
hugin-devs team mailing list archive

[Bug 2025038] [NEW] Improper handling of values in HuginBase::PTools::Transform::transform causes assertion error in libpano13

 

*** This bug is a security vulnerability ***

Private security bug reported:

Hi there

We just want to share that the latest version (2022.0.0) of pto_merge
reaches an assertion error, which is improper for normal
execution.

The stack execution from the function
HuginBase::PTools::Transform::transform() checks for NaN through the
function erect_lambertazimuthal(), but the assertion fails, saying
‘pto_merge: math.c:846: erect_lambertazimuthal: Assertion `! isnan(x)' failed.’

Here is the gdb output.

### Bug Report

(gdb) r
Starting program: /home/ubuntu/targets/hugin-2022.0.0_original/build/src/tools/pto_merge ../AFLplusplus/hugin_ptomerge_jpg/default/crashes/id:000242,sig:06,src:001403,time:28753634,execs:1225769,op:havoc,rep:2 1.jpg
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
pto_merge: math.c:846: erect_lambertazimuthal: Assertion `! isnan(x)' failed.

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff48e9859 in __GI_abort () at abort.c:79
#2 0x00007ffff48e9729 in __assert_fail_base (
    fmt=0x7ffff4a7f588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
    assertion=0x7ffff5d93d92 "! isnan(x)", file=0x7ffff5d93d8b "math.c", line=846,
    function=<optimized out>) at assert.c:92
#3 0x00007ffff48fafd6 in __GI___assert_fail (assertion=0x7ffff5d93d92 "! isnan(x)",
    file=0x7ffff5d93d8b "math.c", line=846, function=0x7ffff5d93e60 "erect_lambertazimuthal")
    at assert.c:101
#4 0x00007ffff5d5ce68 in erect_lambertazimuthal () from /lib/x86_64-linux-gnu/libpano13.so.3
#5 0x00007ffff5d5b8d3 in execute_stack_new () from /lib/x86_64-linux-gnu/libpano13.so.3
#6 0x00007ffff733a368 in **HuginBase::PTools::Transform::transform** (this=this@entry=0x7fffffff3fc0,
    dest=..., src=...)
    at /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panotools/PanoToolsInterface.cpp:250
#7 0x00007ffff724a33f in HuginBase::PanoramaOptions::getVFOV (this=<optimized out>)
    at /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/hugin_math/hugin_math.h:87
#8 0x00007ffff724c31e in HuginBase::PanoramaOptions::setProjectionParameters (this=0x7fffffffc530,
    params=std::vector of length 0, capacity 0)
    at /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panodata/PanoramaOptions.cpp:190
#9 0x00007ffff724c859 in HuginBase::PanoramaOptions::resetProjectionParameters (this=<optimized out>)
    at /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panodata/PanoramaOptions.cpp:200
#10 0x00007ffff71cd2ba in HuginBase::PanoramaMemento::loadPTScript (this=<optimized out>, i=...,
    ptoVersion=<optimized out>, prefix=...)
    at /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panodata/Panorama.cpp:2492
#11 0x00007ffff71f7619 in HuginBase::Panorama::readData (this=<optimized out>, dataInput=...,
    documentType=...) at /usr/include/c++/9/bits/basic_string.h:267
#12 0x000055555555e976 in main (argc=<optimized out>, argv=0x7fffffffe4c8)
    at /usr/include/c++/9/ext/new_allocator.h:80

### Environment
OS: Ubuntu 20.04.5 LTS x86_64
Release: hugin 2022.0.0
Program: pto_merge
libhuginbase: 2020.0.0 (retrieved and compiled from source code)
libpano13: 2.9.19
To reproduce the problem, we need to build hugin:
sudo cmake -DCMAKE_C_FLAGS="-g" -DCMAKE_CXX_FLAGS="-g" ..

### How to reproduce
$ pto_merge poc-file *.jpg
(*.jpg: any name of a jpg file, including an asterisk (*))
poc-file is attached.

** Affects: hugin
     Importance: Undecided
         Status: New

** Attachment added: "poc-file.txt"
   https://bugs.launchpad.net/bugs/2025038/+attachment/5682016/+files/poc-file.txt

-- 
You received this bug notification because you are a member of Hugin
Developers, which is subscribed to Hugin.
https://bugs.launchpad.net/bugs/2025038

To manage notifications about this bug go to:
https://bugs.launchpad.net/hugin/+bug/2025038/+subscriptions
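
The report above shows a value derived from an input file reaching an `assert(!isnan(x))` inside a library, so a malformed file aborts the process. As an added example (not Hugin or libpano13 code), this C sketch shows one way a non-finite value can enter from text and how a caller can reject it before and after an asserting routine. The names `lib_transform`, `parse_field` and `checked_transform`, and the 0 to 360 range, are assumptions made for illustration.

```c
#include <assert.h>
#include <errno.h>
#include <math.h>
#include <stdlib.h>

/* Hypothetical stand-in for a library routine that aborts on NaN instead of
 * returning an error, like the assertion in the backtrace. */
static double lib_transform(double x)
{
    assert(!isnan(x));
    return x / 2.0;
}

/* Parse one numeric field from untrusted script text (hypothetical helper).
 * strtod() accepts "nan", "inf" and overflowing literals, so a successful
 * parse does not imply a usable number. Returns 0 on success, -1 on reject. */
int parse_field(const char *text, double min, double max, double *out)
{
    char *end;
    errno = 0;
    double v = strtod(text, &end);
    if (end == text || *end != '\0') return -1;       /* empty or trailing junk */
    if (errno == ERANGE || !isfinite(v)) return -1;   /* nan, inf, out of range */
    if (v < min || v > max) return -1;                /* outside caller's domain */
    *out = v;
    return 0;
}

/* Validate before and after the call so bad input becomes an error code
 * rather than SIGABRT. */
int checked_transform(const char *field, double *result)
{
    double v;
    if (parse_field(field, 0.0, 360.0, &v) != 0)      /* range is an assumption */
        return -1;
    double r = lib_transform(v);
    if (!isfinite(r))
        return -1;
    *result = r;
    return 0;
}

int main(void)
{
    double r;
    /* Constructed input: a literal that strtod() parses as NaN. */
    return checked_transform("nan", &r) == -1 ? 0 : 1;
}
```

When the library is built with `NDEBUG`, the assertion disappears and the NaN propagates silently into later results, so the caller-side check matters in release builds as well.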


