OpenCV 4.1.1 has an out-of-bounds read in hal_baseline::v_load in core/hal/intrin_sse.hpp when called from computeSSDMeanNorm in modules/video/src/dis_flow.cpp.
Created opencv tracking bugs for this issue:
Affects: fedora-all [bug 1752703]
This issue did not affect the versions of OpenCV as shipped with Red Hat Enterprise Linux 6, and 7 as they did not include support for DIS optflow algorithm.
This issue did not affect the versions of OpenCV as shipped with Red Hat Enterprise Linux 8 as DIS optflow algorithm did not include support for Single Instruction, Multiple Data (SIMD).
For the DIS optflow algorithm to be vulnerable the CV_SIMD128 macro has to be defined, as the vulnerable code in computeSSDMeanNorm function is conditionally compiled based on the value of that macro. Specifically, CV_SIMD128 is defined in the header file intrin_sse.hpp which, in turn, is included by intrin.hpp if SSE support is enabled. Despite the support of SSE, the version of OpenCV shipped with Red Hat Enterprise Linux 8 is not affected by this flaw due to the header file "opencv2/core/hal/intrin.hpp" not being included in the source file dis_flow.cpp.
The commit that removed the include statement from dis_flow.cpp is https://github.com/opencv/opencv_contrib/commit/64b3bbb6201b183db37ec3d6bc47c595c150b0d3. Please note that the commit refers to opencv_contrib repository, as optflow algorithm was an "extra" module under development. The optflow algorithm has been successively moved to the central OpenCV repository in release 4.0.0 (Pull Request https://github.com/opencv/opencv/pull/13084). The missing header has been reintroduced later with a fix in commit https://github.com/opencv/opencv/commit/c96850ba599ada02dad6bd1a4271ce8f4f20e246.
Function DISOpticalFlowImpl::PatchInverseSearch_ParBody::operator() in dis_flow.cpp wrongly computes the index of the uchar array I1_ptr. Consequently, a pointer to the last 12 bytes is passed as second argument to function computeSSDMeanNorm which reads 16 bytes from it through the HAL_PROCESS_BILINEAR_8x8_PATCH_EXTRACTION macro. This leads to a 4-byte out-of-bound read in v_load function defined in intrin_sse.hpp.
Upstream fix replaces the v_load() call in HAL_PROCESS_BILINEAR_8x8_PATCH_EXTRACTION macro with v_load_expand() which only reads 8 bytes from the pointer passed as argument.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):