Buffer overflow in cv::HdrDecoder::checkSignature

## System information (version)

OpenCV => 3.3.1
Operating System / Platform => Ubuntu 16.04
Compiler => clang++
Detailed description

## Detailed description

A buffer overflow occurs in function cv::HdrDecoder::checkSignature in file modules/imgcodecs/src/grfmt_hdr.cpp:106:.
The crash details as follows:
```
=================================================================
==12333==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x609000000ecc at pc 0x000001a5ef1f bp 0x7fff12ca2300 sp 0x7fff12ca1ab0
READ of size 10 at 0x609000000ecc thread T0
    #0 0x1a5ef1e in memcmp /home/opencv/fuzz/libfuzzer-workshop/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:774
    #1 0x45a8e6 in cv::HdrDecoder::checkSignature(cv::String const&) const /home/opencv/fuzz/target/opencv-3.3.1-test-crash/modules/imgcodecs/src/grfmt_hdr.cpp:106:9
    #2 0x423bce in cv::findDecoder(cv::String const&) /home/opencv/fuzz/target/opencv-3.3.1-test-crash/modules/imgcodecs/src/loadsave.cpp:216:33
    #3 0x419023 in cv::imread_(cv::String const&, int, int, cv::Mat*) /home/opencv/fuzz/target/opencv-3.3.1-test-crash/modules/imgcodecs/src/loadsave.cpp:402:19
    #4 0x418a80 in cv::imread(cv::String const&, int) /home/opencv/fuzz/target/opencv-3.3.1-test-crash/modules/imgcodecs/src/loadsave.cpp:638:5
    #5 0x413f25 in main /home/opencv/fuzz/target/opencv-3.3.1-test-crash/samples/cpp/example_cmake/example.cpp:54:11
    #6 0x7f8794948f44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287
    #7 0x4130c5 in _start (/home/opencv/verify+0x4130c5)

0x609000000ecc is located 0 bytes to the right of 12-byte region [0x609000000ec0,0x609000000ecc)
allocated by thread T0 here:
    #0 0x1a92c35 in __interceptor_posix_memalign /home/opencv/fuzz/libfuzzer-workshop/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:157
    #1 0x6bb169 in cv::fastMalloc(unsigned long) /home/opencv/fuzz/target/opencv-3.3.1-test-crash/modules/core/src/alloc.cpp:64:8
    #2 0xb31682 in cv::String::allocate(unsigned long) /home/opencv/fuzz/target/opencv-3.3.1-test-crash/modules/core/src/stl.cpp:50:23
    #3 0x43ba2e in cv::String::substr(unsigned long, unsigned long) const /home/opencv/fuzz/target/opencv-3.3.1-test-crash/modules/core/include/opencv2/core/cvstd.hpp:780:12
    #4 0x419023 in cv::imread_(cv::String const&, int, int, cv::Mat*) /home/opencv/fuzz/target/opencv-3.3.1-test-crash/modules/imgcodecs/src/loadsave.cpp:402:19
    #5 0x418a80 in cv::imread(cv::String const&, int) /home/opencv/fuzz/target/opencv-3.3.1-test-crash/modules/imgcodecs/src/loadsave.cpp:638:5
    #6 0x413f25 in main /home/opencv/fuzz/target/opencv-3.3.1-test-crash/samples/cpp/example_cmake/example.cpp:54:11
    #7 0x7f8794948f44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/opencv/fuzz/libfuzzer-workshop/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:774 in memcmp
Shadow bytes around the buggy address:
  0x0c127fff8180: 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fff8190: 00 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fff81a0: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fff81b0: fa fa fa fa fa fa fa fa 00 fa fa fa fa fa fa fa
  0x0c127fff81c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fa fa fa
=>0x0c127fff81d0: fa fa fa fa fa fa fa fa 00[04]fa fa fa fa fa fa
  0x0c127fff81e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fff81f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fff8200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fff8210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c127fff8220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12333==ABORTING
```

## Steps to reproduce

Please refer to the following url for the testcases:
https://github.com/Epeius/NBPOC/blob/master/poc_out_of_bound_read_01


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Buffer overflow in cv::HdrDecoder::checkSignature #10479

System information (version)

Detailed description

Steps to reproduce

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

Buffer overflow in cv::HdrDecoder::checkSignature #10479

Description

System information (version)

Detailed description

Steps to reproduce

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions