valgrind errors with unittest IlmImfCtlTest - memory leak - 224 bytes directly lost, 48 bytes indirectly lost

[michaeldsmith]

compiled in debug mode first before running valgrind

cd build
rm -R *
cmake -DCMAKE_BUILD_TYPE=Debug ..
make

valgrind detects bytes in use at exit: 272 bytes in 3 blocks

1: + cd ./unittest/IlmImfCtl/
1: + valgrind -s --error-exitcode=1 --leak-check=full --track-origins=yes --show-leak-kinds=all ./IlmImfCtlTest
1: ==765== Memcheck, a memory error detector
1: ==765== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
1: ==765== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
1: ==765== Command: ./IlmImfCtlTest
1: ==765== 
1: 
1: Testing function argument types
1: ok
1: 
1: Testing function argument sources and destinations
1: 	number of threads = 0
1: 	number of threads = 1
1: 	number of threads = 2
1: 	number of threads = 3
1: ok
1: 
1: ==765== 
1: ==765== HEAP SUMMARY:
1: ==765==     in use at exit: 272 bytes in 3 blocks
1: ==765==   total heap usage: 4,493 allocs, 4,490 frees, 3,494,682 bytes allocated
1: ==765== 
1: ==765== 16 bytes in 1 blocks are indirectly lost in loss record 1 of 3
1: ==765==    at 0x483BE63: operator new(unsigned long) (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
1: ==765==    by 0x53C6885: void std::vector<IlmThread_2_3::Task*, std::allocator<IlmThread_2_3::Task*> >::_M_realloc_insert<IlmThread_2_3::Task* const&>(__gnu_cxx::__normal_iterator<IlmThread_2_3::Task**, std::vector<IlmThread_2_3::Task*, std::allocator<IlmThread_2_3::Task*> > >, IlmThread_2_3::Task* const&) (in /usr/lib/x86_64-linux-gnu/libIlmThread-2_3.so.24.0.0)
1: ==765==    by 0x53C628D: ??? (in /usr/lib/x86_64-linux-gnu/libIlmThread-2_3.so.24.0.0)
1: ==765==    by 0x53C619F: IlmThread_2_3::ThreadPool::addTask(IlmThread_2_3::Task*) (in /usr/lib/x86_64-linux-gnu/libIlmThread-2_3.so.24.0.0)
1: ==765==    by 0x4A1A138: ImfCtl::applyTransforms(Ctl::Interpreter&, std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, Imath_2_3::Box<Imath_2_3::Vec2<int> > const&, Imf_2_3::Header const&, Imf_2_3::Header const&, Imf_2_3::FrameBuffer const&, Imf_2_3::Header&, Imf_2_3::FrameBuffer const&, int) (ImfCtlApplyTransforms.cpp:523)
1: ==765==    by 0x117610: (anonymous namespace)::runTest(Ctl::Interpreter&, int) (testSourceDestination.cpp:176)
1: ==765==    by 0x118079: testSourceDestination() (testSourceDestination.cpp:239)
1: ==765==    by 0x116943: main (main.cpp:72)
1: ==765== 
1: ==765== 32 bytes in 1 blocks are indirectly lost in loss record 2 of 3
1: ==765==    at 0x483BE63: operator new(unsigned long) (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
1: ==765==    by 0x53C5871: ??? (in /usr/lib/x86_64-linux-gnu/libIlmThread-2_3.so.24.0.0)
1: ==765==    by 0x53C5BC0: ??? (in /usr/lib/x86_64-linux-gnu/libIlmThread-2_3.so.24.0.0)
1: ==765==    by 0x53C66AF: IlmThread_2_3::ThreadPool::setNumThreads(int) (in /usr/lib/x86_64-linux-gnu/libIlmThread-2_3.so.24.0.0)
1: ==765==    by 0x116A24: (anonymous namespace)::runTest(Ctl::Interpreter&, int) (testSourceDestination.cpp:80)
1: ==765==    by 0x11808A: testSourceDestination() (testSourceDestination.cpp:240)
1: ==765==    by 0x116943: main (main.cpp:72)
1: ==765== 
1: ==765== 272 (224 direct, 48 indirect) bytes in 1 blocks are definitely lost in loss record 3 of 3
1: ==765==    at 0x483BE63: operator new(unsigned long) (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
1: ==765==    by 0x53C66D1: IlmThread_2_3::ThreadPool::setNumThreads(int) (in /usr/lib/x86_64-linux-gnu/libIlmThread-2_3.so.24.0.0)
1: ==765==    by 0x116A24: (anonymous namespace)::runTest(Ctl::Interpreter&, int) (testSourceDestination.cpp:80)
1: ==765==    by 0x118068: testSourceDestination() (testSourceDestination.cpp:238)
1: ==765==    by 0x116943: main (main.cpp:72)
1: ==765== 
1: ==765== LEAK SUMMARY:
1: ==765==    definitely lost: 224 bytes in 1 blocks
1: ==765==    indirectly lost: 48 bytes in 2 blocks
1: ==765==      possibly lost: 0 bytes in 0 blocks
1: ==765==    still reachable: 0 bytes in 0 blocks
1: ==765==         suppressed: 0 bytes in 0 blocks
1: ==765== 
1: ==765== ERROR SUMMARY: 1 errors from 1 co
```ntexts (suppressed: 0 from 0)

[michaeldsmith]

I think this memory leak reported by valgrind in IlmImfCtlTest is actually a bug in ilmbase v2.3. I do not think it is a bug in the CTL codebase.

ilmbase v2.3 is currently available via Ubuntu 20.04 package manager, i.e. sudo apt-get install libilmbase-dev

This page https://packages.ubuntu.com/focal/libilmbase-dev provides the ilmbase v2.3 code that is available via Ubuntu 20.04 package manager, it is identical to the source code within the directory IlmBase available from source https://github.com/AcademySoftwareFoundation/openexr/tree/RB-2.3

Building/installing openexr/ilmbase v2.5 from source https://github.com/AcademySoftwareFoundation/openexr/tree/RB-2.5 on Ubuntu 20.04 first before compiling and running valgrind on /CTL/unittest/IlmImfCtlTest fixes this memory leak, with valgrind reporting no leaks when using openexr/ilmbase v2.5 compiled from source.

The attached Dockerfile.zip contains a Dockerfile that builds openexr/ilmbase v2.5 from source on Ubuntu 20.04 before building CTL

I expect this is the same CVE-2018-18443 CVE-2018-18443 bug as reported in aswf/openexr issue 350 AcademySoftwareFoundation/openexr#350

It looks like aswf/openexr issue 350 AcademySoftwareFoundation/openexr#350 was fixed by aswf/openexr pull request 412 AcademySoftwareFoundation/openexr#412 with commit 5fa930b by @kdt3rd This fix was included in aswf openexr/ilmbase release v2.4.0, but has not been backported to openexr/ilmbase v2.3 or v2.2 that I believe are still widely deployed.