Bug #11429

Mask overflow in _path_find_self_intersection()

Added by Roman Lebedev over 2 years ago. Updated over 2 years ago.

Status:
Fixed
Priority:
Low
Category:
Masks
Target version:
Start date:
01/04/2017
Due date:
% Done:

100%

Affected Version:
git master branch
System:
all
bitness:
64-bit
hardware architecture:
amd64/x86

Description

Try loading that sidecar with dt compiled with -fsanitize=address. (I used a Canon EOS 7D Mark II raw.)

I get:

=================================================================
==8387==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x616000161d00 at pc 0x7ff5aa540fcc bp 0x7ff590efdb20 sp 0x7ff590efdb18
WRITE of size 4 at 0x616000161d00 thread T3
    #0 0x7ff5aa540fcb in _path_find_self_intersection /home/lebedevri/darktable/src/develop/masks/path.c:465
    #1 0x7ff5aa540fcb in _path_get_points_border /home/lebedevri/darktable/src/develop/masks/path.c:671
    #2 0x7ff5aa55cce7 in dt_path_get_mask_roi /home/lebedevri/darktable/src/develop/masks/path.c:2499
    #3 0x7ff5aa55cce7 in dt_masks_get_mask_roi /home/lebedevri/darktable/src/develop/masks/masks.c:505
    #4 0x7ff5aa55ca2e in dt_group_get_mask_roi /home/lebedevri/darktable/src/develop/masks/group.c:540
    #5 0x7ff5aa55ca2e in dt_masks_get_mask_roi /home/lebedevri/darktable/src/develop/masks/masks.c:509
    #6 0x7ff5aa56126e in dt_masks_group_render_roi /home/lebedevri/darktable/src/develop/masks/group.c:679
    #7 0x7ff5aa4fa832 in dt_develop_blend_process /home/lebedevri/darktable/src/develop/blend.c:2607
    #8 0x7ff5aa4db670 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:1563
    #9 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #10 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #11 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #12 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #13 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #14 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #15 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #16 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #17 0x7ff5aa4d7087 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:701
    #18 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #19 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #20 0x7ff5aa4d7087 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:701
    #21 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #22 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #23 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #24 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #25 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #26 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #27 0x7ff5aa4d7087 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:701
    #28 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #29 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #30 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #31 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #32 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #33 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #34 0x7ff5aa4d7087 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:701
    #35 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #36 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #37 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #38 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #39 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #40 0x7ff5aa4d7087 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:701
    #41 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #42 0x7ff5aa4d7087 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:701
    #43 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #44 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #45 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #46 0x7ff5aa4d7087 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:701
    #47 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #48 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #49 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #50 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #51 0x7ff5aa4d7087 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:701
    #52 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #53 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #54 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #55 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #56 0x7ff5aa4d7087 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:701
    #57 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #58 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #59 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #60 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #61 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #62 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #63 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #64 0x7ff5aa4d7087 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:701
    #65 0x7ff5aa4e30d2 in dt_dev_pixelpipe_process_rec_and_backcopy /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:2187
    #66 0x7ff5aa4e30d2 in dt_dev_pixelpipe_process /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:2273
    #67 0x7ff5aa417ef3 in dt_imageio_export_with_flags /home/lebedevri/darktable/src/common/imageio.c:770
    #68 0x7ff5aa44b1d7 in _init_8 /home/lebedevri/darktable/src/common/mipmap_cache.c:1214
    #69 0x7ff5aa44b1d7 in dt_mipmap_cache_get_with_caller /home/lebedevri/darktable/src/common/mipmap_cache.c:795
    #70 0x7ff5aa49d145 in dt_image_load_job_run /home/lebedevri/darktable/src/control/jobs/image_jobs.c:35
    #71 0x7ff5aa48e563 in dt_control_job_execute /home/lebedevri/darktable/src/control/jobs.c:298
    #72 0x7ff5aa48f8d7 in dt_control_run_job /home/lebedevri/darktable/src/control/jobs.c:317
    #73 0x7ff5aa48f8d7 in dt_control_work /home/lebedevri/darktable/src/control/jobs.c:555
    #74 0x7ff5a2672463 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7463)
    #75 0x7ff5a23b39de in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe89de)

0x616000161d00 is located 0 bytes to the right of 640-byte region [0x616000161a80,0x616000161d00)
allocated by thread T3 here:
    #0 0x7ff5aa93cd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x7ff5aa53a940 in _path_get_points_border /home/lebedevri/darktable/src/develop/masks/path.c:667
    #2 0x7ff5aa55cce7 in dt_path_get_mask_roi /home/lebedevri/darktable/src/develop/masks/path.c:2499
    #3 0x7ff5aa55cce7 in dt_masks_get_mask_roi /home/lebedevri/darktable/src/develop/masks/masks.c:505
    #4 0x7ff5aa55ca2e in dt_group_get_mask_roi /home/lebedevri/darktable/src/develop/masks/group.c:540
    #5 0x7ff5aa55ca2e in dt_masks_get_mask_roi /home/lebedevri/darktable/src/develop/masks/masks.c:509
    #6 0x7ff5aa56126e in dt_masks_group_render_roi /home/lebedevri/darktable/src/develop/masks/group.c:679
    #7 0x7ff5aa4fa832 in dt_develop_blend_process /home/lebedevri/darktable/src/develop/blend.c:2607
    #8 0x7ff5aa4db670 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:1563
    #9 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #10 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #11 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #12 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #13 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #14 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #15 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #16 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #17 0x7ff5aa4d7087 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:701
    #18 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #19 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #20 0x7ff5aa4d7087 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:701
    #21 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #22 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #23 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #24 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #25 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #26 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #27 0x7ff5aa4d7087 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:701
    #28 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #29 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #30 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582
    #31 0x7ff5aa4d60e7 in dt_dev_pixelpipe_process_rec /home/lebedevri/darktable/src/develop/pixelpipe_hb.c:582

Thread T3 created by T0 here:
    #0 0x7ff5aa8abf59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
    #1 0x7ff5aa3ccffd in dt_pthread_create /home/lebedevri/darktable/src/common/dtpthread.c:63
    #2 0x7ff5aa48fe1a in dt_control_jobs_init /home/lebedevri/darktable/src/control/jobs.c:611
    #3 0x7ff5aa484fcd in dt_control_init /home/lebedevri/darktable/src/control/control.c:119
    #4 0x7ff5aa3bf494 in dt_init /home/lebedevri/darktable/src/common/darktable.c:827
    #5 0x5594e8c86d55 in main /home/lebedevri/darktable/src/main.c:24
    #6 0x7ff5a22eb2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/lebedevri/darktable/src/develop/masks/path.c:465 in _path_find_self_intersection
Shadow bytes around the buggy address:
  0x0c2c80024350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c80024360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c80024370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c80024380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c80024390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2c800243a0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c800243b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c800243c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c800243d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c800243e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c800243f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==8387==ABORTING

The following patch fixes the issue, but I have zero clues about the code, so I'll just leave it here:

diff --git a/src/develop/masks/path.c b/src/develop/masks/path.c                                                                                                                                                       
index 42354f65b..6e036cb58 100644
--- a/src/develop/masks/path.c
+++ b/src/develop/masks/path.c
@@ -659,17 +659,17 @@ static int _path_get_points_border(dt_develop_t *dev, dt_masks_form_t *form, int
   }

   if(darktable.unmuted & DT_DEBUG_PERF)
     dt_print(DT_DEBUG_MASKS, "[masks %s] path_points point recurs %0.04f sec\n", form->name,
              dt_get_wtime() - start2);
   start2 = dt_get_wtime();

   // we don't want the border to self-intersect
-  int *intersections = malloc((size_t)8 * nb * sizeof(int));
+  int *intersections = malloc((size_t)10 * nb * sizeof(int));
   int inter_count = 0;
   if(border)
   {
     inter_count = _path_find_self_intersection(intersections, nb, *border, *border_count);

     if(darktable.unmuted & DT_DEBUG_PERF)
       dt_print(DT_DEBUG_MASKS, "[masks %s] path_points self-intersect took %0.04f sec\n", form->name,
                dt_get_wtime() - start2);

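Review bot: the new multiplier in `int *intersections = malloc((size_t)10 * nb * sizeof(int));` is as unexplained as the 8 it replaces, and the description says it was arrived at without insight into the code, so a mask with more self-intersections than this guess allows would overflow the same way. `_path_find_self_intersection(intersections, nb, *border, *border_count)` receives `nb` but not the number of ints actually allocated; consider passing the capacity explicitly and having the callee stop (or grow the buffer) before writing past it, with a comment deriving the bound from how many ints one recorded intersection consumes. The `malloc` result is also passed on without a NULL check.
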
216E401.CR2.xmp (8.14 KB) Roman Lebedev, 01/04/2017 04:01 PM
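The sanitizer report above shows the shape of the bug: an output buffer sized by a constant factor (`8 * nb` ints, 640 bytes here), and a callee that is handed `nb` but not the buffer's capacity, so any mask with more self-intersections than the guess allows writes past the end of the allocation. The program below is an added example, not darktable code, showing the defensive form of such a recorder: it receives the capacity of its output buffer, fails closed instead of overflowing, and is exercised on a constructed polygon. All names (`pt`, `find_self_intersections_checked`, `kZigzag`, `demo_with_capacity`) are hypothetical; the real `_path_find_self_intersection()` is not reproduced here.

```c
/* Added example (not darktable code): a self-intersection recorder that is
 * told the capacity of its output buffer and refuses to write past it.
 * All names are hypothetical. */
#include <stddef.h>
#include <stdio.h>

typedef struct { float x, y; } pt;

/* Twice the signed area of triangle (a, b, c): > 0 when c lies left of a->b. */
static float orient(pt a, pt b, pt c)
{
  return (b.x - a.x) * (c.y - a.y) - (b.y - a.y) * (c.x - a.x);
}

/* Proper (interior-to-interior) crossing of segments p1p2 and q1q2.
 * Touching endpoints or collinear overlap count as no crossing. */
static int segs_cross(pt p1, pt p2, pt q1, pt q2)
{
  float d1 = orient(q1, q2, p1), d2 = orient(q1, q2, p2);
  float d3 = orient(p1, p2, q1), d4 = orient(p1, p2, q2);
  if(d1 == 0 || d2 == 0 || d3 == 0 || d4 == 0) return 0;
  return ((d1 > 0) != (d2 > 0)) && ((d3 > 0) != (d4 > 0));
}

/* Each recorded intersection consumes this many ints of the output buffer. */
#define INTS_PER_HIT 2

/* Record every pair (i, j) of non-adjacent edges of the closed polygon
 * pts[0..n-1] that properly cross. cap is the capacity of out in ints.
 * Returns the number of intersections recorded, or -1 if recording the next
 * one would exceed cap; nothing is ever written at or beyond out[cap]. */
int find_self_intersections_checked(const pt *pts, int n, int *out, size_t cap)
{
  int count = 0;
  for(int i = 0; i < n; i++)
    for(int j = i + 2; j < n; j++)
    {
      if(i == 0 && j == n - 1) continue; /* closing edge shares a vertex with edge 0 */
      if(!segs_cross(pts[i], pts[(i + 1) % n], pts[j], pts[(j + 1) % n])) continue;
      /* Fail closed: the caller decides whether to grow the buffer or reject the mask. */
      if((size_t)(count + 1) * INTS_PER_HIT > cap) return -1;
      out[INTS_PER_HIT * count] = i;
      out[INTS_PER_HIT * count + 1] = j;
      count++;
    }
  return count;
}

/* Constructed input: a zigzag closed by one long edge that crosses five of
 * its teeth. Eight vertices, five proper self-intersections (edge 7 against
 * edges 1..5). */
static const pt kZigzag[8] = { {0, 0}, {1, 3}, {2, 0}, {3, 3}, {4, 0}, {5, 3}, {6, 0}, {6, 2} };
#define kZigzagN 8

/* Run the recorder with a buffer advertised as cap ints (real storage is
 * larger, so a wrong answer here would be a logic error, not a crash). */
int demo_with_capacity(size_t cap)
{
  int buf[64] = { 0 };
  if(cap > 64) cap = 64;
  return find_self_intersections_checked(kZigzag, kZigzagN, buf, cap);
}

int main(void)
{
  printf("cap 16 ints -> %d intersections\n", demo_with_capacity(16)); /* 5 */
  printf("cap  8 ints -> %d (refused)\n", demo_with_capacity(8));       /* -1 */
  return 0;
}
```

With a capacity of 8 ints the fifth intersection is refused and the function returns -1, so the caller can grow the buffer or reject the mask instead of corrupting the heap; a build with -fsanitize=address, as the reporter used, stays silent on both inputs. The same shape applies to the report's code: pass the allocated element count alongside `nb` and bound the writes there rather than tuning the allocation multiplier.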

History

#1 Updated by Ulrich Pegelow over 2 years ago

  • % Done changed from 0 to 20
  • Status changed from New to Triaged

#2 Updated by Roman Lebedev over 2 years ago

  • % Done changed from 20 to 100
  • Status changed from Triaged to Fixed

#3 Updated by Roman Lebedev over 2 years ago

  • Target version set to 2.4.0