SEGV exrmakepreview in ImfTiledOutputFile.cpp:458 #494

Closed
strongcourage opened this issue Jul 24, 2019 · 4 comments
Labels
Bug A bug in the source code

Comments

@strongcourage

Hi,

I found a crash due to a heap buffer overflow bug on exrmakepreview (the latest commit 9410823 on master).

PoC: https://github.com/strongcourage/PoCs/blob/master/openexr_9410823/PoC_hbo_writeTileData
Command: exrmakepreview -v $PoC /dev/null

ASAN says:

==22567==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000e178 at pc 0x7f2f375c522a bp 0x7ffe478e5550 sp 0x7ffe478e5540
READ of size 8 at 0x60400000e178 thread T0
    #0 0x7f2f375c5229 in Imf_2_3::TileOffsets::operator()(int, int, int, int) (/home/dungnguyen/gueb-testing/openexr/obj-asan/OpenEXR/IlmImf/libIlmImf-2_3.so.24+0x13e229)
    #1 0x7f2f375a8eac in writeTileData /home/dungnguyen/gueb-testing/openexr/OpenEXR/IlmImf/ImfTiledOutputFile.cpp:458
    #2 0x7f2f375ae164 in Imf_2_3::TiledOutputFile::copyPixels(Imf_2_3::TiledInputFile&) /home/dungnguyen/gueb-testing/openexr/OpenEXR/IlmImf/ImfTiledOutputFile.cpp:1534
    #3 0x40307b in makePreview(char const*, char const*, int, float, bool) /home/dungnguyen/gueb-testing/openexr/OpenEXR/exrmakepreview/makePreview.cpp:176
    #4 0x402187 in main /home/dungnguyen/gueb-testing/openexr/OpenEXR/exrmakepreview/main.cpp:185
    #5 0x7f2f3659582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x402428 in _start (/home/dungnguyen/PoCs/openexr_9410823/exrmakepreview-asan+0x402428)

Thanks,
Manh Dung

@strongcourage
Author

This bug also causes exrstdattr to crash.

@kdt3rd kdt3rd added the Bug A bug in the source code label Jul 24, 2019
@kdt3rd
Contributor

kdt3rd commented Jul 24, 2019

I am able to reproduce. Thank you for the report.

peterhillman added a commit to peterhillman/openexr that referenced this issue Jul 25, 2019
@kdt3rd
Contributor

kdt3rd commented Jul 25, 2019

This should be fixed and merged to master

@kdt3rd kdt3rd closed this as completed Jul 25, 2019
@carnil

carnil commented Dec 10, 2020

CVE-2020-16589 seems to have been assigned for this issue.

DominicJacksonBFX pushed a commit to boris-fx/mocha-openexr that referenced this issue Jun 22, 2022