Description
Hello OpenEXR team,
I identified an issue affecting OpenEXR by fuzzing with AFL: exrmakepreview crashes on the attached input with an invalid read of size 2 in generatePreview (makePreview.cpp:134), as shown in the Valgrind output below.
root@kali:/openexr# exrmakepreview -v fuzzOut1/crashes/id:000000,sig:11,src:000000,op:flip4,pos:243 11
generating preview image
Segmentation fault
root@kali:/openexr# valgrind -v --tool=memcheck --leak-check=full exrmakepreview -v fuzzOut1/crashes/id:000000,sig:11,src:000000,op:flip4,pos:243 11
==56888== Memcheck, a memory error detector
==56888== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==56888== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==56888== Command: exrmakepreview -v fuzzOut1/crashes/id:000000,sig:11,src:000000,op:flip4,pos:243 11
==56888==
--56888-- Valgrind options:
--56888-- -v
--56888-- --tool=memcheck
--56888-- --leak-check=full
--56888-- Contents of /proc/version:
--56888-- Linux version 4.17.0-kali1-amd64 (devel@kali.org) (gcc version 7.3.0 (Debian 7.3.0-25)) #1 SMP Debian 4.17.8-1kali1 (2018-07-24)
--56888--
--56888-- Arch and hwcaps: AMD64, LittleEndian, amd64-cx16-lzcnt-rdtscp-sse3-avx-avx2-bmi
--56888-- Page sizes: currently 4096, max supported 4096
--56888-- Valgrind library directory: /usr/lib/valgrind
--56888-- Reading syms from /usr/local/bin/exrmakepreview
--56888-- Reading syms from /usr/lib/x86_64-linux-gnu/ld-2.27.so
--56888-- Considering /usr/lib/debug/.build-id/dc/5cb16f5e644116cac64a4c3f5da4d081b81a4f.debug ..
--56888-- .. build-id is valid
--56888-- Reading syms from /usr/lib/valgrind/memcheck-amd64-linux
--56888-- Considering /usr/lib/valgrind/memcheck-amd64-linux ..
--56888-- .. CRC mismatch (computed 7680f3df wanted 92e0f93c)
--56888-- Considering /usr/lib/debug/usr/lib/valgrind/memcheck-amd64-linux ..
--56888-- .. CRC is valid
--56888-- object doesn't have a dynamic symbol table
--56888-- Scheduler: using generic scheduler lock implementation.
--56888-- Reading suppressions file: /usr/lib/valgrind/default.supp
==56888== embedded gdbserver: reading from /tmp/vgdb-pipe-from-vgdb-to-56888-by-root-on-???
==56888== embedded gdbserver: writing to /tmp/vgdb-pipe-to-vgdb-from-56888-by-root-on-???
==56888== embedded gdbserver: shared mem /tmp/vgdb-pipe-shared-mem-vgdb-56888-by-root-on-???
==56888==
==56888== TO CONTROL THIS PROCESS USING vgdb (which you probably
==56888== don't want to do, unless you know exactly what you're doing,
==56888== or are doing some strange experiment):
==56888== /usr/lib/valgrind/../../bin/vgdb --pid=56888 ...command...
==56888==
==56888== TO DEBUG THIS PROCESS USING GDB: start GDB like this
==56888== /path/to/gdb exrmakepreview
==56888== and then give GDB the following command
==56888== target remote | /usr/lib/valgrind/../../bin/vgdb --pid=56888
==56888== --pid is optional if only one valgrind process is running
==56888==
--56888-- REDIR: 0x401e290 (ld-linux-x86-64.so.2:strlen) redirected to 0x58061781 (vgPlain_amd64_linux_REDIR_FOR_strlen)
--56888-- REDIR: 0x401e070 (ld-linux-x86-64.so.2:index) redirected to 0x5806179b (vgPlain_amd64_linux_REDIR_FOR_index)
--56888-- Reading syms from /usr/lib/valgrind/vgpreload_core-amd64-linux.so
--56888-- Considering /usr/lib/valgrind/vgpreload_core-amd64-linux.so ..
--56888-- .. CRC mismatch (computed 66a2a561 wanted 3789c7eb)
--56888-- Considering /usr/lib/debug/usr/lib/valgrind/vgpreload_core-amd64-linux.so ..
--56888-- .. CRC is valid
--56888-- Reading syms from /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so
--56888-- Considering /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so ..
--56888-- .. CRC mismatch (computed 8487a070 wanted 8af30a91)
--56888-- Considering /usr/lib/debug/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so ..
--56888-- .. CRC is valid
==56888== WARNING: new redirection conflicts with existing -- ignoring it
--56888-- old: 0x0401e290 (strlen ) R-> (0000.0) 0x58061781 vgPlain_amd64_linux_REDIR_FOR_strlen
--56888-- new: 0x0401e290 (strlen ) R-> (2007.0) 0x04838a60 strlen
--56888-- REDIR: 0x401aab0 (ld-linux-x86-64.so.2:strcmp) redirected to 0x4839b90 (strcmp)
--56888-- REDIR: 0x401e7d0 (ld-linux-x86-64.so.2:mempcpy) redirected to 0x483d1a0 (mempcpy)
--56888-- Reading syms from /usr/local/lib/libIlmImf-2_3.so.2.3.0
--56888-- Reading syms from /usr/local/lib/libIlmThread-2_3.so.2.3.0
--56888-- Reading syms from /usr/local/lib/libHalf-2_3.so.2.3.0
--56888-- Reading syms from /usr/lib/x86_64-linux-gnu/libpthread-2.27.so
--56888-- Considering /usr/lib/debug/.build-id/c1/969b6ac0e7a64f9cd88fdce8b584ccfc16623d.debug ..
--56888-- .. build-id is valid
--56888-- Reading syms from /usr/lib/x86_64-linux-gnu/libz.so.1.2.11
--56888-- object doesn't have a symbol table
--56888-- Reading syms from /usr/local/lib/libImath-2_3.so.2.3.0
--56888-- Reading syms from /usr/local/lib/libIex-2_3.so.2.3.0
--56888-- Reading syms from /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.25
--56888-- object doesn't have a symbol table
--56888-- Reading syms from /usr/lib/x86_64-linux-gnu/libm-2.27.so
--56888-- Considering /usr/lib/debug/.build-id/fa/b2857727406caccd7ab22e1729b09ccf2c3eb7.debug ..
--56888-- .. build-id is valid
--56888-- Reading syms from /usr/lib/x86_64-linux-gnu/libgcc_s.so.1
--56888-- object doesn't have a symbol table
--56888-- Reading syms from /usr/lib/x86_64-linux-gnu/libc-2.27.so
--56888-- Considering /usr/lib/debug/.build-id/dc/87cd1e2b171a4c51139cb4e1f2ec630e711de3.debug ..
--56888-- .. build-id is valid
--56888-- REDIR: 0x5361050 (libc.so.6:memmove) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--56888-- REDIR: 0x5360280 (libc.so.6:strncpy) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--56888-- REDIR: 0x5361330 (libc.so.6:strcasecmp) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--56888-- REDIR: 0x535fcd0 (libc.so.6:strcat) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--56888-- REDIR: 0x53602b0 (libc.so.6:rindex) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--56888-- REDIR: 0x5362900 (libc.so.6:rawmemchr) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--56888-- REDIR: 0x53611c0 (libc.so.6:mempcpy) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--56888-- REDIR: 0x5360ff0 (libc.so.6:bcmp) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--56888-- REDIR: 0x5360240 (libc.so.6:strncmp) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--56888-- REDIR: 0x535fd40 (libc.so.6:strcmp) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--56888-- REDIR: 0x5361120 (libc.so.6:memset) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--56888-- REDIR: 0x537ab60 (libc.so.6:wcschr) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--56888-- REDIR: 0x53601e0 (libc.so.6:strnlen) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--56888-- REDIR: 0x535fdb0 (libc.so.6:strcspn) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--56888-- REDIR: 0x5361380 (libc.so.6:strncasecmp) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--56888-- REDIR: 0x535fd80 (libc.so.6:strcpy) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--56888-- REDIR: 0x53614c0 (libc.so.6:memcpy@@GLIBC_2.14) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--56888-- REDIR: 0x53602e0 (libc.so.6:strpbrk) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--56888-- REDIR: 0x535fd00 (libc.so.6:index) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--56888-- REDIR: 0x53601b0 (libc.so.6:strlen) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--56888-- REDIR: 0x53671b0 (libc.so.6:memrchr) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--56888-- REDIR: 0x53613d0 (libc.so.6:strcasecmp_l) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--56888-- REDIR: 0x5360fc0 (libc.so.6:memchr) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--56888-- REDIR: 0x537b920 (libc.so.6:wcslen) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--56888-- REDIR: 0x5360590 (libc.so.6:strspn) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--56888-- REDIR: 0x5361300 (libc.so.6:stpncpy) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--56888-- REDIR: 0x53612d0 (libc.so.6:stpcpy) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--56888-- REDIR: 0x5362930 (libc.so.6:strchrnul) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--56888-- REDIR: 0x5361420 (libc.so.6:strncasecmp_l) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--56888-- REDIR: 0x5433700 (libc.so.6:__strrchr_avx2) redirected to 0x48383e0 (rindex)
--56888-- REDIR: 0x535c5c0 (libc.so.6:malloc) redirected to 0x4835750 (malloc)
--56888-- REDIR: 0x54338d0 (libc.so.6:__strlen_avx2) redirected to 0x48389a0 (strlen)
--56888-- REDIR: 0x542fee0 (libc.so.6:__memcmp_avx2_movbe) redirected to 0x483bab0 (bcmp)
--56888-- REDIR: 0x540f0a0 (libc.so.6:__strcmp_ssse3) redirected to 0x4839a50 (strcmp)
--56888-- REDIR: 0x535d2a0 (libc.so.6:calloc) redirected to 0x4837720 (calloc)
generating preview image
--56888-- REDIR: 0x503af90 (libstdc++.so.6:operator new(unsigned long)) redirected to 0x4835dc0 (operator new(unsigned long))
--56888-- REDIR: 0x5422440 (libc.so.6:__strncpy_ssse3) redirected to 0x4838c60 (strncpy)
--56888-- REDIR: 0x5433e10 (libc.so.6:__memcpy_avx_unaligned_erms) redirected to 0x483c390 (memmove)
--56888-- REDIR: 0x5360a70 (libc.so.6:__GI_strstr) redirected to 0x483d410 (__strstr_sse2)
--56888-- REDIR: 0x503b040 (libstdc++.so.6:operator new[](unsigned long)) redirected to 0x48364e0 (operator new[](unsigned long))
--56888-- REDIR: 0x542a850 (libc.so.6:__strncmp_sse42) redirected to 0x4839220 (__strncmp_sse42)
--56888-- REDIR: 0x5434290 (libc.so.6:__memset_avx2_unaligned_erms) redirected to 0x483c280 (memset)
--56888-- REDIR: 0x5039220 (libstdc++.so.6:operator delete(void*)) redirected to 0x4836e80 (operator delete(void*))
--56888-- REDIR: 0x535df10 (libc.so.6:posix_memalign) redirected to 0x4837c10 (posix_memalign)
--56888-- REDIR: 0x535cc50 (libc.so.6:free) redirected to 0x4836980 (free)
==56888== Invalid read of size 2
==56888== at 0x402E91: generatePreview (makePreview.cpp:134)
==56888== by 0x402E91: makePreview(char const*, char const*, int, float, bool) (makePreview.cpp:158)
==56888== by 0x404F3C: main (main.cpp:185)
==56888== Address 0xfffff3800589b040 is not stack'd, malloc'd or (recently) free'd
==56888==
==56888==
==56888== Process terminating with default action of signal 11 (SIGSEGV)
==56888== Access not within mapped region at address 0xFFFFF3800589B040
==56888== at 0x402E91: generatePreview (makePreview.cpp:134)
==56888== by 0x402E91: makePreview(char const*, char const*, int, float, bool) (makePreview.cpp:158)
==56888== by 0x404F3C: main (main.cpp:185)
==56888== If you believe this happened as a result of a stack
==56888== overflow in your program's main thread (unlikely but
==56888== possible), you can try to increase the size of the
==56888== main thread stack using the --main-stacksize= flag.
==56888== The main thread stack size used in this run was 16777216.
==56888==
==56888== HEAP SUMMARY:
==56888== in use at exit: 5,390,930 bytes in 105 blocks
==56888== total heap usage: 234 allocs, 129 frees, 5,829,818 bytes allocated
==56888==
==56888== Searching for pointers to 105 not-freed blocks
==56888== Checked 5,485,480 bytes
==56888==
==56888== LEAK SUMMARY:
==56888== definitely lost: 0 bytes in 0 blocks
==56888== indirectly lost: 0 bytes in 0 blocks
==56888== possibly lost: 0 bytes in 0 blocks
==56888== still reachable: 5,390,930 bytes in 105 blocks
==56888== suppressed: 0 bytes in 0 blocks
==56888== Reachable blocks (those to which a pointer was found) are not shown.
==56888== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==56888==
==56888== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
==56888==
==56888== 1 errors in context 1 of 1:
==56888== Invalid read of size 2
==56888== at 0x402E91: generatePreview (makePreview.cpp:134)
==56888== by 0x402E91: makePreview(char const*, char const*, int, float, bool) (makePreview.cpp:158)
==56888== by 0x404F3C: main (main.cpp:185)
==56888== Address 0xfffff3800589b040 is not stack'd, malloc'd or (recently) free'd
==56888==
==56888== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault
The PoC input that triggers the crash is attached as poc.zip.
Version
openexr-2.3
Found by: TAN JIE