
[BUG]Segmentation-violation bug at src/include/OpenImageIO/string_view.h:262 in openimageio #4551

Open
Frank-Z7 opened this issue Dec 2, 2024 · 2 comments · May be fixed by #4557

Comments


Frank-Z7 commented Dec 2, 2024

Description

Dear developers,

We discovered a Segmentation-violation bug in src/include/OpenImageIO/string_view.h:262 while fuzzing iconvert.

The latest version also has this vulnerability.

Version

# ./bin/oiiotool --version
3.1.0.0dev

# ./bin/iconvert -v
iconvert: Must have both an input and output filename specified.
iconvert -- copy images with format conversions and other alterations
OpenImageIO 3.1.0.0dev http://www.openimageio.org

PoC

poc2iconvert: https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/poc2iconvert

Reproduction

git clone https://github.com/AcademySoftwareFoundation/OpenImageIO.git openimageio
cd openimageio
mkdir build1
cd build1
CFLAGS="-g3 -fsanitize=address -O0 -fno-omit-frame-pointer" CXXFLAGS="-g3 -fsanitize=address -O0 -fno-omit-frame-pointer" LDFLAGS="-fsanitize=address" cmake .. -DCMAKE_CXX_STANDARD=17 -DOpenImageIO_BUILD_MISSING_DEPS=all
make -j20

./bin/iconvert -g 0.7 --separate --rotccw poc2iconvert tmp.png

Address Sanitizer log

=================================================================
==659943==ERROR: AddressSanitizer: SEGV on unknown address 0x61f100014fbc (pc 0x7f26e1af481e bp 0x7fff7fa986f0 sp 0x7fff7fa97e68 T0)
==659943==The signal is caused by a READ memory access.
    #0 0x7f26e1af481e  (/lib/x86_64-linux-gnu/libc.so.6+0x1ae81e)
    #1 0x7f26e5fce2e9 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:881
    #2 0x7f26e5fcebc6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:892
    #3 0x7f26e5fcebc6 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:887
    #4 0x7f26e31f346d in std::char_traits<char>::compare(char const*, char const*, unsigned long) /usr/include/c++/11/bits/char_traits.h:389
    #5 0x7f26e31f346d in OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >::compare(OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >) const /openimageio/src/include/OpenImageIO/string_view.h:262
    #6 0x7f26e31f346d in OpenImageIO_v3_1_0::operator==(OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >, OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >) /openimageio/src/include/OpenImageIO/string_view.h:393
    #7 0x7f26e31f346d in OpenImageIO_v3_1_0::decode_icc_profile(OpenImageIO_v3_1_0::span<unsigned char const, 18446744073709551615ul>, OpenImageIO_v3_1_0::ImageSpec&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&) /openimageio/src/libOpenImageIO/icc.cpp:319
    #8 0x7f26e38fa7eb in OpenImageIO_v3_1_0::JpgInput::read_icc_profile(jpeg_decompress_struct*, OpenImageIO_v3_1_0::ImageSpec&) /openimageio/src/jpeg.imageio/jpeginput.cpp:438
    #9 0x7f26e3902fd3 in OpenImageIO_v3_1_0::JpgInput::open(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, OpenImageIO_v3_1_0::ImageSpec&) /openimageio/src/jpeg.imageio/jpeginput.cpp:363
    #10 0x7f26e390744c in OpenImageIO_v3_1_0::JpgInput::open(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, OpenImageIO_v3_1_0::ImageSpec&, OpenImageIO_v3_1_0::ImageSpec const&) /openimageio/src/jpeg.imageio/jpeginput.cpp:162
    #11 0x7f26e3403740 in OpenImageIO_v3_1_0::ImageInput::create(OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >, bool, OpenImageIO_v3_1_0::ImageSpec const*, OpenImageIO_v3_1_0::Filesystem::IOProxy*, OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >) /openimageio/src/libOpenImageIO/imageioplugin.cpp:746
    #12 0x7f26e337f1d4 in OpenImageIO_v3_1_0::ImageInput::open(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, OpenImageIO_v3_1_0::ImageSpec const*, OpenImageIO_v3_1_0::Filesystem::IOProxy*) /openimageio/src/libOpenImageIO/imageinput.cpp:154
    #13 0x5572d54cb97e in convert_file /openimageio/src/iconvert/iconvert.cpp:333
    #14 0x5572d54ba80d in main /openimageio/src/iconvert/iconvert.cpp:525
    #15 0x7f26e196fd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #16 0x7f26e196fe3f in __libc_start_main_impl ../csu/libc-start.c:392
    #17 0x5572d54bb4b4 in _start (/openimageio/build1/bin/iconvert+0xc4b4)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x1ae81e)
==659943==ABORTING

Environment

ubuntu:22.04
gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)
clang version 14.0.0-1ubuntu1.1
afl-fuzz++4.22a

Thanks for your time!
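The trace above ends in string_view::compare reading an unmapped address from decode_icc_profile, which is the signature of a view built from a span with an offset or length that was never checked against the span's size. The issue does not state the root cause, so the following is an added illustration of that bug class and its defensive fix, not OpenImageIO's code: Field, view_in_bounds, sig_matches_* and the 16-byte blob are all hypothetical and constructed here.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <string_view>
#include <vector>

// Hypothetical record header: a signature located by an offset and length that
// are themselves read from the blob (as an ICC tag table is). Both values are
// attacker-controlled, so they must be validated against the blob size.
struct Field { std::size_t offset; std::size_t length; };

// Unchecked form, mirroring the failure mode in the ASan trace: the view may
// point past the end of the buffer and operator== then memcmp's out of bounds.
// Only safe to call when the caller has already proven f is in range.
static bool sig_matches_unchecked(const std::vector<std::uint8_t>& blob,
                                  Field f, std::string_view expected) {
    std::string_view sv(reinterpret_cast<const char*>(blob.data()) + f.offset,
                        f.length);
    return sv == expected;   // reads beyond blob when f is out of range
}

// Hardened form: build the view only if [offset, offset+length) lies entirely
// inside the blob. The subtraction form avoids size_t overflow in offset+length.
static std::optional<std::string_view>
view_in_bounds(const std::vector<std::uint8_t>& blob, Field f) {
    if (f.offset > blob.size() || f.length > blob.size() - f.offset)
        return std::nullopt;
    return std::string_view(
        reinterpret_cast<const char*>(blob.data()) + f.offset, f.length);
}

static bool sig_matches_checked(const std::vector<std::uint8_t>& blob,
                                Field f, std::string_view expected) {
    auto sv = view_in_bounds(blob, f);
    return sv.has_value() && *sv == expected;   // out-of-range -> false, no read
}

// Constructed 16-byte sample blob: a length word, then "acsp" at offset 4.
static std::vector<std::uint8_t> sample_blob() {
    return {0, 0, 0, 16, 'a', 'c', 's', 'p', 0, 0, 0, 0, 0, 0, 0, 0};
}
```

Building with -fsanitize=address, as in the reproduction steps above, turns the unchecked path into a reported read instead of a silent one; the checked path rejects the bad field before any memory is touched.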

Collaborator

lgritz commented Dec 2, 2024

Thanks for the report. I've been looking at this today and I think I will have a fix to post shortly.

@lgritz lgritz linked a pull request Dec 3, 2024 that will close this issue
Collaborator

lgritz commented Dec 3, 2024

Proposed fix in #4557
