
[BUG] heap-buffer-overflow at src/include/OpenImageIO/detail/farmhash.h in OpenImageIO_v3_1_0::farmhash::inlined::Fetch64(char const*) in openimageio #4550

Open
Frank-Z7 opened this issue Dec 2, 2024 · 0 comments


Frank-Z7 commented Dec 2, 2024

Description

Dear developers,

We discovered a heap overflow bug in src/include/OpenImageIO/detail/farmhash.h while fuzzing iconvert and oiiotool.

The latest version also has this vulnerability.

Version

# ./bin/oiiotool --version
3.1.0.0dev

# ./bin/iconvert -v
iconvert: Must have both an input and output filename specified.
iconvert -- copy images with format conversions and other alterations
OpenImageIO 3.1.0.0dev http://www.openimageio.org

PoC

poc1iconvert: https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/poc1iconvert

poc1oiio: https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/poc1oiio

Reproduction

git clone https://github.com/AcademySoftwareFoundation/OpenImageIO.git openimageio
cd openimageio
mkdir build1
cd build1
CFLAGS="-g3 -fsanitize=address -O0 -fno-omit-frame-pointer" CXXFLAGS="-g3 -fsanitize=address -O0 -fno-omit-frame-pointer" LDFLAGS="-fsanitize=address" cmake .. -DCMAKE_CXX_STANDARD=17 -DOpenImageIO_BUILD_MISSING_DEPS=all
make -j20

./bin/iconvert -g 1.5 --rotcw poc1iconvert tmp.png
#OR
./bin/oiiotool -i poc1oiio --autoorient -o tmp4.jpg

Address Sanitizer log

# ./bin/iconvert -g 1.5 --rotcw poc1iconvert tmp.png
=================================================================
==656651==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61f000015cc8 at pc 0x7f3afa3c0fdd bp 0x7ffc53979250 sp 0x7ffc53979240
READ of size 8 at 0x61f000015cc8 thread T0
    #0 0x7f3afa3c0fdc in OpenImageIO_v3_1_0::farmhash::inlined::Fetch64(char const*) /openimageio/src/include/OpenImageIO/detail/farmhash.h:291
    #1 0x7f3afa3c0fdc in OpenImageIO_v3_1_0::farmhash::farmhashuo::Hash64WithSeeds(char const*, unsigned long, unsigned long, unsigned long) /openimageio/src/include/OpenImageIO/detail/farmhash.h:791
    #2 0x7f3afa5c6c1c in OpenImageIO_v3_1_0::farmhash::farmhashuo::Hash64(char const*, unsigned long) /openimageio/src/include/OpenImageIO/detail/farmhash.h:861
    #3 0x7f3afa5c6c1c in OpenImageIO_v3_1_0::farmhash::farmhashxo::Hash64(char const*, unsigned long) /openimageio/src/include/OpenImageIO/detail/farmhash.h:917
    #4 0x7f3afa5c6c1c in OpenImageIO_v3_1_0::farmhash::farmhashxo::Hash64(char const*, unsigned long) /openimageio/src/include/OpenImageIO/detail/farmhash.h:903
    #5 0x7f3afa5c6c1c in OpenImageIO_v3_1_0::farmhash::inlined::Hash64(char const*, unsigned long) /openimageio/src/include/OpenImageIO/detail/farmhash.h:2084
    #6 0x7f3afa5c6c1c in OpenImageIO_v3_1_0::Strutil::strhash64(unsigned long, char const*) /openimageio/src/include/OpenImageIO/strutil.h:377
    #7 0x7f3afa5c6c1c in OpenImageIO_v3_1_0::Strutil::strhash64(OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >) /openimageio/src/include/OpenImageIO/strutil.h:399
    #8 0x7f3afa5c6c1c in OpenImageIO_v3_1_0::ustring::make_unique(OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >) /openimageio/src/libutil/ustring.cpp:462
    #9 0x7f3afb552653 in OpenImageIO_v3_1_0::ustring::ustring(OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >) /openimageio/src/include/OpenImageIO/ustring.h:156
    #10 0x7f3afb552653 in OpenImageIO_v3_1_0::ParamValue::ParamValue(OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >, OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >) /openimageio/src/include/OpenImageIO/paramlist.h:130
    #11 0x7f3afb552653 in void __gnu_cxx::new_allocator<OpenImageIO_v3_1_0::ParamValue>::construct<OpenImageIO_v3_1_0::ParamValue, OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >&, OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >&>(OpenImageIO_v3_1_0::ParamValue*, OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >&, OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >&) /usr/include/c++/11/ext/new_allocator.h:162
    #12 0x7f3afb552653 in void std::allocator_traits<std::allocator<OpenImageIO_v3_1_0::ParamValue> >::construct<OpenImageIO_v3_1_0::ParamValue, OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >&, OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >&>(std::allocator<OpenImageIO_v3_1_0::ParamValue>&, OpenImageIO_v3_1_0::ParamValue*, OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >&, OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >&) /usr/include/c++/11/bits/alloc_traits.h:516
    #13 0x7f3afb552653 in OpenImageIO_v3_1_0::ParamValue& std::vector<OpenImageIO_v3_1_0::ParamValue, std::allocator<OpenImageIO_v3_1_0::ParamValue> >::emplace_back<OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >&, OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >&>(OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >&, OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >&) /usr/include/c++/11/bits/vector.tcc:115
    #14 0x7f3afb552653 in OpenImageIO_v3_1_0::ImageSpec::attribute(OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >, OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >) /openimageio/src/libOpenImageIO/formatspec.cpp:362
    #15 0x7f3afb612613 in OpenImageIO_v3_1_0::decode_icc_profile(OpenImageIO_v3_1_0::span<unsigned char const, 18446744073709551615ul>, OpenImageIO_v3_1_0::ImageSpec&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&) /openimageio/src/libOpenImageIO/icc.cpp:322
    #16 0x7f3afbd197eb in OpenImageIO_v3_1_0::JpgInput::read_icc_profile(jpeg_decompress_struct*, OpenImageIO_v3_1_0::ImageSpec&) /openimageio/src/jpeg.imageio/jpeginput.cpp:438
    #17 0x7f3afbd21fd3 in OpenImageIO_v3_1_0::JpgInput::open(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, OpenImageIO_v3_1_0::ImageSpec&) /openimageio/src/jpeg.imageio/jpeginput.cpp:363
    #18 0x7f3afbd2644c in OpenImageIO_v3_1_0::JpgInput::open(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, OpenImageIO_v3_1_0::ImageSpec&, OpenImageIO_v3_1_0::ImageSpec const&) /openimageio/src/jpeg.imageio/jpeginput.cpp:162
    #19 0x7f3afb822740 in OpenImageIO_v3_1_0::ImageInput::create(OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >, bool, OpenImageIO_v3_1_0::ImageSpec const*, OpenImageIO_v3_1_0::Filesystem::IOProxy*, OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >) /openimageio/src/libOpenImageIO/imageioplugin.cpp:746
    #20 0x7f3afb79e1d4 in OpenImageIO_v3_1_0::ImageInput::open(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, OpenImageIO_v3_1_0::ImageSpec const*, OpenImageIO_v3_1_0::Filesystem::IOProxy*) /openimageio/src/libOpenImageIO/imageinput.cpp:154
    #21 0x55fdae61997e in convert_file /openimageio/src/iconvert/iconvert.cpp:333
    #22 0x55fdae60880d in main /openimageio/src/iconvert/iconvert.cpp:525
    #23 0x7f3af9d8ed8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #24 0x7f3af9d8ee3f in __libc_start_main_impl ../csu/libc-start.c:392
    #25 0x55fdae6094b4 in _start (/openimageio/build1/bin/iconvert+0xc4b4)

0x61f000015cc8 is located 0 bytes to the right of 3144-byte region [0x61f000015080,0x61f000015cc8)
allocated by thread T0 here:
    #0 0x7f3afe40f1e7 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:99
    #1 0x7f3afb8573f7 in __gnu_cxx::new_allocator<unsigned char>::allocate(unsigned long, void const*) /usr/include/c++/11/ext/new_allocator.h:127
    #2 0x7f3afb8573f7 in std::allocator_traits<std::allocator<unsigned char> >::allocate(std::allocator<unsigned char>&, unsigned long) /usr/include/c++/11/bits/alloc_traits.h:464
    #3 0x7f3afb8573f7 in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_allocate(unsigned long) /usr/include/c++/11/bits/stl_vector.h:346
    #4 0x7f3afb8573f7 in std::vector<unsigned char, std::allocator<unsigned char> >::_M_default_append(unsigned long) /usr/include/c++/11/bits/vector.tcc:635
    #5 0x7f3afbd19878 in std::vector<unsigned char, std::allocator<unsigned char> >::resize(unsigned long) /usr/include/c++/11/bits/stl_vector.h:940
    #6 0x7f3afbd19878 in OpenImageIO_v3_1_0::JpgInput::read_icc_profile(jpeg_decompress_struct*, OpenImageIO_v3_1_0::ImageSpec&) /openimageio/src/jpeg.imageio/jpeginput.cpp:423
    #7 0x7f3afbd21fd3 in OpenImageIO_v3_1_0::JpgInput::open(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, OpenImageIO_v3_1_0::ImageSpec&) /openimageio/src/jpeg.imageio/jpeginput.cpp:363
    #8 0x7f3afbd2644c in OpenImageIO_v3_1_0::JpgInput::open(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, OpenImageIO_v3_1_0::ImageSpec&, OpenImageIO_v3_1_0::ImageSpec const&) /openimageio/src/jpeg.imageio/jpeginput.cpp:162
    #9 0x7f3afb822740 in OpenImageIO_v3_1_0::ImageInput::create(OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >, bool, OpenImageIO_v3_1_0::ImageSpec const*, OpenImageIO_v3_1_0::Filesystem::IOProxy*, OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >) /openimageio/src/libOpenImageIO/imageioplugin.cpp:746
    #10 0x7f3afb79e1d4 in OpenImageIO_v3_1_0::ImageInput::open(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, OpenImageIO_v3_1_0::ImageSpec const*, OpenImageIO_v3_1_0::Filesystem::IOProxy*) /openimageio/src/libOpenImageIO/imageinput.cpp:154
    #11 0x55fdae61997e in convert_file /openimageio/src/iconvert/iconvert.cpp:333
    #12 0x55fdae60880d in main /openimageio/src/iconvert/iconvert.cpp:525
    #13 0x7f3af9d8ed8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-buffer-overflow /openimageio/src/include/OpenImageIO/detail/farmhash.h:291 in OpenImageIO_v3_1_0::farmhash::inlined::Fetch64(char const*)
Shadow bytes around the buggy address:
  0x0c3e7fffab40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3e7fffab50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3e7fffab60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3e7fffab70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3e7fffab80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3e7fffab90: 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa
  0x0c3e7fffaba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e7fffabb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e7fffabc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e7fffabd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3e7fffabe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==656651==ABORTING

#./bin/oiiotool -i poc1oiio --autoorient -o tmp4.jpg
=================================================================
==656739==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61f000006ec8 at pc 0x7fade14affd3 bp 0x7ffe33f034a0 sp 0x7ffe33f03490
READ of size 8 at 0x61f000006ec8 thread T0
    #0 0x7fade14affd2 in OpenImageIO_v3_1_0::farmhash::inlined::Fetch64(char const*) /openimageio/src/include/OpenImageIO/detail/farmhash.h:291
    #1 0x7fade14affd2 in OpenImageIO_v3_1_0::farmhash::farmhashuo::Hash64WithSeeds(char const*, unsigned long, unsigned long, unsigned long) /openimageio/src/include/OpenImageIO/detail/farmhash.h:792
    #2 0x7fade16b5c1c in OpenImageIO_v3_1_0::farmhash::farmhashuo::Hash64(char const*, unsigned long) /openimageio/src/include/OpenImageIO/detail/farmhash.h:861
    #3 0x7fade16b5c1c in OpenImageIO_v3_1_0::farmhash::farmhashxo::Hash64(char const*, unsigned long) /openimageio/src/include/OpenImageIO/detail/farmhash.h:917
    #4 0x7fade16b5c1c in OpenImageIO_v3_1_0::farmhash::farmhashxo::Hash64(char const*, unsigned long) /openimageio/src/include/OpenImageIO/detail/farmhash.h:903
    #5 0x7fade16b5c1c in OpenImageIO_v3_1_0::farmhash::inlined::Hash64(char const*, unsigned long) /openimageio/src/include/OpenImageIO/detail/farmhash.h:2084
    #6 0x7fade16b5c1c in OpenImageIO_v3_1_0::Strutil::strhash64(unsigned long, char const*) /openimageio/src/include/OpenImageIO/strutil.h:377
    #7 0x7fade16b5c1c in OpenImageIO_v3_1_0::Strutil::strhash64(OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >) /openimageio/src/include/OpenImageIO/strutil.h:399
    #8 0x7fade16b5c1c in OpenImageIO_v3_1_0::ustring::make_unique(OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >) /openimageio/src/libutil/ustring.cpp:462
    #9 0x7fade2641653 in OpenImageIO_v3_1_0::ustring::ustring(OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >) /openimageio/src/include/OpenImageIO/ustring.h:156
    #10 0x7fade2641653 in OpenImageIO_v3_1_0::ParamValue::ParamValue(OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >, OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >) /openimageio/src/include/OpenImageIO/paramlist.h:130
    #11 0x7fade2641653 in void __gnu_cxx::new_allocator<OpenImageIO_v3_1_0::ParamValue>::construct<OpenImageIO_v3_1_0::ParamValue, OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >&, OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >&>(OpenImageIO_v3_1_0::ParamValue*, OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >&, OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >&) /usr/include/c++/11/ext/new_allocator.h:162
    #12 0x7fade2641653 in void std::allocator_traits<std::allocator<OpenImageIO_v3_1_0::ParamValue> >::construct<OpenImageIO_v3_1_0::ParamValue, OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >&, OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >&>(std::allocator<OpenImageIO_v3_1_0::ParamValue>&, OpenImageIO_v3_1_0::ParamValue*, OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >&, OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >&) /usr/include/c++/11/bits/alloc_traits.h:516
    #13 0x7fade2641653 in OpenImageIO_v3_1_0::ParamValue& std::vector<OpenImageIO_v3_1_0::ParamValue, std::allocator<OpenImageIO_v3_1_0::ParamValue> >::emplace_back<OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >&, OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >&>(OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >&, OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >&) /usr/include/c++/11/bits/vector.tcc:115
    #14 0x7fade2641653 in OpenImageIO_v3_1_0::ImageSpec::attribute(OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >, OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >) /openimageio/src/libOpenImageIO/formatspec.cpp:362
    #15 0x7fade2701a86 in OpenImageIO_v3_1_0::decode_icc_profile(OpenImageIO_v3_1_0::span<unsigned char const, 18446744073709551615ul>, OpenImageIO_v3_1_0::ImageSpec&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&) /openimageio/src/libOpenImageIO/icc.cpp:329
    #16 0x7fade2e087eb in OpenImageIO_v3_1_0::JpgInput::read_icc_profile(jpeg_decompress_struct*, OpenImageIO_v3_1_0::ImageSpec&) /openimageio/src/jpeg.imageio/jpeginput.cpp:438
    #17 0x7fade2e10fd3 in OpenImageIO_v3_1_0::JpgInput::open(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, OpenImageIO_v3_1_0::ImageSpec&) /openimageio/src/jpeg.imageio/jpeginput.cpp:363
    #18 0x7fade2e1544c in OpenImageIO_v3_1_0::JpgInput::open(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, OpenImageIO_v3_1_0::ImageSpec&, OpenImageIO_v3_1_0::ImageSpec const&) /openimageio/src/jpeg.imageio/jpeginput.cpp:162
    #19 0x7fade2911740 in OpenImageIO_v3_1_0::ImageInput::create(OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >, bool, OpenImageIO_v3_1_0::ImageSpec const*, OpenImageIO_v3_1_0::Filesystem::IOProxy*, OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >) /openimageio/src/libOpenImageIO/imageioplugin.cpp:746
    #20 0x7fade2bd24bb in OpenImageIO_v3_1_0::ImageCacheFile::open(OpenImageIO_v3_1_0::ImageCachePerThreadInfo*) /openimageio/src/libtexture/imagecache.cpp:509
    #21 0x7fade2be5b5b in OpenImageIO_v3_1_0::ImageCacheImpl::verify_file(OpenImageIO_v3_1_0::ImageCacheFile*, OpenImageIO_v3_1_0::ImageCachePerThreadInfo*, bool) /openimageio/src/libtexture/imagecache.cpp:1341
    #22 0x7fade2c07770 in OpenImageIO_v3_1_0::ImageCacheImpl::get_image_info(OpenImageIO_v3_1_0::ImageCacheFile*, OpenImageIO_v3_1_0::ImageCachePerThreadInfo*, int, int, OpenImageIO_v3_1_0::ustring, OpenImageIO_v3_1_0::TypeDesc, void*) /openimageio/src/libtexture/imagecache.cpp:2760
    #23 0x7fade2c0ecad in OpenImageIO_v3_1_0::ImageCacheImpl::get_image_info(OpenImageIO_v3_1_0::ustring, int, int, OpenImageIO_v3_1_0::ustring, OpenImageIO_v3_1_0::TypeDesc, void*) /openimageio/src/libtexture/imagecache.cpp:2738
    #24 0x7fade2c0ecad in OpenImageIO_v3_1_0::ImageCache::get_image_info(OpenImageIO_v3_1_0::ustring, int, int, OpenImageIO_v3_1_0::ustring, OpenImageIO_v3_1_0::TypeDesc, void*) /openimageio/src/libtexture/imagecache.cpp:4261
    #25 0x563dbe959651 in input_file /openimageio/src/oiiotool/oiiotool.cpp:5113
    #26 0x563dbea0ff93 in std::function<void (OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>)>::operator()(OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>) const /usr/include/c++/11/bits/std_function.h:590
    #27 0x563dbea0ff93 in OpenImageIO_v3_1_0::ArgParse::Arg::action(std::function<void (OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>)>&&)::{lambda(OpenImageIO_v3_1_0::ArgParse::Arg&, OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>)#1}::operator()(OpenImageIO_v3_1_0::ArgParse::Arg&, OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>) const /openimageio/src/include/OpenImageIO/argparse.h:536
    #28 0x563dbea0ff93 in void std::__invoke_impl<void, OpenImageIO_v3_1_0::ArgParse::Arg::action(std::function<void (OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>)>&&)::{lambda(OpenImageIO_v3_1_0::ArgParse::Arg&, OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>)#1}&, OpenImageIO_v3_1_0::ArgParse::Arg&, OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul> >(std::__invoke_other, OpenImageIO_v3_1_0::ArgParse::Arg::action(std::function<void (OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>)>&&)::{lambda(OpenImageIO_v3_1_0::ArgParse::Arg&, OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>)#1}&, OpenImageIO_v3_1_0::ArgParse::Arg&, OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>&&) /usr/include/c++/11/bits/invoke.h:61
    #29 0x563dbea0ff93 in std::enable_if<is_invocable_r_v<void, OpenImageIO_v3_1_0::ArgParse::Arg::action(std::function<void (OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>)>&&)::{lambda(OpenImageIO_v3_1_0::ArgParse::Arg&, OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>)#1}&, OpenImageIO_v3_1_0::ArgParse::Arg&, OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul> >, void>::type std::__invoke_r<void, OpenImageIO_v3_1_0::ArgParse::Arg::action(std::function<void (OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>)>&&)::{lambda(OpenImageIO_v3_1_0::ArgParse::Arg&, OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>)#1}&, OpenImageIO_v3_1_0::ArgParse::Arg&, OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul> >(OpenImageIO_v3_1_0::ArgParse::Arg::action(std::function<void (OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>)>&&)::{lambda(OpenImageIO_v3_1_0::ArgParse::Arg&, OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>)#1}&, OpenImageIO_v3_1_0::ArgParse::Arg&, OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>&&) /usr/include/c++/11/bits/invoke.h:111
    #30 0x563dbea0ff93 in std::_Function_handler<void (OpenImageIO_v3_1_0::ArgParse::Arg&, OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>), OpenImageIO_v3_1_0::ArgParse::Arg::action(std::function<void (OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>)>&&)::{lambda(OpenImageIO_v3_1_0::ArgParse::Arg&, OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>)#1}>::_M_invoke(std::_Any_data const&, OpenImageIO_v3_1_0::ArgParse::Arg&, OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>&&) /usr/include/c++/11/bits/std_function.h:290
    #31 0x7fade141b84f in std::function<void (OpenImageIO_v3_1_0::ArgParse::Arg&, OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>)>::operator()(OpenImageIO_v3_1_0::ArgParse::Arg&, OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>) const /usr/include/c++/11/bits/std_function.h:590
    #32 0x7fade141b84f in OpenImageIO_v3_1_0::ArgParse::Impl::parse_args(int, char const**) /openimageio/src/libutil/argparse.cpp:535
    #33 0x7fade141e2db in OpenImageIO_v3_1_0::ArgParse::parse_args(int, char const**) /openimageio/src/libutil/argparse.cpp:429
    #34 0x563dbea0101b in OpenImageIO_v3_1_0::OiioTool::Oiiotool::getargs(int, char**) /openimageio/src/oiiotool/oiiotool.cpp:6979
    #35 0x563dbe7865a1 in main /openimageio/src/oiiotool/oiiotool.cpp:7338
    #36 0x7fade0e7dd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #37 0x7fade0e7de3f in __libc_start_main_impl ../csu/libc-start.c:392
    #38 0x563dbe78bb34 in _start (/openimageio/build1/bin/oiiotool+0x89b34)

0x61f000006ec8 is located 0 bytes to the right of 3144-byte region [0x61f000006280,0x61f000006ec8)
allocated by thread T0 here:
    #0 0x7fade54fe1e7 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:99
    #1 0x7fade29463f7 in __gnu_cxx::new_allocator<unsigned char>::allocate(unsigned long, void const*) /usr/include/c++/11/ext/new_allocator.h:127
    #2 0x7fade29463f7 in std::allocator_traits<std::allocator<unsigned char> >::allocate(std::allocator<unsigned char>&, unsigned long) /usr/include/c++/11/bits/alloc_traits.h:464
    #3 0x7fade29463f7 in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_allocate(unsigned long) /usr/include/c++/11/bits/stl_vector.h:346
    #4 0x7fade29463f7 in std::vector<unsigned char, std::allocator<unsigned char> >::_M_default_append(unsigned long) /usr/include/c++/11/bits/vector.tcc:635
    #5 0x7fade2e08878 in std::vector<unsigned char, std::allocator<unsigned char> >::resize(unsigned long) /usr/include/c++/11/bits/stl_vector.h:940
    #6 0x7fade2e08878 in OpenImageIO_v3_1_0::JpgInput::read_icc_profile(jpeg_decompress_struct*, OpenImageIO_v3_1_0::ImageSpec&) /openimageio/src/jpeg.imageio/jpeginput.cpp:423
    #7 0x7fade2e10fd3 in OpenImageIO_v3_1_0::JpgInput::open(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, OpenImageIO_v3_1_0::ImageSpec&) /openimageio/src/jpeg.imageio/jpeginput.cpp:363
    #8 0x7fade2e1544c in OpenImageIO_v3_1_0::JpgInput::open(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, OpenImageIO_v3_1_0::ImageSpec&, OpenImageIO_v3_1_0::ImageSpec const&) /openimageio/src/jpeg.imageio/jpeginput.cpp:162
    #9 0x7fade2911740 in OpenImageIO_v3_1_0::ImageInput::create(OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >, bool, OpenImageIO_v3_1_0::ImageSpec const*, OpenImageIO_v3_1_0::Filesystem::IOProxy*, OpenImageIO_v3_1_0::basic_string_view<char, std::char_traits<char> >) /openimageio/src/libOpenImageIO/imageioplugin.cpp:746
    #10 0x7fade2bd24bb in OpenImageIO_v3_1_0::ImageCacheFile::open(OpenImageIO_v3_1_0::ImageCachePerThreadInfo*) /openimageio/src/libtexture/imagecache.cpp:509
    #11 0x7fade2be5b5b in OpenImageIO_v3_1_0::ImageCacheImpl::verify_file(OpenImageIO_v3_1_0::ImageCacheFile*, OpenImageIO_v3_1_0::ImageCachePerThreadInfo*, bool) /openimageio/src/libtexture/imagecache.cpp:1341
    #12 0x7fade2c07770 in OpenImageIO_v3_1_0::ImageCacheImpl::get_image_info(OpenImageIO_v3_1_0::ImageCacheFile*, OpenImageIO_v3_1_0::ImageCachePerThreadInfo*, int, int, OpenImageIO_v3_1_0::ustring, OpenImageIO_v3_1_0::TypeDesc, void*) /openimageio/src/libtexture/imagecache.cpp:2760
    #13 0x7fade2c0ecad in OpenImageIO_v3_1_0::ImageCacheImpl::get_image_info(OpenImageIO_v3_1_0::ustring, int, int, OpenImageIO_v3_1_0::ustring, OpenImageIO_v3_1_0::TypeDesc, void*) /openimageio/src/libtexture/imagecache.cpp:2738
    #14 0x7fade2c0ecad in OpenImageIO_v3_1_0::ImageCache::get_image_info(OpenImageIO_v3_1_0::ustring, int, int, OpenImageIO_v3_1_0::ustring, OpenImageIO_v3_1_0::TypeDesc, void*) /openimageio/src/libtexture/imagecache.cpp:4261
    #15 0x563dbe959651 in input_file /openimageio/src/oiiotool/oiiotool.cpp:5113
    #16 0x563dbea0ff93 in std::function<void (OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>)>::operator()(OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>) const /usr/include/c++/11/bits/std_function.h:590
    #17 0x563dbea0ff93 in OpenImageIO_v3_1_0::ArgParse::Arg::action(std::function<void (OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>)>&&)::{lambda(OpenImageIO_v3_1_0::ArgParse::Arg&, OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>)#1}::operator()(OpenImageIO_v3_1_0::ArgParse::Arg&, OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>) const /openimageio/src/include/OpenImageIO/argparse.h:536
    #18 0x563dbea0ff93 in void std::__invoke_impl<void, OpenImageIO_v3_1_0::ArgParse::Arg::action(std::function<void (OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>)>&&)::{lambda(OpenImageIO_v3_1_0::ArgParse::Arg&, OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>)#1}&, OpenImageIO_v3_1_0::ArgParse::Arg&, OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul> >(std::__invoke_other, OpenImageIO_v3_1_0::ArgParse::Arg::action(std::function<void (OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>)>&&)::{lambda(OpenImageIO_v3_1_0::ArgParse::Arg&, OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>)#1}&, OpenImageIO_v3_1_0::ArgParse::Arg&, OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>&&) /usr/include/c++/11/bits/invoke.h:61
    #19 0x563dbea0ff93 in std::enable_if<is_invocable_r_v<void, OpenImageIO_v3_1_0::ArgParse::Arg::action(std::function<void (OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>)>&&)::{lambda(OpenImageIO_v3_1_0::ArgParse::Arg&, OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>)#1}&, OpenImageIO_v3_1_0::ArgParse::Arg&, OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul> >, void>::type std::__invoke_r<void, OpenImageIO_v3_1_0::ArgParse::Arg::action(std::function<void (OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>)>&&)::{lambda(OpenImageIO_v3_1_0::ArgParse::Arg&, OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>)#1}&, OpenImageIO_v3_1_0::ArgParse::Arg&, OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul> >(OpenImageIO_v3_1_0::ArgParse::Arg::action(std::function<void (OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>)>&&)::{lambda(OpenImageIO_v3_1_0::ArgParse::Arg&, OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>)#1}&, OpenImageIO_v3_1_0::ArgParse::Arg&, OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>&&) /usr/include/c++/11/bits/invoke.h:111
    #20 0x563dbea0ff93 in std::_Function_handler<void (OpenImageIO_v3_1_0::ArgParse::Arg&, OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>), OpenImageIO_v3_1_0::ArgParse::Arg::action(std::function<void (OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>)>&&)::{lambda(OpenImageIO_v3_1_0::ArgParse::Arg&, OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>)#1}>::_M_invoke(std::_Any_data const&, OpenImageIO_v3_1_0::ArgParse::Arg&, OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>&&) /usr/include/c++/11/bits/std_function.h:290
    #21 0x7fade141b84f in std::function<void (OpenImageIO_v3_1_0::ArgParse::Arg&, OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>)>::operator()(OpenImageIO_v3_1_0::ArgParse::Arg&, OpenImageIO_v3_1_0::span<char const* const, 18446744073709551615ul>) const /usr/include/c++/11/bits/std_function.h:590
    #22 0x7fade141b84f in OpenImageIO_v3_1_0::ArgParse::Impl::parse_args(int, char const**) /openimageio/src/libutil/argparse.cpp:535
    #23 0x7fade141e2db in OpenImageIO_v3_1_0::ArgParse::parse_args(int, char const**) /openimageio/src/libutil/argparse.cpp:429
    #24 0x563dbea0101b in OpenImageIO_v3_1_0::OiioTool::Oiiotool::getargs(int, char**) /openimageio/src/oiiotool/oiiotool.cpp:6979
    #25 0x563dbe7865a1 in main /openimageio/src/oiiotool/oiiotool.cpp:7338
    #26 0x7fade0e7dd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-buffer-overflow /openimageio/src/include/OpenImageIO/detail/farmhash.h:291 in OpenImageIO_v3_1_0::farmhash::inlined::Fetch64(char const*)
Shadow bytes around the buggy address:
  0x0c3e7fff8d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3e7fff8d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3e7fff8da0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3e7fff8db0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3e7fff8dc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3e7fff8dd0: 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa
  0x0c3e7fff8de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e7fff8df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e7fff8e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3e7fff8e10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3e7fff8e20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==656739==ABORTING

Environment

ubuntu:22.04
gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)
clang version 14.0.0-1ubuntu1.1
afl-fuzz++4.22a

Thanks for your time!
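The two traces above agree on the shape of the defect: `read_icc_profile` allocates a 3144-byte `std::vector<unsigned char>` for the embedded ICC profile, `decode_icc_profile` hands a `string_view` built from that buffer to `ImageSpec::attribute`, and the farmhash used by `ustring` reads the view eight bytes at a time (`Fetch64`), so a view that ends past the allocation trips ASan exactly at the region boundary. The example below is an added defensive sketch, not OpenImageIO code and not the project's fix; it assumes the over-long view comes from an ICC tag-table entry whose offset/size is not clamped to the profile buffer, and it uses a constructed sample profile (not a real ICC file) to show the check rejecting such an entry before any view is formed.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <string_view>
#include <vector>

namespace icc_check {

constexpr size_t kHeaderSize   = 128;  // ICC v2/v4 header length
constexpr size_t kTagEntrySize = 12;   // signature, offset, size: big-endian uint32 each

struct Tag { uint32_t sig; uint32_t offset; uint32_t size; };

static uint32_t be32(const unsigned char* p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16)
         | (uint32_t(p[2]) << 8)  |  uint32_t(p[3]);
}

static void put_be32(std::vector<unsigned char>& v, uint32_t x) {
    v.push_back(x >> 24); v.push_back(x >> 16); v.push_back(x >> 8); v.push_back(x);
}

// Return a view of [offset, offset+size) only when the whole range lies inside
// `profile`. Comparing against profile.size() - offset (after checking offset)
// avoids the wrap-around that a naive `offset + size <= size()` test allows.
std::optional<std::string_view>
checked_view(const std::vector<unsigned char>& profile, uint64_t offset, uint64_t size) {
    if (offset > profile.size() || size > profile.size() - offset)
        return std::nullopt;
    return std::string_view(reinterpret_cast<const char*>(profile.data()) + offset,
                            static_cast<size_t>(size));
}

// Walk the tag table and keep only entries whose payload is inside the buffer.
// `rejected` counts entries dropped for an out-of-range offset/size; those are
// the entries that would otherwise become a string_view reaching past the heap
// allocation and be hashed word-by-word.
std::vector<Tag> parse_tag_table(const std::vector<unsigned char>& profile, size_t& rejected) {
    std::vector<Tag> ok;
    rejected = 0;
    if (profile.size() < kHeaderSize + 4)              // no room for a tag count
        return ok;
    uint64_t count     = be32(profile.data() + kHeaderSize);
    uint64_t table_end = kHeaderSize + 4 + count * kTagEntrySize;  // count < 2^32: no wrap
    if (table_end > profile.size())                    // the table itself would overrun
        return ok;
    for (uint64_t i = 0; i < count; ++i) {
        const unsigned char* e = profile.data() + kHeaderSize + 4 + i * kTagEntrySize;
        Tag t{be32(e), be32(e + 4), be32(e + 8)};
        if (checked_view(profile, t.offset, t.size))
            ok.push_back(t);
        else
            ++rejected;
    }
    return ok;
}

// Constructed sample profile (not a real ICC file): zeroed header, a two-entry
// tag table, then two 9-byte payloads. With `overrun_second_tag` the second
// entry declares 64 bytes where only 9 remain, so its range leaves the buffer.
std::vector<unsigned char> make_sample_profile(bool overrun_second_tag) {
    std::vector<unsigned char> p(kHeaderSize, 0);
    const uint32_t payload_off = kHeaderSize + 4 + 2 * kTagEntrySize;  // 156
    const char* text1 = "desc-text";  // 9 bytes
    const char* text2 = "cprt-text";  // 9 bytes
    put_be32(p, 2);                                                     // tag count
    put_be32(p, 0x64657363); put_be32(p, payload_off);     put_be32(p, 9);
    put_be32(p, 0x63707274); put_be32(p, payload_off + 9); put_be32(p, overrun_second_tag ? 64 : 9);
    p.insert(p.end(), text1, text1 + 9);
    p.insert(p.end(), text2, text2 + 9);
    return p;  // 174 bytes in total
}

}  // namespace icc_check
```

In a fuzzing harness the same `checked_view` guard, placed wherever a length or offset is taken from the profile bytes, turns the ASan read into a rejected tag.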
