CVE-2021-27847: bugs found by our scanner · Issue #1236 · libvips/libvips
Division-By-Zero vulnerability in Libvips 8.10.5 in the function vips_eye_point, eye.c#L83, and function vips_mask_point, mask.c#L85.
Hi, we developed a taint-analysis-based static analysis tool named Vanguard. It can prognose potential vulnerabilities by identifying security-sensitive operations (e.g. divide-by-zero, mod-by-zero, array index access, and sensitive function calls) without proper checks on their operands.
Some code locations are listed in the following. After our manual analysis, we think these locations may be bugs. Please check them, and add precondition checks if necessary.
Divide/Mod-Zero
1. In function vips_zoom_gen, zoom.c#L260#L266#L275
```c
left = VIPS_ROUND_DOWN( r->left, zoom->xfac );
right = VIPS_ROUND_UP( ri, zoom->xfac );
top = VIPS_ROUND_DOWN( r->top, zoom->yfac );
bottom = VIPS_ROUND_UP( bo, zoom->yfac );
s.left = left / zoom->xfac;
s.top = top / zoom->yfac;
s.width = width / zoom->xfac;
s.height = height / zoom->yfac;
left = VIPS_ROUND_UP( r->left, zoom->xfac );
right = VIPS_ROUND_DOWN( ri, zoom->xfac );
top = VIPS_ROUND_UP( r->top, zoom->yfac );
bottom = VIPS_ROUND_DOWN( bo, zoom->yfac );
```
Divisor: zoom->xfac, zoom->yfac
Result: Could be 0, Please Check.
2. In function vips_point_build, point.c#L105
```c
float range = max - min;
if( vips_linear1( in, &t[2],
	255.0 / range, -min * 255.0 / range,
	"uchar", TRUE,
	NULL ) )
	return( -1 );
in = t[2];
```
Divisor: range
Result: Could be 0, Please Check.
3. In function vips_eye_point, eye.c#L83
```c
double h = ((point->height - 1) * (point->height - 1));
return( y * y * cos( c * x * x ) / h );
```
Divisor: h
Result: Could be 0, Please Check.
4. In function vips_mask_point, mask.c#L85
```c
dx = (double) x / half_width;
dy = (double) y / half_height;
```
Divisor: half_width, half_height
Result: Could be 0, Please Check.
Array-Index-Bound
1. In function vips_gamma_build, gamma.c#L97
```c
scale = pow( vips_gamma_maxval[in->BandFmt], 1.0 / gamma->exponent ) /
	vips_gamma_maxval[in->BandFmt];
```
Array expression: vips_gamma_maxval[in->BandFmt]
needs bound checking: 0<=in->BandFmt<10
2. In function vips_byteswap_gen, byteswap.c#L138
```c
SwapFn swap = vips_byteswap_swap_fn[im->BandFmt];
```
Array expression: vips_byteswap_swap_fn[im->BandFmt]
needs bound checking: 0<=in->BandFmt<10
3. In function vips_byteswap_build, byteswap.c#L169
```c
if( byteswap->in->Coding != VIPS_CODING_NONE ||
	!vips_byteswap_swap_fn[byteswap->in->BandFmt] )
	return( vips_image_write( byteswap->in, conversion->out ) );
```
Array expression: vips_byteswap_swap_fn[im->BandFmt]
needs bound checking: 0<=in->BandFmt<10
Sensitive-Function-Call
1. In function find_header, unpack_seek.c#L289
```c
memcpy (wphdr, sp - 4, sizeof (*wphdr));
```
[memcpy] is a security-sensitive function using tainted data: [wphdr ]
2. In function rtiff_memcpy_line, tiff2vips.c#L1219
[memcpy] is a security-sensitive function using tainted data: [len ]
3. In function tile_copy, sinkscreen.c#L843
[memcpy] is a security-sensitive function using tainted data: [len ]
4. In function vips_region_paint, region.c#L958#L987
```c
memset( (char *) q, value, wd );
memcpy( (char *) q1, (char *) q, wd );
```
[memset] is a security-sensitive function using tainted data: [wd ]
[memcpy] is a security-sensitive function using tainted data: [wd ]
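As an added example (not libvips code and not the reporter's), the divide-by-zero pattern from findings 3 and 4 (vips_eye_point, vips_mask_point) is shown next to the kind of precondition check the report asks for. The MaskParams struct, the function names, and the assumption that half_width and half_height are width / 2 and height / 2 are mine, not taken from the issue.

```c
#include <float.h>

/* Constructed stand-in for the mask geometry (not libvips' own struct). */
typedef struct { int width; int height; } MaskParams;

/* Assumed derivation of the flagged divisors: a width or height of 1 halves to 0. */
static int half_extent(int size) { return size / 2; }

/* True for inf or NaN, without needing libm. */
static int non_finite(double v) { return v > DBL_MAX || v < -DBL_MAX || v != v; }

/* Unchecked form of the flagged lines. Under IEEE 754 the division by 0 does not
 * trap: it yields +/-inf (or NaN when x is 0) and propagates silently downstream. */
static void mask_point_unchecked(const MaskParams *m, int x, int y, double *dx, double *dy)
{
    *dx = (double) x / half_extent(m->width);
    *dy = (double) y / half_extent(m->height);
}

/* Hardened form: reject a zero half-extent before dividing; returns -1 on error. */
static int mask_point_checked(const MaskParams *m, int x, int y, double *dx, double *dy)
{
    int half_width = half_extent(m->width), half_height = half_extent(m->height);
    if (half_width <= 0 || half_height <= 0)
        return -1;   /* caller reports "width and height must be at least 2" */
    *dx = (double) x / half_width;
    *dy = (double) y / half_height;
    return 0;
}

/* Same pattern for vips_eye_point's h = (height - 1)^2, which is 0 when height is 1. */
static int eye_divisor(int height, double *h)
{
    *h = (double) (height - 1) * (height - 1);
    return *h > 0.0 ? 0 : -1;
}

/* Demo: a 1x1 mask makes the unchecked path produce non-finite coordinates. */
static int unchecked_non_finite_for_1x1(void)
{
    MaskParams m = { 1, 1 };
    double dx, dy;
    mask_point_unchecked(&m, 3, 0, &dx, &dy);
    return non_finite(dx) && non_finite(dy);
}
```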