Bug 1752702 (CVE-2019-16249) - CVE-2019-16249 opencv: Out-of-bounds read in hal_baseline::v_load in core/hal/intrin_sse.hpp
Summary: CVE-2019-16249 opencv: Out-of-bounds read in hal_baseline::v_load in core/hal...
Alias: CVE-2019-16249
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1752703 1777240
Blocks: 1752704
TreeView+ depends on / blocked
Reported: 2019-09-17 03:13 UTC by Pedro Sampaio
Modified: 2019-11-29 13:42 UTC (History)
12 users (show)

Fixed In Version: opencv 4.1.2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-11-26 19:04:56 UTC

Attachments (Terms of Use)

Description Pedro Sampaio 2019-09-17 03:13:58 UTC
OpenCV 4.1.1 has an out-of-bounds read in hal_baseline::v_load in core/hal/intrin_sse.hpp when called from computeSSDMeanNorm in modules/video/src/dis_flow.cpp.

Upstream issue:


Comment 1 Pedro Sampaio 2019-09-17 03:14:11 UTC
Created opencv tracking bugs for this issue:

Affects: fedora-all [bug 1752703]

Comment 3 Mauro Matteo Cascella 2019-11-26 13:32:52 UTC
Upstream fix:

Comment 4 Mauro Matteo Cascella 2019-11-26 16:33:54 UTC

This issue did not affect the versions of OpenCV as shipped with Red Hat Enterprise Linux 6, and 7 as they did not include support for DIS optflow algorithm.
This issue did not affect the versions of OpenCV as shipped with Red Hat Enterprise Linux 8 as DIS optflow algorithm did not include support for Single Instruction, Multiple Data (SIMD).

Comment 5 Mauro Matteo Cascella 2019-11-26 16:35:06 UTC
For the DIS optflow algorithm to be vulnerable the CV_SIMD128 macro has to be defined, as the vulnerable code in computeSSDMeanNorm function is conditionally compiled based on the value of that macro. Specifically, CV_SIMD128 is defined in the header file intrin_sse.hpp which, in turn, is included by intrin.hpp if SSE support is enabled. Despite the support of SSE, the version of OpenCV shipped with Red Hat Enterprise Linux 8 is not affected by this flaw due to the header file "opencv2/core/hal/intrin.hpp" not being included in the source file dis_flow.cpp.
The commit that removed the include statement from dis_flow.cpp is https://github.com/opencv/opencv_contrib/commit/64b3bbb6201b183db37ec3d6bc47c595c150b0d3. Please note that the commit refers to opencv_contrib repository, as optflow algorithm was an "extra" module under development. The optflow algorithm has been successively moved to the central OpenCV repository in release 4.0.0 (Pull Request https://github.com/opencv/opencv/pull/13084). The missing header has been reintroduced later with a fix in commit https://github.com/opencv/opencv/commit/c96850ba599ada02dad6bd1a4271ce8f4f20e246.

Comment 6 Mauro Matteo Cascella 2019-11-26 16:39:16 UTC
Function DISOpticalFlowImpl::PatchInverseSearch_ParBody::operator() in dis_flow.cpp wrongly computes the index of the uchar array I1_ptr. Consequently, a pointer to the last 12 bytes is passed as second argument to function computeSSDMeanNorm which reads 16 bytes from it through the HAL_PROCESS_BILINEAR_8x8_PATCH_EXTRACTION macro. This leads to a 4-byte out-of-bound read in v_load function defined in intrin_sse.hpp.

Upstream fix replaces the v_load() call in HAL_PROCESS_BILINEAR_8x8_PATCH_EXTRACTION macro with v_load_expand() which only reads 8 bytes from the pointer passed as argument.

Comment 7 Product Security DevOps Team 2019-11-26 19:04:56 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.