2 + 152 frame #14: 0x00007ff8072d8c06 libsystem_pthread.dylib_pthread_wqthread + 262 frame #15: 0x00007ff8072d7b97 libsystem_pthread.dylibstart_wqthread + 15

    ## fuzz () function needs to workaround or patch the libc++abi bailouts to continue Fuzzing
    ### Example 1

    Instrumented module CoreSVG, code size: 233472 2023-12-05 15:17:26.322141-0500 test_imageio[29656:288121] Terminating app due to uncaught exception 'NSBadBitmapParametersException', reason: 'Overflow allocating bitmap backing store. Cannot back bitmap with 1152921504606846976 bytes per row, 100 height, and 1 planes.' First throw call stack: ( 0 CoreFoundation 0x00007ff8198e6fa6 exceptionPreprocess + 242 1 libobjc.A.dylib 0x00007ff8193dc231 objc_exception_throw + 48 2 CoreFoundation 0x00007ff8198e6e46 +[NSException raise:format:] + 214 3 AppKit 0x00007ff81cfc4473 NSNewBitmapBackingStore + 141 4 AppKit 0x00007ff81cfc3fed +[NSCGImageSnapshotRep _lockFocusForCreatingSnapshot:withRect:context:hints:flipped:] + 609 5 AppKit 0x00007ff81cfcbb0d -[NSImageRep CGImageForProposedRect:context:hints:] + 591 6 AppKit 0x00007ff81cfa866f 48-[NSImage CGImageForProposedRect:context:hints:]_block_invoke + 87 7 AppKit Terminating app due to uncaught exception 'NSBadBitmapParametersException', reason: 'Overflow allocating bitmap backing store. Cannot back bitmap with 1152921504606846976 bytes per row, 100 height, and 1 planes.' First throw call stack: ( 0 CoreFoundation 0x00007ff8198e6fa6 exceptionPreprocess + 242 1 libobjc.A.dylib 0x00007ff8193dc231 objc_exception_throw + 48 2 CoreFoundation 0x00007ff8198e6e46 +[NSException raise:format:] + 214 3 AppKit 0x00007ff81cfc4473 NSNewBitmapBackingStore + 141 4 AppKit 0x00007ff81cfc3fed +[NSCGImageSnapshotRep _lockFocusForCreatingSnapshot:withRect:context:hints:flipped:] + 609 5 AppKit 0x00007ff81cfcbb0d -[NSImageRep CGImageForProposedRect:context:hints:] + 591 6 AppKit 0x00007ff81cfa866f 48-[NSImage CGImageForProposedRect:context:hints:]_block_invoke + 87 7 AppKit 0x00007ff81cfa82cc -[NSImage _usingBestRepresentationForRect:context:hints:body:] + 123 8 AppKit 0x00007ff81cfa791a -[NSImage CGImageForProposedRect:context:hints:] + 589 9 test_imageio 0x00000001000037e2 fuzz + 418 10 ??? 0x0000000000000f22 0x0 + 3874 11 dyld 0x00007ff8194103a6 start + 1942 ) libc++abi: terminating due to uncaught exception of type NSException Exception at address 0x7ff8197607ce

    ### Example 2

    Instrumented module CoreSVG, code size: 233472 2023-12-05 15:17:37.448778-0500 test_imageio[29744:288395] Terminating app due to uncaught exception 'NSBadBitmapParametersException', reason: 'Overflow allocating bitmap backing store. Cannot back bitmap with 448 bytes per row, -9223372036854775808 height, and 1 planes.' First throw call stack: ( 0 CoreFoundation 0x00007ff8198e6fa6 exceptionPreprocess + 242 1 libobjc.A.dylib 0x00007ff8193dc231 objc_exception_throw + 48 2 CoreFoundation 0x00007ff8198e6e46 +[NSException raise:format:] + 214 3 AppKit 0x00007ff81cfc4473 NSNewBitmapBackingStore + 141 4 AppKit 0x00007ff81cfc3fed +[NSCGImageSnapshotRep _lockFocusForCreatingSnapshot:withRect:context:hints:flipped:] + 609 5 AppKit 0x00007ff81cfcbb0d -[NSImageRep CGImageForProposedRect:context:hints:] + 591 6 AppKit 0x00007ff81cfa866f 48-[NSImage CGImageForProposedRect:context:hints:]_block_invoke + 87 7 AppKit Terminating app due to uncaught exception 'NSBadBitmapParametersException', reason: 'Overflow allocating bitmap backing store. Cannot back bitmap with 448 bytes per row, -9223372036854775808 height, and 1 planes.' First throw call stack: ( 0 CoreFoundation 0x00007ff8198e6fa6 exceptionPreprocess + 242 1 libobjc.A.dylib 0x00007ff8193dc231 objc_exception_throw + 48 2 CoreFoundation 0x00007ff8198e6e46 +[NSException raise:format:] + 214 3 AppKit 0x00007ff81cfc4473 NSNewBitmapBackingStore + 141 4 AppKit 0x00007ff81cfc3fed +[NSCGImageSnapshotRep _lockFocusForCreatingSnapshot:withRect:context:hints:flipped:] + 609 5 AppKit 0x00007ff81cfcbb0d -[NSImageRep CGImageForProposedRect:context:hints:] + 591 6 AppKit 0x00007ff81cfa866f 48-[NSImage CGImageForProposedRect:context:hints:]_block_invoke + 87 7 AppKit 0x00007ff81cfa82cc -[NSImage _usingBestRepresentationForRect:context:hints:body:] + 123 8 AppKit 0x00007ff81cfa791a -[NSImage CGImageForProposedRect:context:hints:] + 589 9 test_imageio 0x00000001000037e2 fuzz + 418 10 ??? 0x0000000000000f22 0x0 + 3874 11 dyld 0x00007ff8194103a6 start + 1942 ) libc++abi: terminating due to uncaught exception of type NSException Exception at address 0x7ff8197607ce

    ### Example 3

    Instrumented module CoreSVG, code size: 233472 2023-12-05 15:17:37.448778-0500 test_imageio[29744:288395] Terminating app due to uncaught exception 'NSBadBitmapParametersException', reason: 'Overflow allocating bitmap backing store. Cannot back bitmap with 448 bytes per row, -9223372036854775808 height, and 1 planes.' First throw call stack: ( 0 CoreFoundation 0x00007ff8198e6fa6 exceptionPreprocess + 242 1 libobjc.A.dylib 0x00007ff8193dc231 objc_exception_throw + 48 2 CoreFoundation 0x00007ff8198e6e46 +[NSException raise:format:] + 214 3 AppKit 0x00007ff81cfc4473 NSNewBitmapBackingStore + 141 4 AppKit 0x00007ff81cfc3fed +[NSCGImageSnapshotRep _lockFocusForCreatingSnapshot:withRect:context:hints:flipped:] + 609 5 AppKit 0x00007ff81cfcbb0d -[NSImageRep CGImageForProposedRect:context:hints:] + 591 6 AppKit 0x00007ff81cfa866f 48-[NSImage CGImageForProposedRect:context:hints:]_block_invoke + 87 7 AppKit Terminating app due to uncaught exception 'NSBadBitmapParametersException', reason: 'Overflow allocating bitmap backing store. Cannot back bitmap with 448 bytes per row, -9223372036854775808 height, and 1 planes.' First throw call stack: ( 0 CoreFoundation 0x00007ff8198e6fa6 exceptionPreprocess + 242 1 libobjc.A.dylib 0x00007ff8193dc231 objc_exception_throw + 48 2 CoreFoundation 0x00007ff8198e6e46 +[NSException raise:format:] + 214 3 AppKit 0x00007ff81cfc4473 NSNewBitmapBackingStore + 141 4 AppKit 0x00007ff81cfc3fed +[NSCGImageSnapshotRep _lockFocusForCreatingSnapshot:withRect:context:hints:flipped:] + 609 5 AppKit 0x00007ff81cfcbb0d -[NSImageRep CGImageForProposedRect:context:hints:] + 591 6 AppKit 0x00007ff81cfa866f 48-[NSImage CGImageForProposedRect:context:hints:]_block_invoke + 87 7 AppKit 0x00007ff81cfa82cc -[NSImage _usingBestRepresentationForRect:context:hints:body:] + 123 8 AppKit 0x00007ff81cfa791a -[NSImage CGImageForProposedRect:context:hints:] + 589 9 test_imageio 0x00000001000037e2 fuzz + 418 10 ??? 0x0000000000000f22 0x0 + 3874 11 dyld 0x00007ff8194103a6 start + 1942 ) libc++abi: terminating due to uncaught exception of type NSException Exception at address 0x7ff8197607ce

    
    ### Comment 

• This appears less in the Code of https://raw.githubusercontent.com/xsscx/macos-research/main/code/imageio/imageio-test-003.m than the Code from Distribution
• It would be helpful to drop into lldb See Example https://github.com/xsscx/macos-research/issues/2
• This Abort() issue is on both OpenEXR and libAppleEXR

[xsscx]

Now using https://github.com/xsscx/macos-research/blob/main/code/imageio/imageio-test-003.m for A/B/C/D Testing. Needs more time to Fuzz the Fuzz() function for Abort().