Bugzilla – Full Text Bug Listing
Summary: | VUL-1: CVE-2018-18444: OpenEXR,openexr: Out-of-bounds write in makeMultiView.cpp | ||
---|---|---|---|
Product: | [Novell Products] SUSE Security Incidents | Reporter: | Karol Babioch <karol> |
Component: | Incidents | Assignee: | Security Team bot <security-team> |
Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
Severity: | Minor | ||
Priority: | P4 - Low | CC: | meissner, smash_bz |
Version: | unspecified | ||
Target Milestone: | --- | ||
Hardware: | Other | ||
OS: | Other | ||
URL: | https://smash.suse.de/issue/217542/ | ||
Whiteboard: | CVSSv2:NVD:CVE-2018-18444:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv3:NVD:CVE-2018-18444:8.8:(AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) CVSSv3:RedHat:CVE-2018-18444:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) CVSSv3:SUSE:CVE-2018-18444:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) | ||
Found By: | Security Response Team | Services Priority: | |
Business Priority: | Blocker: | --- | |
Marketing QA Status: | --- | IT Deployment: | --- |
Description
Karol Babioch
2018-10-26 07:42:21 UTC
TW/openexr

$ valgrind -q exrmultiview left poc right AllHalfValues.exr 12.exr
==32717== Invalid write of size 8
==32717==    at 0x4036F54: memset (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32717==    by 0x118912: TypedImageChannel<half>::black() (Image.h:230)
==32717==    by 0x119046: makeMultiView(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::vector<char const*, std::allocator<char const*> > const&, char const*, Imf_2_3::Compression, bool) (makeMultiView.cpp:142)
==32717==    by 0x113D37: main (main.cpp:251)
==32717==  Address 0x5ab2c50 is 0 bytes after a block of size 16,000 alloc'd
==32717==    at 0x403150F: operator new[](unsigned long) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32717==    by 0x11764B: Imf_2_3::Array2D<half>::resizeEraseUnsafe(long, long) (ImfArray.h:277)
==32717==    by 0x116AB7: TypedImageChannel<half>::resize() (Image.h:222)
==32717==    by 0x1163E9: TypedImageChannel<half>::TypedImageChannel(Image&, int, int) (Image.h:162)
==32717==    by 0x115AF7: Image::addChannel(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, Imf_2_3::Channel const&) (Image.cpp:100)
==32717==    by 0x11901E: makeMultiView(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::vector<char const*, std::allocator<char const*> > const&, char const*, Imf_2_3::Compression, bool) (makeMultiView.cpp:141)
==32717==    by 0x113D37: main (main.cpp:251)
==32717==
==32717== Invalid write of size 8
==32717==    at 0x4036F57: memset (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32717==    by 0x118912: TypedImageChannel<half>::black() (Image.h:230)
==32717==    by 0x119046: makeMultiView(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::vector<char const*, std::allocator<char const*> > const&, char const*, Imf_2_3::Compression, bool) (makeMultiView.cpp:142)
==32717==    by 0x113D37: main (main.cpp:251)
==32717==  Address 0x5ab2c58 is 8 bytes after a block of size 16,000 alloc'd
==32717==    at 0x403150F: operator new[](unsigned long) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32717==    by 0x11764B: Imf_2_3::Array2D<half>::resizeEraseUnsafe(long, long) (ImfArray.h:277)
==32717==    by 0x116AB7: TypedImageChannel<half>::resize() (Image.h:222)
==32717==    by 0x1163E9: TypedImageChannel<half>::TypedImageChannel(Image&, int, int) (Image.h:162)
==32717==    by 0x115AF7: Image::addChannel(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, Imf_2_3::Channel const&) (Image.cpp:100)
==32717==    by 0x11901E: makeMultiView(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::vector<char const*, std::allocator<char const*> > const&, char const*, Imf_2_3::Compression, bool) (makeMultiView.cpp:141)
==32717==    by 0x113D37: main (main.cpp:251)
==32717==
==32717== Invalid write of size 8
==32717==    at 0x4036F5B: memset (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32717==    by 0x118912: TypedImageChannel<half>::black() (Image.h:230)
==32717==    by 0x119046: makeMultiView(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::vector<char const*, std::allocator<char const*> > const&, char const*, Imf_2_3::Compression, bool) (makeMultiView.cpp:142)
==32717==    by 0x113D37: main (main.cpp:251)
==32717==  Address 0x5ab2c60 is 16 bytes after a block of size 16,000 alloc'd
==32717==    at 0x403150F: operator new[](unsigned long) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32717==    by 0x11764B: Imf_2_3::Array2D<half>::resizeEraseUnsafe(long, long) (ImfArray.h:277)
==32717==    by 0x116AB7: TypedImageChannel<half>::resize() (Image.h:222)
==32717==    by 0x1163E9: TypedImageChannel<half>::TypedImageChannel(Image&, int, int) (Image.h:162)
==32717==    by 0x115AF7: Image::addChannel(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, Imf_2_3::Channel const&) (Image.cpp:100)
==32717==    by 0x11901E: makeMultiView(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::vector<char const*, std::allocator<char const*> > const&, char const*, Imf_2_3::Compression, bool) (makeMultiView.cpp:141)
==32717==    by 0x113D37: main (main.cpp:251)
==32717==
==32717== Invalid write of size 8
==32717==    at 0x4036F5F: memset (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32717==    by 0x118912: TypedImageChannel<half>::black() (Image.h:230)
==32717==    by 0x119046: makeMultiView(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::vector<char const*, std::allocator<char const*> > const&, char const*, Imf_2_3::Compression, bool) (makeMultiView.cpp:142)
==32717==    by 0x113D37: main (main.cpp:251)
==32717==  Address 0x5ab2c68 is 24 bytes after a block of size 16,000 in arena "client"
==32717==

valgrind: m_mallocfree.c:280 (mk_plain_bszB): Assertion 'bszB != 0' failed.
valgrind: This is probably caused by your program erroneously writing past the
valgrind: end of a heap block and corrupting heap metadata. If you fix any
valgrind: invalid writes reported by Memcheck, this assertion failure will
valgrind: probably go away. Please try that before reporting this as a bug.

host stacktrace:
==32717==    at 0x5803D754: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
==32717==    by 0x5803D864: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
==32717==    by 0x5803D9E9: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
==32717==    by 0x5804CCDC: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
==32717==    by 0x58005044: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
==32717==    by 0x5800528B: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
==32717==    by 0x5809B0CD: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
==32717==    by 0x580AACB0: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)

sched status:
  running_tid=1

Thread 1: status = VgTs_Runnable (lwpid 32717)
==32717==    at 0x4030DEF: operator new(unsigned long) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==32717==    by 0x4B14503: __gnu_cxx::new_allocator<std::_Rb_tree_node<std::pair<Imf_2_3::Name const, Imf_2_3::Channel> > >::allocate(unsigned long, void const*) (new_allocator.h:111)
==32717==    by 0x4B142D7: std::allocator_traits<std::allocator<std::_Rb_tree_node<std::pair<Imf_2_3::Name const, Imf_2_3::Channel> > > >::allocate(std::allocator<std::_Rb_tree_node<std::pair<Imf_2_3::Name const, Imf_2_3::Channel> > >&, unsigned long) (alloc_traits.h:436)
==32717==    by 0x4B13C24: std::_Rb_tree<Imf_2_3::Name, std::pair<Imf_2_3::Name const, Imf_2_3::Channel>, std::_Select1st<std::pair<Imf_2_3::Name const, Imf_2_3::Channel> >, std::less<Imf_2_3::Name>, std::allocator<std::pair<Imf_2_3::Name const, Imf_2_3::Channel> > >::_M_get_node() (stl_tree.h:599)
==32717==    by 0x4B12F7A: std::_Rb_tree_node<std::pair<Imf_2_3::Name const, Imf_2_3::Channel> >* std::_Rb_tree<Imf_2_3::Name, std::pair<Imf_2_3::Name const, Imf_2_3::Channel>, std::_Select1st<std::pair<Imf_2_3::Name const, Imf_2_3::Channel> >, std::less<Imf_2_3::Name>, std::allocator<std::pair<Imf_2_3::Name const, Imf_2_3::Channel> > >::_M_create_node<std::piecewise_construct_t const&, std::tuple<Imf_2_3::Name&&>, std::tuple<> >(std::piecewise_construct_t const&, std::tuple<Imf_2_3::Name&&>&&, std::tuple<>&&) (stl_tree.h:653)
==32717==    by 0x4B1292A: std::_Rb_tree_iterator<std::pair<Imf_2_3::Name const, Imf_2_3::Channel> > std::_Rb_tree<Imf_2_3::Name, std::pair<Imf_2_3::Name const, Imf_2_3::Channel>, std::_Select1st<std::pair<Imf_2_3::Name const, Imf_2_3::Channel> >, std::less<Imf_2_3::Name>, std::allocator<std::pair<Imf_2_3::Name const, Imf_2_3::Channel> > >::_M_emplace_hint_unique<std::piecewise_construct_t const&, std::tuple<Imf_2_3::Name&&>, std::tuple<> >(std::_Rb_tree_const_iterator<std::pair<Imf_2_3::Name const, Imf_2_3::Channel> >, std::piecewise_construct_t const&, std::tuple<Imf_2_3::Name&&>&&, std::tuple<>&&) (stl_tree.h:2414)
==32717==    by 0x4B12504: std::map<Imf_2_3::Name, Imf_2_3::Channel, std::less<Imf_2_3::Name>, std::allocator<std::pair<Imf_2_3::Name const, Imf_2_3::Channel> > >::operator[](Imf_2_3::Name&&) (stl_map.h:518)
==32717==    by 0x4B10F23: Imf_2_3::ChannelList::insert(char const*, Imf_2_3::Channel const&) (ImfChannelList.cpp:81)
==32717==    by 0x4B10FB5: Imf_2_3::ChannelList::insert(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, Imf_2_3::Channel const&) (ImfChannelList.cpp:88)
==32717==    by 0x119071: makeMultiView(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::vector<char const*, std::allocator<char const*> > const&, char const*, Imf_2_3::Compression, bool) (makeMultiView.cpp:144)
==32717==    by 0x113D37: main (main.cpp:251)

Note: see also the FAQ in the source distribution.
It contains workarounds to several common problems.
In particular, if Valgrind aborted or crashed after
identifying problems in your program, there's a good chance
that fixing those problems will prevent Valgrind aborting or
crashing, especially if it happened in m_mallocfree.c.

If that doesn't help, please report this bug to: www.valgrind.org

In the bug report, send all the above text, the valgrind
version, and what OS and version you are using.  Thanks.
$

15/openexr

$ valgrind -q --leak-check=full exrmultiview left poc right AllHalfValues.exr 12.exr
==342== Invalid write of size 8
==342==    at 0x4C34BD7: memset (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==342==    by 0x1184B8: TypedImageChannel<half>::black() (Image.h:230)
==342==    by 0x118BEC: makeMultiView(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::vector<char const*, std::allocator<char const*> > const&, char const*, Imf_2_2::Compression, bool) (makeMultiView.cpp:142)
==342==    by 0x11386C: main (main.cpp:251)
==342==  Address 0x6c38dc0 is 0 bytes after a block of size 16,000 alloc'd
==342==    at 0x4C2EE1F: operator new[](unsigned long) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==342==    by 0x1171CF: Imf_2_2::Array2D<half>::resizeEraseUnsafe(long, long) (ImfArray.h:277)
==342==    by 0x116649: TypedImageChannel<half>::resize() (Image.h:222)
==342==    by 0x115F93: TypedImageChannel<half>::TypedImageChannel(Image&, int, int) (Image.h:162)
==342==    by 0x115679: Image::addChannel(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, Imf_2_2::Channel const&) (Image.cpp:100)
==342==    by 0x118BC4: makeMultiView(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::vector<char const*, std::allocator<char const*> > const&, char const*, Imf_2_2::Compression, bool) (makeMultiView.cpp:141)
==342==    by 0x11386C: main (main.cpp:251)
==342==
==342== Invalid write of size 8
==342==    at 0x4C34BDA: memset (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==342==    by 0x1184B8: TypedImageChannel<half>::black() (Image.h:230)
==342==    by 0x118BEC: makeMultiView(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::vector<char const*, std::allocator<char const*> > const&, char const*, Imf_2_2::Compression, bool) (makeMultiView.cpp:142)
==342==    by 0x11386C: main (main.cpp:251)
==342==  Address 0x6c38dc8 is 8 bytes after a block of size 16,000 alloc'd
==342==    at 0x4C2EE1F: operator new[](unsigned long) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==342==    by 0x1171CF: Imf_2_2::Array2D<half>::resizeEraseUnsafe(long, long) (ImfArray.h:277)
==342==    by 0x116649: TypedImageChannel<half>::resize() (Image.h:222)
==342==    by 0x115F93: TypedImageChannel<half>::TypedImageChannel(Image&, int, int) (Image.h:162)
==342==    by 0x115679: Image::addChannel(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, Imf_2_2::Channel const&) (Image.cpp:100)
==342==    by 0x118BC4: makeMultiView(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::vector<char const*, std::allocator<char const*> > const&, char const*, Imf_2_2::Compression, bool) (makeMultiView.cpp:141)
==342==    by 0x11386C: main (main.cpp:251)
==342==
==342== Invalid write of size 8
==342==    at 0x4C34BDE: memset (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==342==    by 0x1184B8: TypedImageChannel<half>::black() (Image.h:230)
==342==    by 0x118BEC: makeMultiView(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::vector<char const*, std::allocator<char const*> > const&, char const*, Imf_2_2::Compression, bool) (makeMultiView.cpp:142)
==342==    by 0x11386C: main (main.cpp:251)
==342==  Address 0x6c38dd0 is 16 bytes after a block of size 16,000 alloc'd
==342==    at 0x4C2EE1F: operator new[](unsigned long) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==342==    by 0x1171CF: Imf_2_2::Array2D<half>::resizeEraseUnsafe(long, long) (ImfArray.h:277)
==342==    by 0x116649: TypedImageChannel<half>::resize() (Image.h:222)
==342==    by 0x115F93: TypedImageChannel<half>::TypedImageChannel(Image&, int, int) (Image.h:162)
==342==    by 0x115679: Image::addChannel(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, Imf_2_2::Channel const&) (Image.cpp:100)
==342==    by 0x118BC4: makeMultiView(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::vector<char const*, std::allocator<char const*> > const&, char const*, Imf_2_2::Compression, bool) (makeMultiView.cpp:141)
==342==    by 0x11386C: main (main.cpp:251)
==342==
==342== Invalid write of size 8
==342==    at 0x4C34BE2: memset (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==342==    by 0x1184B8: TypedImageChannel<half>::black() (Image.h:230)
==342==    by 0x118BEC: makeMultiView(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::vector<char const*, std::allocator<char const*> > const&, char const*, Imf_2_2::Compression, bool) (makeMultiView.cpp:142)
==342==    by 0x11386C: main (main.cpp:251)
==342==  Address 0x6c38dd8 is 24 bytes after a block of size 16,000 in arena "client"
==342==

valgrind: m_mallocfree.c:280 (mk_plain_bszB): Assertion 'bszB != 0' failed.
valgrind: This is probably caused by your program erroneously writing past the
valgrind: end of a heap block and corrupting heap metadata. If you fix any
valgrind: invalid writes reported by Memcheck, this assertion failure will
valgrind: probably go away. Please try that before reporting this as a bug.

host stacktrace:
==342==    at 0x580442FA: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
==342==    by 0x58044414: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
==342==    by 0x58044599: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
==342==    by 0x580533CC: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
==342==    by 0x5800BAB4: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
==342==    by 0x5800BCF9: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
==342==    by 0x580A0055: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
==342==    by 0x580AF6C0: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)

sched status:
  running_tid=1

Thread 1: status = VgTs_Runnable (lwpid 342)
==342==    at 0x4C2E6FF: operator new(unsigned long) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==342==    by 0x4F2733D: __gnu_cxx::new_allocator<std::_Rb_tree_node<std::pair<Imf_2_2::Name const, Imf_2_2::Channel> > >::allocate(unsigned long, void const*) (new_allocator.h:111)
==342==    by 0x4F27111: std::allocator_traits<std::allocator<std::_Rb_tree_node<std::pair<Imf_2_2::Name const, Imf_2_2::Channel> > > >::allocate(std::allocator<std::_Rb_tree_node<std::pair<Imf_2_2::Name const, Imf_2_2::Channel> > >&, unsigned long) (alloc_traits.h:436)
==342==    by 0x4F26A5C: std::_Rb_tree<Imf_2_2::Name, std::pair<Imf_2_2::Name const, Imf_2_2::Channel>, std::_Select1st<std::pair<Imf_2_2::Name const, Imf_2_2::Channel> >, std::less<Imf_2_2::Name>, std::allocator<std::pair<Imf_2_2::Name const, Imf_2_2::Channel> > >::_M_get_node() (stl_tree.h:588)
==342==    by 0x4F25DB6: std::_Rb_tree_node<std::pair<Imf_2_2::Name const, Imf_2_2::Channel> >* std::_Rb_tree<Imf_2_2::Name, std::pair<Imf_2_2::Name const, Imf_2_2::Channel>, std::_Select1st<std::pair<Imf_2_2::Name const, Imf_2_2::Channel> >, std::less<Imf_2_2::Name>, std::allocator<std::pair<Imf_2_2::Name const, Imf_2_2::Channel> > >::_M_create_node<std::piecewise_construct_t const&, std::tuple<Imf_2_2::Name&&>, std::tuple<> >(std::piecewise_construct_t const&, std::tuple<Imf_2_2::Name&&>&&, std::tuple<>&&) (stl_tree.h:642)
==342==    by 0x4F25766: std::_Rb_tree_iterator<std::pair<Imf_2_2::Name const, Imf_2_2::Channel> > std::_Rb_tree<Imf_2_2::Name, std::pair<Imf_2_2::Name const, Imf_2_2::Channel>, std::_Select1st<std::pair<Imf_2_2::Name const, Imf_2_2::Channel> >, std::less<Imf_2_2::Name>, std::allocator<std::pair<Imf_2_2::Name const, Imf_2_2::Channel> > >::_M_emplace_hint_unique<std::piecewise_construct_t const&, std::tuple<Imf_2_2::Name&&>, std::tuple<> >(std::_Rb_tree_const_iterator<std::pair<Imf_2_2::Name const, Imf_2_2::Channel> >, std::piecewise_construct_t const&, std::tuple<Imf_2_2::Name&&>&&, std::tuple<>&&) (stl_tree.h:2398)
==342==    by 0x4F25340: std::map<Imf_2_2::Name, Imf_2_2::Channel, std::less<Imf_2_2::Name>, std::allocator<std::pair<Imf_2_2::Name const, Imf_2_2::Channel> > >::operator[](Imf_2_2::Name&&) (stl_map.h:512)
==342==    by 0x4F23D5F: Imf_2_2::ChannelList::insert(char const*, Imf_2_2::Channel const&) (ImfChannelList.cpp:81)
==342==    by 0x4F23DF1: Imf_2_2::ChannelList::insert(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, Imf_2_2::Channel const&) (ImfChannelList.cpp:88)
==342==    by 0x118C17: makeMultiView(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::vector<char const*, std::allocator<char const*> > const&, char const*, Imf_2_2::Compression, bool) (makeMultiView.cpp:144)
==342==    by 0x11386C: main (main.cpp:251)

Note: see also the FAQ in the source distribution.
It contains workarounds to several common problems.
In particular, if Valgrind aborted or crashed after
identifying problems in your program, there's a good chance
that fixing those problems will prevent Valgrind aborting or
crashing, especially if it happened in m_mallocfree.c.

If that doesn't help, please report this bug to: www.valgrind.org

In the bug report, send all the above text, the valgrind
version, and what OS and version you are using.  Thanks.
$

12/openexr

$ valgrind -q --leak-check=full exrmultiview left poc right AllHalfValues.exr 12.exr
==335== Invalid write of size 8
==335==    at 0x4C2F957: memset (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==335==    by 0x4051FE: makeMultiView(std::vector<std::string, std::allocator<std::string> > const&, std::vector<char const*, std::allocator<char const*> > const&, char const*, Imf_2_1::Compression, bool) (makeMultiView.cpp:142)
==335==    by 0x402C48: main (main.cpp:242)
==335==  Address 0x68c39e0 is 0 bytes after a block of size 16,000 alloc'd
==335==    at 0x4C29D90: operator new[](unsigned long) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==335==    by 0x404347: resizeEraseUnsafe (ImfArray.h:277)
==335==    by 0x404347: TypedImageChannel<half>::resize() (Image.h:222)
==335==    by 0x403FA5: TypedImageChannel (Image.h:162)
==335==    by 0x403FA5: Image::addChannel(std::string const&, Imf_2_1::Channel const&) (Image.cpp:100)
==335==    by 0x4051E3: makeMultiView(std::vector<std::string, std::allocator<std::string> > const&, std::vector<char const*, std::allocator<char const*> > const&, char const*, Imf_2_1::Compression, bool) (makeMultiView.cpp:141)
==335==    by 0x402C48: main (main.cpp:242)
==335==

valgrind: m_mallocfree.c:278 (mk_plain_bszB): Assertion 'bszB != 0' failed.
valgrind: This is probably caused by your program erroneously writing past the
valgrind: end of a heap block and corrupting heap metadata. If you fix any
valgrind: invalid writes reported by Memcheck, this assertion failure will
valgrind: probably go away. Please try that before reporting this as a bug.

host stacktrace:
==335==    at 0x38053376: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
==335==    by 0x38053484: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
==335==    by 0x38053606: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
==335==    by 0x3805E13A: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
==335==    by 0x380608E7: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
==335==    by 0x38022504: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
==335==    by 0x3802272A: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
==335==    by 0x380A4D7A: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
==335==    by 0x380B38DC: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)

sched status:
  running_tid=1

Thread 1: status = VgTs_Runnable
==335==    at 0x4C29670: operator new(unsigned long) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==335==    by 0x4E8084F: allocate (new_allocator.h:104)
==335==    by 0x4E8084F: _M_get_node (stl_tree.h:370)
==335==    by 0x4E8084F: _M_create_node (stl_tree.h:380)
==335==    by 0x4E8084F: _M_insert_ (stl_tree.h:1023)
==335==    by 0x4E8084F: _M_insert_unique_ (stl_tree.h:1482)
==335==    by 0x4E8084F: insert (stl_map.h:648)
==335==    by 0x4E8084F: operator[] (stl_map.h:469)
==335==    by 0x4E8084F: Imf_2_1::ChannelList::insert(char const*, Imf_2_1::Channel const&) (ImfChannelList.cpp:81)
==335==    by 0x40521B: makeMultiView(std::vector<std::string, std::allocator<std::string> > const&, std::vector<char const*, std::allocator<char const*> > const&, char const*, Imf_2_1::Compression, bool) (makeMultiView.cpp:144)
==335==    by 0x402C48: main (main.cpp:242)

Note: see also the FAQ in the source distribution.
It contains workarounds to several common problems.
In particular, if Valgrind aborted or crashed after
identifying problems in your program, there's a good chance
that fixing those problems will prevent Valgrind aborting or
crashing, especially if it happened in m_mallocfree.c.

If that doesn't help, please report this bug to: www.valgrind.org

In the bug report, send all the above text, the valgrind
version, and what OS and version you are using.  Thanks.
$

11/OpenEXR, 10sp3/OpenEXR

exrmultiview not available, testcase not applicable

ASAN output in TW/openexr

$ exrmultiview left poc right AllHalfValues.exr 12.exr
=================================================================
==4648==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x628000003f80 at pc 0x7faa5f83be40 bp 0x7fff59d3c930 sp 0x7fff59d3c0e0
WRITE of size 16384 at 0x628000003f80 thread T0
    #0 0x7faa5f83be3f  (/usr/lib64/libasan.so.5+0x99e3f)
    #1 0x5606eba7944b in makeMultiView(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::vector<char const*, std::allocator<char const*> > const&, char const*, Imf_2_3::Compression, bool) /usr/src/debug/openexr-2.3.0-0.x86_64/exrmultiview/makeMultiView.cpp:142
    #2 0x5606eba6f389 in main /usr/src/debug/openexr-2.3.0-0.x86_64/exrmultiview/main.cpp:251
    #3 0x7faa5ef80fea in __libc_start_main (/lib64/libc.so.6+0x22fea)
    #4 0x5606eba6ffa9  (/usr/bin/exrmultiview+0x6fa9)

0x628000003f80 is located 0 bytes to the right of 16000-byte region [0x628000000100,0x628000003f80)
allocated by thread T0 here:
    #0 0x7faa5f88fac0 in operator new[](unsigned long) (/usr/lib64/libasan.so.5+0xedac0)
    #1 0x5606eba74d0c in Imf_2_3::Array2D<half>::resizeEraseUnsafe(long, long) ../IlmImf/ImfArray.h:277
    #2 0x5606eba74d0c in TypedImageChannel<half>::resize() /usr/src/debug/openexr-2.3.0-0.x86_64/exrmultiview/Image.h:222

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib64/libasan.so.5+0x99e3f)
Shadow bytes around the buggy address:
  0x0c507fff87a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c507fff87b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c507fff87c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c507fff87d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c507fff87e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c507fff87f0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c507fff8800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c507fff8810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c507fff8820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c507fff8830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c507fff8840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4648==ABORTING
$

(However, the ASAN output contains no additional information, it seems.)

Still on TW/openexr: use the same rounding effect as in resize()

Index: openexr-2.3.0/exrmultiview/Image.h
===================================================================
--- openexr-2.3.0.orig/exrmultiview/Image.h	2018-08-10 03:35:00.000000000 +0200
+++ openexr-2.3.0/exrmultiview/Image.h	2018-11-07 08:58:32.793819973 +0100
@@ -227,7 +227,7 @@
 template <class T>
 void
 TypedImageChannel<T>::black ()
 {
-    memset(&_pixels[0][0],0,image().width()/_xSampling*image().height()/_ySampling*sizeof(T));
+    memset(&_pixels[0][0],0,image().width()/_xSampling*(image().height()/_ySampling)*sizeof(T));
 }

Now it has:

$ valgrind -q --leak-check=full exrmultiview left poc right AllHalfValues.exr 12.exr
Error reading pixel data from image file "poc". Unexpected data block y coordinate.
==2223== 8 bytes in 1 blocks are definitely lost in loss record 1 of 1
==2223==    at 0x4030DEF: operator new(unsigned long) (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==2223==    by 0x546BC50: IlmThread_2_3::ThreadPool::ThreadPool(unsigned int) (IlmThreadPool.cpp:758)
==2223==    by 0x546C164: IlmThread_2_3::ThreadPool::globalThreadPool() (IlmThreadPool.cpp:838)
==2223==    by 0x4B39B53: Imf_2_3::globalThreadCount() (ImfThreading.cpp:51)
==2223==    by 0x118B15: makeMultiView(std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, std::vector<char const*, std::allocator<char const*> > const&, char const*, Imf_2_3::Compression, bool) (makeMultiView.cpp:83)
==2223==    by 0x113D37: main (main.cpp:251)
==2223==
$

but it is the same as in bug 1113454.

AFTER

15/openexr

$ valgrind -q --leak-check=full exrmultiview left poc right AllHalfValues.exr 12.exr
Error reading pixel data from image file "poc". Unexpected data block y coordinate.
$

12/openexr

$ valgrind -q --leak-check=full exrmultiview left poc right AllHalfValues.exr 12.exr
Error reading pixel data from image file "poc". Unexpected data block y coordinate.
$

11,10sp3/OpenEXR

The bug is related to exrmultiview, which is not present in versions shipped, thus code-not-found.

Will submit for TW, 15 and 12.

Really great work Petr, thanks for looking into this in such detail. Also thanks for the upstream pull request!
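Review bot: the one changed line in the Image.h hunk still recomputes the byte count for memset independently of the buffer it clears, so black() and resize() can drift apart again the next time either expression is touched; the only thing the patch changes is the grouping, from `((width/_xSampling)*height)/_ySampling` to `(width/_xSampling)*(height/_ySampling)`, and with C++ integer division the first form can be larger than the second whenever height is not a multiple of _ySampling, which is exactly why the old memset ran past the 16,000-byte block that resizeEraseUnsafe allocated at Image.h:222 in the traces above. Safer would be to size the memset from the row and column counts that resize() actually passed to the Array2D (the same values it was allocated with), so that no separate arithmetic exists to get wrong, and to add a one-line comment next to the parentheses explaining that they match resize()'s rounding, otherwise a later reader will "simplify" them away and reintroduce the overflow. Worth noting for the tracker: the hunk touches only the exrmultiview tool's Image.h, not the IlmImf library, which is consistent with the code-not-found verdict for the products that do not ship exrmultiview.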
I believe all fixed.

This is an autogenerated message for OBS integration:
This bug (1113455) was mentioned in
https://build.opensuse.org/request/show/646946 Factory / openexr

SUSE-SU-2019:0954-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1113455
CVE References: CVE-2018-18444
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): openexr-2.2.1-3.3.11
SUSE Linux Enterprise Module for Desktop Applications 15 (src): openexr-2.2.1-3.3.11

*** NOTE: This information is not intended to be used for external communication, because this may only be a partial fix. If you have questions please reach out to maintenance coordination.

openSUSE-SU-2019:1265-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1113455
CVE References: CVE-2018-18444
Sources used:
openSUSE Leap 15.0 (src): openexr-2.2.1-lp150.2.3.1

was released July 24th for SLE12.

This is an autogenerated message for OBS integration:
This bug (1113455) was mentioned in
https://build.opensuse.org/request/show/773383 Factory / openexr
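The root cause discussed in this bug is an integer-division ordering mistake: in black(), `width/xs*height/ys` is evaluated left to right as `((width/xs)*height)/ys`, which can be larger than `(width/xs)*(height/ys)`, the element count resize() allocates, whenever height is not a multiple of the vertical sampling factor. The C program below is an added illustration written for this page, not OpenEXR's code: it models the allocation and both versions of the black() size computation with `uint16_t` standing in for `half`, then performs the old and the patched memset against a buffer that carries a canary region after the logical allocation, so the overrun is measured without undefined behaviour. The dimensions (100x165, sampling 1x2) are constructed for the demonstration; the report does not give the PoC's values (its ASAN run shows a 16,000-byte region and a 16,384-byte write).

```c
/* Added example for this bug page; not OpenEXR source.
 * Models TypedImageChannel<T>::black() before and after the patch above.
 * Assumptions (from the patch and the traces): resize() allocates
 * (height/_ySampling) rows of (width/_xSampling) elements, and the old
 * black() computed width/xs*height/ys*sizeof(T) with C's left-to-right
 * integer division. 'half' is modelled as a 2-byte uint16_t. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t half_t;   /* stand-in for the 2-byte half type */

/* Bytes resize() actually allocates: rows * columns * sizeof(T). */
static size_t alloc_bytes(int w, int h, int xs, int ys)
{
    return (size_t)(h / ys) * (size_t)(w / xs) * sizeof(half_t);
}

/* Byte count of the unpatched black(): parsed as ((w/xs)*h)/ys. */
static size_t black_bytes_before(int w, int h, int xs, int ys)
{
    return (size_t)(w / xs * h / ys) * sizeof(half_t);
}

/* Byte count after the patch: (w/xs)*(h/ys), matching resize(). */
static size_t black_bytes_after(int w, int h, int xs, int ys)
{
    return (size_t)(w / xs * (h / ys)) * sizeof(half_t);
}

/* Run black() against a buffer that has a 256-byte canary after the
 * logical allocation and return how many canary bytes were clobbered.
 * Canary and data live in one malloc'd block, so the memset stays inside
 * the real allocation and the measurement itself is well defined. */
static size_t canary_clobbered(int w, int h, int xs, int ys, int patched)
{
    const size_t logical = alloc_bytes(w, h, xs, ys);
    const size_t canary  = 256;
    unsigned char *buf = malloc(logical + canary);
    if (!buf)
        return (size_t)-1;
    memset(buf, 0xAA, logical + canary);

    size_t n = patched ? black_bytes_after(w, h, xs, ys)
                       : black_bytes_before(w, h, xs, ys);
    if (n > logical + canary)          /* keep the demo in bounds */
        n = logical + canary;
    memset(buf, 0, n);                 /* the write black() performs */

    size_t hit = 0;
    for (size_t i = logical; i < logical + canary; i++)
        if (buf[i] != 0xAA)
            hit++;
    free(buf);
    return hit;
}

int main(void)
{
    /* Constructed dimensions: odd height with vertical subsampling 2. */
    int w = 100, h = 165, xs = 1, ys = 2;
    printf("allocated %zu bytes; black() memset before=%zu after=%zu\n",
           alloc_bytes(w, h, xs, ys),
           black_bytes_before(w, h, xs, ys),
           black_bytes_after(w, h, xs, ys));
    printf("canary bytes clobbered: before=%zu after=%zu\n",
           canary_clobbered(w, h, xs, ys, 0),
           canary_clobbered(w, h, xs, ys, 1));
    return 0;
}
```

With these inputs the unpatched expression asks for 16,500 bytes against a 16,400-byte allocation and zeroes 100 bytes of the canary, while the patched expression matches the allocation exactly; with ys == 1 both forms agree, which is why the bug only surfaces for subsampled channels with an uneven height.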