Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Out Of Memory in Pxr24Compressor (79678745) #290

Closed
Google-Autofuzz opened this issue May 16, 2018 · 1 comment
Closed

Out Of Memory in Pxr24Compressor (79678745) #290

Google-Autofuzz opened this issue May 16, 2018 · 1 comment
Labels
Bug A bug in the source code

Comments

@Google-Autofuzz
Copy link

Hello OpenEXR team,

As part of our fuzzing efforts at Google, we have identified an issue affecting
OpenEXR (tested with revision * develop 0cf11d7).

To reproduce, we are attaching a Dockerfile which compiles the project with
LLVM, taking advantage of the sanitizers that it offers. More information about
how to use the attached Dockerfile can be found here:
https://docs.docker.com/engine/reference/builder/

Instructions:
unzip artifacts_79678745.zip
docker build --build-arg SANITIZER=address --tag=autofuzz-OpenEXR-79678745 autofuzz_79678745
docker run --entrypoint /fuzzing/repro.sh --cap-add=SYS_PTRACE -v $PWD/autofuzz_79678745/poc-c9457552c1c04ea0f98154bc433a5f5d0421a7e705e6f396aba4339568473435_min:/tmp/poc autofuzz-OpenEXR-79678745 "openexr/OpenEXR/exrenvmap/exrenvmap" /tmp/poc
docker run --cap-add=SYS_PTRACE -v $PWD/autofuzz_79678745/poc-c9457552c1c04ea0f98154bc433a5f5d0421a7e705e6f396aba4339568473435_min:/tmp/poc -it autofuzz-OpenEXR-79678745

Alternatively, and depending on the bug, you could use gcc, valgrind or other
instrumentation tools to aid in the investigation. The sanitizer error that we
encountered is here:

==7==AddressSanitizer's allocator is terminating the process instead of returning 0
==7==If you don't like this behavior set allocator_may_return_null=1
==7==AddressSanitizer CHECK failed: /build/llvm-toolchain-5.0-5.0.2~svn328729/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:218 "((0)) != (0)" (0x0, 0x0)
    #0 0x4e99cf in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/fuzzing/openexr/OpenEXR/exrenvmap/.libs/exrenvmap+0x4e99cf)
    #1 0x505895 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/fuzzing/openexr/OpenEXR/exrenvmap/.libs/exrenvmap+0x505895)
    #2 0x4eef76 in __sanitizer::ReportAllocatorCannotReturnNull() (/fuzzing/openexr/OpenEXR/exrenvmap/.libs/exrenvmap+0x4eef76)
    #3 0x4eefff in __sanitizer::DieOnFailure::OnOOM() (/fuzzing/openexr/OpenEXR/exrenvmap/.libs/exrenvmap+0x4eefff)
    #4 0x515aa4 in operator new[](unsigned long) (/fuzzing/openexr/OpenEXR/exrenvmap/.libs/exrenvmap+0x515aa4)
    #5 0x7f10fe0dbb68 in Imf_2_2::Pxr24Compressor::Pxr24Compressor(Imf_2_2::Header const&, unsigned long, unsigned long) /fuzzing/openexr/OpenEXR/IlmImf/ImfPxr24Compressor.cpp:201:18
    #6 0x7f10fe00b449 in Imf_2_2::newCompressor(Imf_2_2::Compression, unsigned long, Imf_2_2::Header const&) /fuzzing/openexr/OpenEXR/IlmImf/ImfCompressor.cpp:152:13
    #7 0x7f10fe075b7f in Imf_2_2::ScanLineInputFile::initialize(Imf_2_2::Header const&) /fuzzing/openexr/OpenEXR/IlmImf/ImfScanLineInputFile.cpp:1117:53
    #8 0x7f10fe07696b in Imf_2_2::ScanLineInputFile::ScanLineInputFile(Imf_2_2::Header const&, Imf_2_2::IStream*, int) /fuzzing/openexr/OpenEXR/IlmImf/ImfScanLineInputFile.cpp:1190:5
    #9 0x7f10fdfdc608 in Imf_2_2::InputFile::initialize() /fuzzing/openexr/OpenEXR/IlmImf/ImfInputFile.cpp:553:32
    #10 0x7f10fdfdb430 in Imf_2_2::InputFile::InputFile(char const*, int) /fuzzing/openexr/OpenEXR/IlmImf/ImfInputFile.cpp:382:13
    #11 0x7f10fdfff023 in Imf_2_2::RgbaInputFile::RgbaInputFile(char const*, int) /fuzzing/openexr/OpenEXR/IlmImf/ImfRgbaFile.cpp:1166:21
    #12 0x51fda9 in (anonymous namespace)::readSingleImage(char const*, float, float, Imf_2_2::Envmap, bool, EnvmapImage&, Imf_2_2::Header&, Imf_2_2::RgbaChannels&) /fuzzing/openexr/OpenEXR/exrenvmap/readInputImage.cpp:78:19
    #13 0x51a473 in main /fuzzing/openexr/OpenEXR/exrenvmap/main.cpp:471:9
    #14 0x7f10fc9b42e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #15 0x4215e9 in _start (/fuzzing/openexr/OpenEXR/exrenvmap/.libs/exrenvmap+0x4215e9)

We will gladly work with you so you can successfully confirm and reproduce this
issue. Do let us know if you have any feedback surrounding the documentation.

Once you have reproduced the issue, we'd appreciate to learn your expected
timeline for an update to be released. With any fix, please attribute the report
to "Google Autofuzz project".

We are also pleased to inform you that your project is eligible for inclusion to
the OSS-Fuzz project, which can provide additional continuous fuzzing, and
encourage you to investigate integration options.

Don't hesitate to let us know if you have any questions!

Google AutoFuzz Team

artifacts_79678745.zip
@cary-ilm cary-ilm added the Bug A bug in the source code label Jun 13, 2019
@peterhillman
Copy link
Contributor

This POC now aborts with 'Invalid size field in header attribute'

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug A bug in the source code
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@peterhillman @cary-ilm @Google-Autofuzz