
runtime error: signed integer overflow in file src/bmp.imageio/bmpinput.cpp:302 #3947

Closed
xiaoxiaoafeifei opened this issue Aug 18, 2023 · 1 comment · Fixed by #3948
Comments

@xiaoxiaoafeifei
Contributor

Describe the bug:
Hi, I found a runtime error: signed integer overflow in file src/bmp.imageio/bmpinput.cpp:302

To Reproduce:
Steps to reproduce the behavior:

  1. CC=afl-clang-fast CXX=afl-clang-fast++ CFLAGS="-gdwarf-2 -g3 -O0 -fsanitize=address -fno-omit-frame-pointer" CXXFLAGS="-gdwarf-2 -g3 -O0 -fsanitize=address -fno-omit-frame-pointer" LDFLAGS="-fsanitize=address" cmake .. -DCMAKE_CXX_STANDARD=17
  2. make && make install
  3. iconvert --inplace poc.bmp
    poc file:
    poc.bmp.zip

Evidence:
src/bmp.imageio/bmpinput.cpp:302:41: runtime error: signed integer overflow: 10240 * 276095 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /root/fuzz/fuzz_oiio/oiio/src/bmp.imageio/bmpinput.cpp:302:41 in
terminate called after throwing an instance of 'std::length_error'
what(): vector::_M_default_append
0# OpenImageIO_v2_5_2::Sysutil::stacktraceabi:cxx11 in /root/fuzz/fuzz_oiio/oiio/build/lib/libOpenImageIO_Util.so.2.5.2
1# 0x00007F5AA4E8B5CC in /root/fuzz/fuzz_oiio/oiio/build/lib/libOpenImageIO_Util.so.2.5.2
2# 0x00007F5AA4532520 in /lib/x86_64-linux-gnu/libc.so.6
3# pthread_kill in /lib/x86_64-linux-gnu/libc.so.6
4# raise in /lib/x86_64-linux-gnu/libc.so.6
5# abort in /lib/x86_64-linux-gnu/libc.so.6
6# 0x00007F5AA48C1B9E in /lib/x86_64-linux-gnu/libstdc++.so.6
7# 0x00007F5AA48CD20C in /lib/x86_64-linux-gnu/libstdc++.so.6
8# 0x00007F5AA48CD277 in /lib/x86_64-linux-gnu/libstdc++.so.6
9# 0x00007F5AA48CD4D8 in /lib/x86_64-linux-gnu/libstdc++.so.6
10# std::__throw_length_error(char const*) in /lib/x86_64-linux-gnu/libstdc++.so.6
11# 0x00007F5AA64A29AC in /root/fuzz/fuzz_oiio/oiio/build/lib/libOpenImageIO.so.2.5.2
12# 0x00007F5AA64A2281 in /root/fuzz/fuzz_oiio/oiio/build/lib/libOpenImageIO.so.2.5.2
13# 0x00007F5AA733A3BB in /root/fuzz/fuzz_oiio/oiio/build/lib/libOpenImageIO.so.2.5.2
14# 0x00007F5AA73355FE in /root/fuzz/fuzz_oiio/oiio/build/lib/libOpenImageIO.so.2.5.2
15# 0x00007F5AA7332396 in /root/fuzz/fuzz_oiio/oiio/build/lib/libOpenImageIO.so.2.5.2
16# OpenImageIO_v2_5_2::ImageInput::create(OpenImageIO_v2_5_2::basic_string_view<char, std::char_traits >, bool, OpenImageIO_v2_5_2::ImageSpec const*, OpenImageIO_v2_5_2::Filesystem::IOProxy*, OpenImageIO_v2_5_2::basic_string_view<char, std::char_traits >) in /root/fuzz/fuzz_oiio/oiio/build/lib/libOpenImageIO.so.2.5.2
17# OpenImageIO_v2_5_2::ImageInput::open(std::__cxx11::basic_string<char, std::char_traits, std::allocator > const&, OpenImageIO_v2_5_2::ImageSpec const*, OpenImageIO_v2_5_2::Filesystem::IOProxy*) in /root/fuzz/fuzz_oiio/oiio/build/lib/libOpenImageIO.so.2.5.2
18# 0x000055E91B20C502 in ../../../oiio/build/bin/iconvert
19# 0x000055E91B2133A1 in ../../../oiio/build/bin/iconvert
20# 0x00007F5AA4519D90 in /lib/x86_64-linux-gnu/libc.so.6
21# __libc_start_main in /lib/x86_64-linux-gnu/libc.so.6
22# 0x000055E91B14BC55 in ../../../oiio/build/bin/iconvert
Aborted

Platform information:
OIIO branch/version: 2.4.14.0
OS: Linux
C++ compiler: clang-14.0.6

lgritz pushed a commit that referenced this issue Aug 20, 2023
…pixels (#3948)

fix #3947: runtime error: signed integer overflow in file
src/bmp.imageio/bmpinput.cpp:302
lgritz pushed a commit to lgritz/OpenImageIO that referenced this issue Aug 20, 2023
…pixels (AcademySoftwareFoundation#3948)

fix AcademySoftwareFoundation#3947: runtime error: signed integer overflow in file
src/bmp.imageio/bmpinput.cpp:302
@xiaoxiaoafeifei
Contributor Author

This issue was assigned CVE-2023-42295
