Issue 746996 link

Starred by 1 user

Issue metadata

Status: WontFix
Owner: ----
Closed: Aug 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug-Security



OpenCV heap-buffer-overflow

Reported by scdengy...@gmail.com, Jul 20 2017

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36

Steps to reproduce the problem:
cv::imread("poc.pxm") triggers the heap buffer overflow.
All versions of OpenCV are affected.

What is the expected behavior?
OpenCV is widely used, I found some reference in chromium and AOSP, so I wonder if I can report this issue here.
https://cs.chromium.org/chromium/src/third_party/ffmpeg/libavfilter/vf_libopencv.c?q=opencv&sq=package:chromium&dr=C&l=23
https://android.googlesource.com/platform/external/opencv3/

What went wrong?
Root cause:
195:
    int  bit_depth = CV_ELEM_SIZE1(m_type)*8;
    int  src_pitch = (m_width*m_bpp*bit_depth/8 + 7)/8;
204:
    AutoBuffer<uchar> _src(src_pitch + 32);
    uchar* src = _src;
233:
                    for( x = 0; x < m_width; x++ )
                        src[x] = ReadNumber( m_strm, 1 ) != 0;

In my poc, the m_width is about 8x bigger than src_pitch, which causes the _src buffer to overflow:
(gdb) p m_width
$2 = 0x54c5638
(gdb) p src_pitch
$3 = 0xa98ac7

Did this work before? N/A 

Chrome version: 59.0.3071.115  Channel: stable
OS Version: OS X 10.12.5
Flash Version: Shockwave Flash 26.0 r0
Attachments: poc.pxm (13 bytes), dump.txt (4.0 KB)
before 3.0, this is in modules/highgui/src/grfmt_pxm.cpp
later moved to modules/imgcodecs/src/grfmt_pxm.cpp
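The sizing mismatch described in the root-cause section can be checked numerically. The following is an added example, not OpenCV's code or the reporter's: it reconstructs the two quantities from the quoted lines (the packed-row size src_pitch and the AutoBuffer allocation of src_pitch + 32) and compares them with what the one-byte-per-pixel loop at line 233 actually writes. The function names are hypothetical, the arithmetic is done in 64 bits so the product cannot wrap, and the inputs assume m_bpp == 1 and bit_depth == 8 (a 1-bit PBM decoded to 8-bit), which reproduces the reporter's gdb values. The "safe" variant is an illustrative hardening, not the upstream fix.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Packed row size as computed at the quoted line 196:
 *   src_pitch = (m_width*m_bpp*bit_depth/8 + 7)/8
 * Reconstructed here in 64-bit arithmetic (hypothetical helper). */
static uint64_t pxm_src_pitch(uint64_t width, uint64_t bpp, uint64_t bit_depth)
{
    return (width * bpp * bit_depth / 8 + 7) / 8;
}

/* Bytes actually reserved by AutoBuffer<uchar> _src(src_pitch + 32). */
static uint64_t pxm_alloc_bytes(uint64_t width, uint64_t bpp, uint64_t bit_depth)
{
    return pxm_src_pitch(width, bpp, bit_depth) + 32;
}

/* The loop at the quoted line 233 stores one byte per pixel:
 *   for (x = 0; x < m_width; x++) src[x] = ...;
 * so it needs `width` bytes. True when that stays inside the allocation. */
static bool pxm_ascii_row_fits(uint64_t width, uint64_t bpp, uint64_t bit_depth)
{
    return width <= pxm_alloc_bytes(width, bpp, bit_depth);
}

/* Illustrative hardened sizing (assumption, not OpenCV's actual fix):
 * reserve enough for whichever consumer of the buffer needs more, the
 * packed row or the one-byte-per-pixel expansion. */
static uint64_t pxm_safe_alloc_bytes(uint64_t width, uint64_t bpp, uint64_t bit_depth)
{
    uint64_t pitch = pxm_src_pitch(width, bpp, bit_depth);
    uint64_t needed = pitch > width ? pitch : width;
    return needed + 32;
}

int main(void)
{
    /* Constructed from the reporter's gdb session: m_width = 0x54c5638,
     * with m_bpp = 1 and bit_depth = 8 assumed (1-bit PBM to 8-bit). */
    uint64_t width = 0x54c5638, bpp = 1, bit_depth = 8;

    printf("src_pitch      = 0x%llx\n",
           (unsigned long long)pxm_src_pitch(width, bpp, bit_depth));
    printf("allocated      = 0x%llx bytes\n",
           (unsigned long long)pxm_alloc_bytes(width, bpp, bit_depth));
    printf("loop writes    = 0x%llx bytes\n", (unsigned long long)width);
    printf("fits           = %s\n",
           pxm_ascii_row_fits(width, bpp, bit_depth) ? "yes" : "NO (overflow)");
    printf("safe alloc     = 0x%llx bytes\n",
           (unsigned long long)pxm_safe_alloc_bytes(width, bpp, bit_depth));
    return 0;
}
```

With these inputs src_pitch comes out as 0xa98ac7, matching the gdb output, while the loop writes 0x54c5638 bytes, roughly eight times the allocation. The 32-byte slack only masks the mismatch for widths up to 37 pixels, so any realistic PBM width overruns the buffer; the right fix is to size the buffer for every path that writes into it, not to enlarge the slack.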

Labels: Needs-Feedback
I don't see a file called grfmt_pxm.cpp anywhere in the Chromium source code, and that backtrace doesn't appear to come from Chromium. Is this vulnerability being reported against code that's built and run in Chromium?

Comment 3 by vakh@chromium.org, Jul 28 2017

Cc: infe...@chromium.org
inferno@ -- any guidance on this issue?
Components: Internals>Media>FFmpeg
I would suggest reporting the vulnerability upstream to the ffmpeg project itself.  It's unclear if this patch can be reached via chromium.

Comment 6 by kenrb@chromium.org, Aug 8 2017

Cc: wolenetz@chromium.org dalecur...@chromium.org
Explicitly adding some ffmpeg owners...

Is anyone able to confirm that OpenCV code is not built as part of Chromium?
That particular file (from OP: //third_party/ffmpeg/libavfilter/vf_libopencv.c) is not in the current set of source "C" files used to build Chrom* (see https://cs.chromium.org/chromium/src/third_party/ffmpeg/ffmpeg_generated.gni?q=ffmpeg_generated.gni&sq=package:chromium&l=1). In fact, none of //third_party/ffmpeg/libavfilter is included currently.

I'm not sure that this absolutely means Chrome *doesn't ever* use OpenCV; I'm just providing a datapoint.
Status: WontFix (was: Unconfirmed)
Chrome doesn't use any libavfilter functionality.

Comment 9 by sheriffbot@chromium.org, Nov 15 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot