Bug 1764731 (CVE-2019-15939) - CVE-2019-15939 opencv: division by zero in cv::HOGDescriptor::getDescriptorSize in modules/objdetect/src/hog.cpp
Summary: CVE-2019-15939 opencv: division by zero in cv::HOGDescriptor::getDescriptorSi...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2019-15939
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1764732 1786692 1786693
Blocks: 1764734
TreeView+ depends on / blocked
 
Reported: 2019-10-23 16:23 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-02-16 21:10 UTC (History)
12 users (show)

Fixed In Version: opencv 3.4.8
Doc Type: If docs needed, set a value
Doc Text:
A divide by zero vulnerability was found in OpenCV in the way HOGDescriptor objects are created by loading their properties from a local file. Local files with no "cellSize" property may be vulnerable to this flaw. A remote attacker could exploit this flaw by creating a specially crafted file that, when loaded by a victim, would cause a floating-point exception leading to a denial of service.
Clone Of:
Environment:
Last Closed: 2020-07-28 06:27:42 UTC


Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2019-10-23 16:23:09 UTC
An issue was discovered in OpenCV 4.1.0. There is a divide-by-zero error in cv::HOGDescriptor::getDescriptorSize in modules/objdetect/src/hog.cpp.

References:
https://github.com/OpenCV/opencv/issues/15287
https://github.com/opencv/opencv/pull/15382

Comment 1 Guilherme de Almeida Suckevicz 2019-10-23 16:23:22 UTC
Created opencv tracking bugs for this issue:

Affects: fedora-all [bug 1764732]

Comment 6 Mauro Matteo Cascella 2019-12-27 08:59:15 UTC
This flaw affects the implementation of Histogram of Oriented Gradients (HOG) Descriptor, an algorithm used internally by OpenCV to detect objects in digital images.

More specifically, method HOGDescriptor::getDescriptorSize() computes the remainder of the division of variables blockSize.width by cellSize.width, without ensuring that the value of cellSize.width is not zero. As a result, the code ends up dividing a value by zero, leading to a floating point exception that ultimately results in a crash of the application.

It is worth noting that those variables are set in method HOGDescriptor::read() when a HOGDescriptor object is created by loading its properties from a local file.

Comment 8 Mauro Matteo Cascella 2019-12-27 09:53:52 UTC
Mitigation:

Avoid using the Histogram of Oriented Gradients (HOG) Descriptor algorithm to detect objects in digital images. Alternatively, ensure HOGDescriptor objects are not created from external untrusted files.

Comment 9 Nicolas Chauvet (kwizart) 2020-07-28 06:27:42 UTC
Fixed in 3.4.8 and later Current version in Fedora 31 3.4.10.


Note You need to log in before you can comment on or make changes to this bug.