Bug #10961

automatic CA correction crashing

Added by Carlo Vaccari about 4 years ago. Updated over 3 years ago.

Status: Fixed
Priority: Low
Assignee: -
Category: Darkroom
Target version:
Start date: 03/22/2016
Due date:
% Done: 100%
Estimated time:
Affected Version: git development version
System: Ubuntu
bitness: 64-bit
hardware architecture: amd64/x86

Description

On any raw file I've tried (Canon 5D Classic, Ricoh GR, Canon 70D, Sony a7R II), if I enable automatic CA correction, and zoom into the image one click at a time, at some zoom level (repeatable, depending on the photo size) the program crashes. Address sanitizer reports the following on line 1413 of cacorrect.c:

For example:

==21123==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fe79cad0340 at pc 0x7fe7c5a6f311 bp 0x7fe7c2c50220 sp 0x7fe7c2c50210
WRITE of size 4 at 0x7fe79cad0340 thread T33
#0 0x7fe7c5a6f310 in CA_correct._omp_fn.0 /home/carvac/dev/darktable/src/iop/cacorrect.c:1413
#1 0x7fe7ea23649d (/usr/lib/x86_64-linux-gnu/libgomp.so.1+0xf49d)
#2 0x7fe7f0a696a9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76a9)
#3 0x7fe7f079ee9c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x106e9c)

0x7fe79cad0342 is located 0 bytes to the right of 51112770-byte region [0x7fe799a11800,0x7fe79cad0342)
allocated by thread T4 here:
#0 0x7fe7f14459aa in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x989aa)
#1 0x7fe7c5a7105c in CA_correct /home/carvac/dev/darktable/src/iop/cacorrect.c:349
#2 0x7fe7f0e89387 in dt_dev_pixelpipe_process_rec /home/carvac/dev/darktable/src/develop/pixelpipe_hb.c:1681
#3 0x7fe7f0e84781 in dt_dev_pixelpipe_process_rec /home/carvac/dev/darktable/src/develop/pixelpipe_hb.c:737
#4 0x7fe7f0e84781 in dt_dev_pixelpipe_process_rec /home/carvac/dev/darktable/src/develop/pixelpipe_hb.c:737
#5 0x7fe7f0e84fa5 in dt_dev_pixelpipe_process_rec /home/carvac/dev/darktable/src/develop/pixelpipe_hb.c:869
#6 0x7fe7f0e84781 in dt_dev_pixelpipe_process_rec /home/carvac/dev/darktable/src/develop/pixelpipe_hb.c:737
#7 0x7fe7f0e84781 in dt_dev_pixelpipe_process_rec /home/carvac/dev/darktable/src/develop/pixelpipe_hb.c:737
#8 0x7fe7f0e84781 in dt_dev_pixelpipe_process_rec /home/carvac/dev/darktable/src/develop/pixelpipe_hb.c:737
#9 0x7fe7f0e84781 in dt_dev_pixelpipe_process_rec /home/carvac/dev/darktable/src/develop/pixelpipe_hb.c:737
#10 0x7fe7f0e84781 in dt_dev_pixelpipe_process_rec /home/carvac/dev/darktable/src/develop/pixelpipe_hb.c:737
#11 0x7fe7f0e84781 in dt_dev_pixelpipe_process_rec /home/carvac/dev/darktable/src/develop/pixelpipe_hb.c:737
#12 0x7fe7f0e84781 in dt_dev_pixelpipe_process_rec /home/carvac/dev/darktable/src/develop/pixelpipe_hb.c:737
#13 0x7fe7f0e84781 in dt_dev_pixelpipe_process_rec /home/carvac/dev/darktable/src/develop/pixelpipe_hb.c:737
#14 0x7fe7f0e84781 in dt_dev_pixelpipe_process_rec /home/carvac/dev/darktable/src/develop/pixelpipe_hb.c:737
#15 0x7fe7f0e84781 in dt_dev_pixelpipe_process_rec /home/carvac/dev/darktable/src/develop/pixelpipe_hb.c:737
#16 0x7fe7f0e84781 in dt_dev_pixelpipe_process_rec /home/carvac/dev/darktable/src/develop/pixelpipe_hb.c:737
#17 0x7fe7f0e84fa5 in dt_dev_pixelpipe_process_rec /home/carvac/dev/darktable/src/develop/pixelpipe_hb.c:869
#18 0x7fe7f0e84781 in dt_dev_pixelpipe_process_rec /home/carvac/dev/darktable/src/develop/pixelpipe_hb.c:737
#19 0x7fe7f0e84781 in dt_dev_pixelpipe_process_rec /home/carvac/dev/darktable/src/develop/pixelpipe_hb.c:737
#20 0x7fe7f0e84fa5 in dt_dev_pixelpipe_process_rec /home/carvac/dev/darktable/src/develop/pixelpipe_hb.c:869
#21 0x7fe7f0e84781 in dt_dev_pixelpipe_process_rec /home/carvac/dev/darktable/src/develop/pixelpipe_hb.c:737
#22 0x7fe7f0e84781 in dt_dev_pixelpipe_process_rec /home/carvac/dev/darktable/src/develop/pixelpipe_hb.c:737
#23 0x7fe7f0e84781 in dt_dev_pixelpipe_process_rec /home/carvac/dev/darktable/src/develop/pixelpipe_hb.c:737
#24 0x7fe7f0e84781 in dt_dev_pixelpipe_process_rec /home/carvac/dev/darktable/src/develop/pixelpipe_hb.c:737
#25 0x7fe7f0e84781 in dt_dev_pixelpipe_process_rec /home/carvac/dev/darktable/src/develop/pixelpipe_hb.c:737
#26 0x7fe7f0e84781 in dt_dev_pixelpipe_process_rec /home/carvac/dev/darktable/src/develop/pixelpipe_hb.c:737
#27 0x7fe7f0e84781 in dt_dev_pixelpipe_process_rec /home/carvac/dev/darktable/src/develop/pixelpipe_hb.c:737
#28 0x7fe7f0e84781 in dt_dev_pixelpipe_process_rec /home/carvac/dev/darktable/src/develop/pixelpipe_hb.c:737
#29 0x7fe7f0e84781 in dt_dev_pixelpipe_process_rec /home/carvac/dev/darktable/src/develop/pixelpipe_hb.c:737

Thread T33 created by T4 here:
#0 0x7fe7f13e36a3 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x366a3)
#1 0x7fe7ea2369ff (/usr/lib/x86_64-linux-gnu/libgomp.so.1+0xf9ff)
#2 0x7fe7ea232ce9 in GOMP_parallel (/usr/lib/x86_64-linux-gnu/libgomp.so.1+0xbce9)
#3 0x3ed921823dcccccc (<unknown module>)

Thread T4 created by T0 here:
#0 0x7fe7f13e36a3 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x366a3)
#1 0x7fe7f0e47794 in dt_control_jobs_init /home/carvac/dev/darktable/src/control/jobs.c:567
#2 0x7fe7f0e3d76d in dt_control_init /home/carvac/dev/darktable/src/control/control.c:119
#3 0x7fe7f0d922f2 in dt_init /home/carvac/dev/darktable/src/common/darktable.c:930
#4 0x4008ef in main /home/carvac/dev/darktable/src/main.c:24
#5 0x7fe7f06b8a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/carvac/dev/darktable/src/iop/cacorrect.c:1413 CA_correct._omp_fn.0
Shadow bytes around the buggy address:
0x0ffd73952010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffd73952020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffd73952030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffd73952040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffd73952050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ffd73952060: 00 00 00 00 00 00 00 00[02]fa fa fa fa fa fa fa
0x0ffd73952070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ffd73952080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ffd73952090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ffd739520a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ffd739520b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==21123==ABORTING

Associated revisions

Revision 1a25877a
Added by Carlo Vaccari about 4 years ago

Fix heap buffer overflow

Code thanks to qogniw on the irc.
Resolves bug #10961:

http://redmine.darktable.org/issues/10961

Revision 19576fb1
Added by Roman Lebedev about 4 years ago

Merge pull request #1179 from CarVac/cacorrect_fix

Cacorrect: fix heap buffer overflow. Fixes #10961.

History

#1 Updated by Carlo Vaccari about 4 years ago

If line 349 of cacorrect.c is changed to

float *RawDataTmp = (float *)malloc(height * width * sizeof(float) / 2 + 4);

then it stops crashing.
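
The arithmetic behind the report, as an added example (not code from darktable or from the reporter). It assumes that line 349 originally read as above without the `+ 4`, and that the buffer stores one float per two pixels, so pixel i is written to slot i / 2; the function names are hypothetical. The pixel count is derived from the 51112770-byte region in the ASan output.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumption: RawDataTmp holds one float per two pixels, so pixel i is
 * written to slot i / 2. All function names here are hypothetical. */

/* Allocation implied by the report: line 349 without the "+ 4". */
static size_t size_reported(size_t npix) { return npix * sizeof(float) / 2; }

/* Allocation from comment #1. */
static size_t size_padded(size_t npix) { return npix * sizeof(float) / 2 + 4; }

/* Alternative: round the slot count up instead of padding the byte count. */
static size_t size_rounded(size_t npix) { return (npix + 1) / 2 * sizeof(float); }

/* Byte offset of the write for the last pixel (npix must be >= 1). */
static size_t last_write_offset(size_t npix) { return (npix - 1) / 2 * sizeof(float); }

/* Bytes by which that float-sized write runs past the allocation, 0 if it fits. */
static size_t overrun(size_t npix, size_t alloc_bytes)
{
  size_t end = last_write_offset(npix) + sizeof(float);
  return end > alloc_bytes ? end - alloc_bytes : 0;
}

int main(void)
{
  /* From the ASan report: a 51112770-byte region means 25556385 pixels (odd). */
  const size_t npix = 51112770u / 2;
  const unsigned long long base = 0x7fe799a11800ULL; /* region start in the report */

  printf("pixels            : %zu\n", npix);
  printf("reported alloc    : %zu bytes\n", size_reported(npix));
  printf("last write address: 0x%llx\n", base + last_write_offset(npix));
  printf("overrun, reported : %zu bytes\n", overrun(npix, size_reported(npix)));
  printf("overrun, padded   : %zu bytes\n", overrun(npix, size_padded(npix)));
  printf("overrun, rounded  : %zu bytes\n", overrun(npix, size_rounded(npix)));
  printf("overrun, even npix: %zu bytes\n", overrun(npix - 1, size_reported(npix - 1)));
  return 0;
}
```

Under these assumptions the overflow only occurs when the pixel count is odd, which is consistent with the crash appearing at some zoom levels and not others.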

#2 Updated by Roman Lebedev about 4 years ago

  • % Done changed from 0 to 100
  • Status changed from New to Fixed

#3 Updated by Roman Lebedev over 3 years ago

  • Target version set to 2.2.0
