heap-buffer-overflow #271

Closed
SmileBugs opened this issue Mar 2, 2018 · 0 comments
Labels
Bug A bug in the source code

Comments

@SmileBugs

ASAN OUTPUT

root@v22017125319057172:~# exrmakepreview -v  ./poc  1
generating preview image
=================================================================
==11705==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb4a00531 at pc 0xb6c97854 bp 0xbf9ee4f8 sp 0xbf9ee4e8
READ of size 1 at 0xb4a00531 thread T0
    #0 0xb6c97853 in Imf_2_2::CharPtrIO::readChars(char const*&, char*, int) /opt/lib/openexr-2.2.1/OpenEXR/IlmImf/ImfIO.h:247
    #1 0xb6c97853 in void Imf_2_2::Xdr::readUnsignedChars<Imf_2_2::CharPtrIO, char const*>(char const*&, unsigned char*, int) /opt/lib/openexr-2.2.1/OpenEXR/IlmImf/ImfXdr.h:326
    #2 0xb6c97853 in void Imf_2_2::Xdr::read<Imf_2_2::CharPtrIO, char const*>(char const*&, unsigned short&) /opt/lib/openexr-2.2.1/OpenEXR/IlmImf/ImfXdr.h:663
    #3 0xb6c97853 in Imf_2_2::PizCompressor::uncompress(char const*, int, Imath_2_2::Box<Imath_2_2::Vec2<int> >, char const*&) /opt/lib/openexr-2.2.1/OpenEXR/IlmImf/ImfPizCompressor.cpp:551
    #4 0xb6c97bf8 in Imf_2_2::PizCompressor::uncompress(char const*, int, int, char const*&) /opt/lib/openexr-2.2.1/OpenEXR/IlmImf/ImfPizCompressor.cpp:288
    #5 0xb6d61254 in execute /opt/lib/openexr-2.2.1/OpenEXR/IlmImf/ImfScanLineInputFile.cpp:541
    #6 0xb67839fe in IlmThread_2_2::ThreadPool::addTask(IlmThread_2_2::Task*) (/usr/lib/i386-linux-gnu/libIlmThread-2_2.so.12+0x29fe)
    #7 0xb6783e90 in IlmThread_2_2::ThreadPool::addGlobalTask(IlmThread_2_2::Task*) (/usr/lib/i386-linux-gnu/libIlmThread-2_2.so.12+0x2e90)
    #8 0xb6d6f330 in Imf_2_2::ScanLineInputFile::readPixels(int, int) /opt/lib/openexr-2.2.1/OpenEXR/IlmImf/ImfScanLineInputFile.cpp:1617
    #9 0xb6c207ca in Imf_2_2::InputFile::readPixels(int, int) /opt/lib/openexr-2.2.1/OpenEXR/IlmImf/ImfInputFile.cpp:815
    #10 0xb6c6586f in Imf_2_2::RgbaInputFile::readPixels(int, int) /opt/lib/openexr-2.2.1/OpenEXR/IlmImf/ImfRgbaFile.cpp:1302
    #11 0x804a995 in generatePreview /opt/lib/openexr-2.2.1/OpenEXR/exrmakepreview/makePreview.cpp:114
    #12 0x804a995 in makePreview(char const*, char const*, int, float, bool) /opt/lib/openexr-2.2.1/OpenEXR/exrmakepreview/makePreview.cpp:162
    #13 0x8049cce in main /opt/lib/openexr-2.2.1/OpenEXR/exrmakepreview/main.cpp:185
    #14 0xb67db636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #15 0x804a34b  (/usr/bin/exrmakepreview+0x804a34b)

0xb4a00531 is located 0 bytes to the right of 1-byte region [0xb4a00530,0xb4a00531)
allocated by thread T0 here:
    #0 0xb72b6dee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
    #1 0xb6d74f3b in EXRAllocAligned /opt/lib/openexr-2.2.1/OpenEXR/IlmImf/ImfSystemSpecific.h:139
    #2 0xb6d74f3b in Imf_2_2::ScanLineInputFile::initialize(Imf_2_2::Header const&) /opt/lib/openexr-2.2.1/OpenEXR/IlmImf/ImfScanLineInputFile.cpp:1132
    #3 0xb6d76fdd in Imf_2_2::ScanLineInputFile::ScanLineInputFile(Imf_2_2::Header const&, Imf_2_2::IStream*, int) /opt/lib/openexr-2.2.1/OpenEXR/IlmImf/ImfScanLineInputFile.cpp:1190
    #4 0xb6c18af7 in Imf_2_2::InputFile::initialize() /opt/lib/openexr-2.2.1/OpenEXR/IlmImf/ImfInputFile.cpp:555
    #5 0xb6c1b77c in Imf_2_2::InputFile::InputFile(char const*, int) /opt/lib/openexr-2.2.1/OpenEXR/IlmImf/ImfInputFile.cpp:382
    #6 0xb6c667ad in Imf_2_2::RgbaInputFile::RgbaInputFile(char const*, int) /opt/lib/openexr-2.2.1/OpenEXR/IlmImf/ImfRgbaFile.cpp:1166
    #7 0x804a786 in generatePreview /opt/lib/openexr-2.2.1/OpenEXR/exrmakepreview/makePreview.cpp:105
    #8 0x804a786 in makePreview(char const*, char const*, int, float, bool) /opt/lib/openexr-2.2.1/OpenEXR/exrmakepreview/makePreview.cpp:162
    #9 0x8049cce in main /opt/lib/openexr-2.2.1/OpenEXR/exrmakepreview/main.cpp:185
    #10 0xb67db636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap-buffer-overflow /opt/lib/openexr-2.2.1/OpenEXR/IlmImf/ImfIO.h:247 Imf_2_2::CharPtrIO::readChars(char const*&, char*, int)
Shadow bytes around the buggy address:
  0x36940050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36940060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36940070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36940080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36940090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x369400a0: fa fa 00 00 fa fa[01]fa fa fa 01 fa fa fa 01 fa
  0x369400b0: fa fa 00 fa fa fa 00 04 fa fa 00 fa fa fa 00 fa
  0x369400c0: fa fa 00 fa fa fa 00 fa fa fa 04 fa fa fa fd fa
  0x369400d0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa
  0x369400e0: fa fa 00 04 fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x369400f0: fa fa 00 fa fa fa 00 04 fa fa 00 fa fa fa 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==11705==ABORTING

POC

poc.zip

Version

openexr-2.2.1

Found by: Wang Yan
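The trace above shows a 16-bit read (Xdr::read of an unsigned short, reached from PizCompressor::uncompress) landing one byte past a 1-byte heap region, because the CharPtrIO-style reader only receives a cursor (char const*&) and has no way to know how many input bytes remain. The following is an added example, not OpenEXR's code and not the fix the referenced commits made: it models a reader that carries the end of the input and rejects a chunk that is shorter than the values it is asked to decode. The names (BoundedInput, ChunkHeader, parseChunkHeader, kBitmapSize), the little-endian byte order, and the chunk layout (two 16-bit range values followed by a bitmap) are assumptions for the example and mirror only the order of reads seen in the trace, not the real PIZ format.

```cpp
// Added example (not OpenEXR code, hypothetical names): a bounds-checked
// reader for a compressed chunk, shown against the failure shape in the
// sanitizer trace, where a 16-bit read is attempted from a 1-byte region
// because the reader only knows where the input starts.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <stdexcept>
#include <vector>

// Hypothetical reader that, unlike a bare "const char *&" cursor, also carries
// the end of the input so every read is checked against the bytes remaining.
struct BoundedInput {
    const char *cur;
    const char *end;
    BoundedInput(const char *data, std::size_t len) : cur(data), end(data + len) {}
    std::size_t remaining() const { return static_cast<std::size_t>(end - cur); }
    void readChars(char *out, std::size_t n) {
        if (n > remaining())
            throw std::length_error("compressed chunk truncated");
        std::memcpy(out, cur, n);
        cur += n;
    }
    // 16-bit value in little-endian order (the byte order this example assumes).
    std::uint16_t readU16() {
        unsigned char b[2];
        readChars(reinterpret_cast<char *>(b), 2);
        return static_cast<std::uint16_t>(b[0] | (b[1] << 8));
    }
};

// Constructed chunk header for the example: two 16-bit range values followed
// by one bitmap byte per value in the range. This mirrors only the order of
// reads in the trace (two unsigned shorts first), not the real PIZ layout.
struct ChunkHeader {
    std::uint16_t minNonZero = 0;
    std::uint16_t maxNonZero = 0;
    std::vector<unsigned char> bitmap;
};

constexpr std::size_t kBitmapSize = 8192;  // assumed upper bound on the range values

ChunkHeader parseChunkHeader(const char *data, std::size_t len) {
    BoundedInput in(data, len);
    ChunkHeader h;
    h.minNonZero = in.readU16();   // throws on a 1-byte chunk instead of overrunning
    h.maxNonZero = in.readU16();
    if (h.maxNonZero >= kBitmapSize)
        throw std::out_of_range("range value exceeds bitmap size");
    if (h.minNonZero <= h.maxNonZero) {
        std::size_t n = static_cast<std::size_t>(h.maxNonZero - h.minNonZero) + 1;
        h.bitmap.resize(n);
        in.readChars(reinterpret_cast<char *>(h.bitmap.data()), n);  // also length-checked
    }
    return h;
}

ChunkHeader parseChunkHeader(const std::vector<char> &chunk) {
    return parseChunkHeader(chunk.data(), chunk.size());
}

// True if the chunk parses within its own bounds, false if it is rejected.
bool chunkIsWellFormed(const std::vector<char> &chunk) {
    try {
        parseChunkHeader(chunk);
        return true;
    } catch (const std::exception &) {
        return false;
    }
}

// Constructed inputs (not taken from the poc.zip attachment).
std::vector<char> makeTruncatedChunk() {   // 1 byte, like the region in the report
    return std::vector<char>{'\x00'};
}
std::vector<char> makeShortBitmapChunk() { // promises 3 bitmap bytes, supplies 1
    return std::vector<char>{'\x01', '\x00', '\x03', '\x00', '\x01'};
}
std::vector<char> makeValidChunk() {       // range 1..3 with all 3 bitmap bytes present
    return std::vector<char>{'\x01', '\x00', '\x03', '\x00', '\x01', '\x02', '\x03'};
}

int main() {
    std::cout << "truncated: " << chunkIsWellFormed(makeTruncatedChunk()) << '\n'
              << "short bitmap: " << chunkIsWellFormed(makeShortBitmapChunk()) << '\n'
              << "valid: " << chunkIsWellFormed(makeValidChunk()) << '\n';
    return 0;
}
```

The point of the design is that the length check lives in the reader rather than in each caller: every read, whether of a fixed-width value or of a bitmap whose size came from untrusted bytes, is compared against what is actually left, so a 1-byte chunk is rejected with an exception rather than read past its end.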

@cary-ilm cary-ilm added the Bug A bug in the source code label Jun 13, 2019
peterhillman added a commit to peterhillman/openexr that referenced this issue Jul 12, 2019
DominicJacksonBFX pushed a commit to boris-fx/mocha-openexr that referenced this issue Jun 22, 2022