*** This bug is a security vulnerability ***

Private security bug reported:

Hello,

Using hugin (2020.0.0) software verdandi adopting vigra, I encountered a segmentation fault error.

The root cause is assumed to be from an illegal reference by
void vigra::StandardValueAccessor<unsigned short>::set<unsigned short, unsigned short*>(unsigned short, unsigned short*&)
of Debian package libvigraimpex-dev/focal,now 1.11.1+dfsg-7ubuntu1

The set() is assumed to be out-of-bound without any appropriate check of the valid address dereferenced by scanline. (src: /include/vigra/impex.hxx:82-89)
Vigra functions to the root cause are called starting from ResaveImage() in verdandi.cpp:213.

I attach a proof-of-concept file for the sake of developers' testing.

Below is the running command and backtrace:

oren@ubuntu:~$ sudo ./hugin-2020.0.0/build/src/tools/verdandi --output=1.tif ./poc
Warning: no TIFFTAG_SAMPLEFORMAT or TIFFTAG_DATATYPE, guessing pixeltype 'UINT16'.
Warning: no TIFFTAG_SAMPLEFORMAT or TIFFTAG_DATATYPE, guessing pixeltype 'UINT16'.
LogLuvSetupDecode: Inappropriate photometric interpretation 32985 for SGILog compression; must be either LogLUV or LogL.
ASAN:SIGSEGV
=================================================================
==100013==ERROR: AddressSanitizer: SEGV on unknown address 0x7fba4f4096f6 (pc 0x000000463ce6 bp 0x7fff40bb34e0 sp 0x7fff40bb33b0 T0)
    #0 0x463ce5 in void vigra::StandardValueAccessor<unsigned short>::set<unsigned short, unsigned short*>(unsigned short, unsigned short*&) const /usr/include/vigra/accessor.hxx:234
    #1 0x463ce5 in void vigra::detail::read_image_band<unsigned short, vigra::BasicImageIterator<unsigned short, unsigned short**>, vigra::StandardValueAccessor<unsigned short> >(vigra::Decoder*, vigra::BasicImageIterator<unsigned short, unsigned short**>, vigra::StandardValueAccessor<unsigned short>) /usr/include/vigra/impex.hxx:86
    #2 0x463ce5 in void vigra::detail::importImage<vigra::BasicImageIterator<unsigned short, unsigned short**>, vigra::StandardValueAccessor<unsigned short> >(vigra::ImageImportInfo const&, vigra::BasicImageIterator<unsigned short, unsigned short**>, vigra::StandardValueAccessor<unsigned short>, vigra::VigraTrueType) /usr/include/vigra/impex.hxx:212
    #3 0x60ef6c in void vigra::importImage<vigra::BasicImageIterator<unsigned short, unsigned short**>, vigra::StandardValueAccessor<unsigned short> >(vigra::ImageImportInfo const&, vigra::BasicImageIterator<unsigned short, unsigned short**>, vigra::StandardValueAccessor<unsigned short>) /usr/include/vigra/impex.hxx:796
    #4 0x60ef6c in void vigra::importImage<vigra::BasicImageIterator<unsigned short, unsigned short**>, vigra::StandardValueAccessor<unsigned short> >(vigra::ImageImportInfo const&, std::pair<vigra::BasicImageIterator<unsigned short, unsigned short**>, vigra::StandardValueAccessor<unsigned short> >) /usr/include/vigra/impex.hxx:807
    #5 0x60ef6c in bool ResaveImage<vigra::BasicImage<unsigned short, std::allocator<unsigned short> >, vigra::BasicImage<unsigned short, std::allocator<unsigned short> > >(vigra::ImageImportInfo const&, vigra::ImageExportInfo&) /home/oren/hugin-2020.0.0/src/tools/verdandi.cpp:213
    #6 0x42154f in main /home/oren/hugin-2020.0.0/src/tools/verdandi.cpp:410
    #7 0x7fba574c682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x424878 in _start (/home/oren/hugin-2020.0.0/build/src/tools/verdandi+0x424878)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/include/vigra/accessor.hxx:234 void vigra::StandardValueAccessor<unsigned short>::set<unsigned short, unsigned short*>(unsigned short, unsigned short*&) const
==100013==ABORTING

Version : hugin (2020.0.0)
OS : Ubuntu 20.04.1
library :
- libvigraimpex-dev/focal,now 1.11.1+dfsg-7ubuntu1 amd64
- libvigraimpex11/focal,now 1.11.1+dfsg-7ubuntu1 amd64

** Affects: hugin
     Importance: Undecided
         Status: New

** Attachment added: "poc.txt"
   https://bugs.launchpad.net/bugs/1922039/+attachment/5482688/+files/poc.txt

--
https://bugs.launchpad.net/bugs/1922039

Title:
  Segmentation fault from Resaveimage() in verdandi

Status in Hugin:
  New

Mailing list: https://launchpad.net/~hugin-devs
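
The report attributes the crash to a scanline copy loop that performs no check on the addresses it touches. As an added illustration (not vigra or hugin code; ToyDecoder, checkedReadBand, demo, demoPixels and the sample values are hypothetical and constructed), this shows the checks such a loop needs when the decoder's geometry comes from an untrusted file:

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

using u16 = std::uint16_t;

// Hypothetical stand-in for an image decoder; every field comes from the file.
struct ToyDecoder {
    unsigned width, height, offset;   // offset = samples between adjacent pixels
    std::vector<u16> line;            // decoded samples of the current scanline
    const u16* currentScanline() const {
        return line.empty() ? nullptr : line.data();
    }
};

enum class CopyResult { Ok, DimensionMismatch, NullScanline, ShortScanline };

// Copy one band into dst (dstW x dstH) and refuse any access outside a buffer.
CopyResult checkedReadBand(const ToyDecoder& dec, std::vector<u16>& dst,
                           unsigned dstW, unsigned dstH) {
    // dst was sized from header metadata; the decoder has to agree with it.
    if (dec.width != dstW || dec.height != dstH ||
        dst.size() != static_cast<std::size_t>(dstW) * dstH)
        return CopyResult::DimensionMismatch;
    if (dstW == 0 || dstH == 0) return CopyResult::Ok;   // nothing to copy
    // The last sample read per row sits at index (width - 1) * offset.
    const std::size_t needed =
        static_cast<std::size_t>(dec.width - 1) * dec.offset + 1;
    for (unsigned y = 0; y < dec.height; ++y) {
        const u16* scanline = dec.currentScanline();
        if (scanline == nullptr) return CopyResult::NullScanline;
        if (dec.line.size() < needed) return CopyResult::ShortScanline;
        for (unsigned x = 0; x < dec.width; ++x)
            dst[static_cast<std::size_t>(y) * dstW + x] =
                scanline[static_cast<std::size_t>(x) * dec.offset];
    }
    return CopyResult::Ok;
}

// Constructed cases: a 2x2 destination fed by a decoder with the given geometry.
CopyResult demo(unsigned decW, unsigned offset, std::vector<u16> line) {
    std::vector<u16> dst(4, 0);
    return checkedReadBand(ToyDecoder{decW, 2, offset, line}, dst, 2, 2);
}

// Constructed good case with a sample stride of 2: rows become {7, 9}.
std::vector<u16> demoPixels() {
    std::vector<u16> dst(4, 0);
    checkedReadBand(ToyDecoder{2, 2, 2, {7, 0, 9}}, dst, 2, 2);
    return dst;
}
```

Each rejected case corresponds to a condition that would otherwise end in an out-of-range read or write inside the inner loop.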