hugin-devs team mailing list archive
-
hugin-devs team
-
Mailing list archive
-
Message #07849
[Bug 2025038] [NEW] Improper handling of values in HuginBase::PTools::Transform::transform causes assertion error in libpano13
*** This bug is a security vulnerability ***
Private security bug reported:
Hi there
We just want to share that the latest version (2022.0.0) of pto_merge
causes reaching assertion error, which is improper to the normal
execution.
The stack execution from the function
HuginBase::PTools::Transform::transform() checks NaN through the
function erect_lambertazimuthal(), but it causes assertion has failed
saying ‘pto_merge: math.c:846: erect_lambertazimuthal: Assertion `!
isnan(x)' failed.'
Here is the output of gdb results.
### Bug Report
(gdb) r
Starting program: /home/ubuntu/targets/hugin-2022.0.0_original/build/src/tools/pto_merge ../AFLplusplus/hugin_ptomerge_jpg/default/crashes/id:000242,sig:06,src:001403,time:28753634,execs:1225769,op:havoc,rep:2 1.jpg
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
pto_merge: math.c:846: erect_lambertazimuthal: Assertion `! isnan(x)' failed.
Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff48e9859 in __GI_abort () at abort.c:79
#2 0x00007ffff48e9729 in __assert_fail_base (
fmt=0x7ffff4a7f588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
assertion=0x7ffff5d93d92 "! isnan(x)", file=0x7ffff5d93d8b "math.c", line=846,
function=<optimized out>) at assert.c:92
#3 0x00007ffff48fafd6 in __GI___assert_fail (assertion=0x7ffff5d93d92 "! isnan(x)",
file=0x7ffff5d93d8b "math.c", line=846, function=0x7ffff5d93e60 "erect_lambertazimuthal")
at assert.c:101
#4 0x00007ffff5d5ce68 in erect_lambertazimuthal () from /lib/x86_64-linux-gnu/libpano13.so.3
#5 0x00007ffff5d5b8d3 in execute_stack_new () from /lib/x86_64-linux-gnu/libpano13.so.3
#6 0x00007ffff733a368 in **HuginBase::PTools::Transform::transform** (this=this@entry=0x7fffffff3fc0,
dest=..., src=...)
at /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panotools/PanoToolsInterface.cpp:250
#7 0x00007ffff724a33f in HuginBase::PanoramaOptions::getVFOV (this=<optimized out>)
at /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/hugin_math/hugin_math.h:87
#8 0x00007ffff724c31e in HuginBase::PanoramaOptions::setProjectionParameters (this=0x7fffffffc530,
params=std::vector of length 0, capacity 0)
at /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panodata/PanoramaOptions.cpp:190
#9 0x00007ffff724c859 in HuginBase::PanoramaOptions::resetProjectionParameters (this=<optimized out>)
at /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panodata/PanoramaOptions.cpp:200
#10 0x00007ffff71cd2ba in HuginBase::PanoramaMemento::loadPTScript (this=<optimized out>, i=...,
ptoVersion=<optimized out>, prefix=...)
at /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panodata/Panorama.cpp:2492
#11 0x00007ffff71f7619 in HuginBase::Panorama::readData (this=<optimized out>, dataInput=...,
documentType=...) at /usr/include/c++/9/bits/basic_string.h:267
#12 0x000055555555e976 in main (argc=<optimized out>, argv=0x7fffffffe4c8)
at /usr/include/c++/9/ext/new_allocator.h:80
### Envionment
OS: Ubuntu 20.04.5 LTS x86_64
Release: hugin 2022.0.0
Program: pto_merge
libhuginbase: 2020.0.0 (retrieved and compiled from source code)
libpano13: 2.9.19
To reproduce the problem, we need to build hugin:
sudo cmake -DCMAKE_C_FLAGS="-g" -DCMAKE_CXX_FLAGS="-g" ..
### How to reproduce
$ pto_merge poc-file *.jpg
(*.jpg any name of jpg file including asterisk(*))
poc-file is attached.
** Affects: hugin
Importance: Undecided
Status: New
** Attachment added: "poc-file.txt"
https://bugs.launchpad.net/bugs/2025038/+attachment/5682016/+files/poc-file.txt
--
You received this bug notification because you are a member of Hugin
Developers, which is subscribed to Hugin.
https://bugs.launchpad.net/bugs/2025038
Title:
Improper handling of values in HuginBase::PTools::Transform::transform
causes assertion error in libpano13
Status in Hugin:
New
Bug description:
Hi there
We just want to share that the latest version (2022.0.0) of pto_merge
causes reaching assertion error, which is improper to the normal
execution.
The stack execution from the function
HuginBase::PTools::Transform::transform() checks NaN through the
function erect_lambertazimuthal(), but it causes assertion has failed
saying ‘pto_merge: math.c:846: erect_lambertazimuthal: Assertion `!
isnan(x)' failed.'
Here is the output of gdb results.
### Bug Report
(gdb) r
Starting program: /home/ubuntu/targets/hugin-2022.0.0_original/build/src/tools/pto_merge ../AFLplusplus/hugin_ptomerge_jpg/default/crashes/id:000242,sig:06,src:001403,time:28753634,execs:1225769,op:havoc,rep:2 1.jpg
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
pto_merge: math.c:846: erect_lambertazimuthal: Assertion `! isnan(x)' failed.
Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff48e9859 in __GI_abort () at abort.c:79
#2 0x00007ffff48e9729 in __assert_fail_base (
fmt=0x7ffff4a7f588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
assertion=0x7ffff5d93d92 "! isnan(x)", file=0x7ffff5d93d8b "math.c", line=846,
function=<optimized out>) at assert.c:92
#3 0x00007ffff48fafd6 in __GI___assert_fail (assertion=0x7ffff5d93d92 "! isnan(x)",
file=0x7ffff5d93d8b "math.c", line=846, function=0x7ffff5d93e60 "erect_lambertazimuthal")
at assert.c:101
#4 0x00007ffff5d5ce68 in erect_lambertazimuthal () from /lib/x86_64-linux-gnu/libpano13.so.3
#5 0x00007ffff5d5b8d3 in execute_stack_new () from /lib/x86_64-linux-gnu/libpano13.so.3
#6 0x00007ffff733a368 in **HuginBase::PTools::Transform::transform** (this=this@entry=0x7fffffff3fc0,
dest=..., src=...)
at /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panotools/PanoToolsInterface.cpp:250
#7 0x00007ffff724a33f in HuginBase::PanoramaOptions::getVFOV (this=<optimized out>)
at /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/hugin_math/hugin_math.h:87
#8 0x00007ffff724c31e in HuginBase::PanoramaOptions::setProjectionParameters (this=0x7fffffffc530,
params=std::vector of length 0, capacity 0)
at /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panodata/PanoramaOptions.cpp:190
#9 0x00007ffff724c859 in HuginBase::PanoramaOptions::resetProjectionParameters (this=<optimized out>)
at /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panodata/PanoramaOptions.cpp:200
#10 0x00007ffff71cd2ba in HuginBase::PanoramaMemento::loadPTScript (this=<optimized out>, i=...,
ptoVersion=<optimized out>, prefix=...)
at /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panodata/Panorama.cpp:2492
#11 0x00007ffff71f7619 in HuginBase::Panorama::readData (this=<optimized out>, dataInput=...,
documentType=...) at /usr/include/c++/9/bits/basic_string.h:267
#12 0x000055555555e976 in main (argc=<optimized out>, argv=0x7fffffffe4c8)
at /usr/include/c++/9/ext/new_allocator.h:80
### Envionment
OS: Ubuntu 20.04.5 LTS x86_64
Release: hugin 2022.0.0
Program: pto_merge
libhuginbase: 2020.0.0 (retrieved and compiled from source code)
libpano13: 2.9.19
To reproduce the problem, we need to build hugin:
sudo cmake -DCMAKE_C_FLAGS="-g" -DCMAKE_CXX_FLAGS="-g" ..
### How to reproduce
$ pto_merge poc-file *.jpg
(*.jpg any name of jpg file including asterisk(*))
poc-file is attached.
To manage notifications about this bug go to:
https://bugs.launchpad.net/hugin/+bug/2025038/+subscriptions
Follow ups
