1764731 – (CVE-2019-15939) CVE-2019-15939 opencv: division by zero in cv::HOGDescriptor::getDescriptorSize in modules/objdetect/src/hog.cpp

Bug 1764731 (CVE-2019-15939) - CVE-2019-15939 opencv: division by zero in cv::HOGDescriptor::getDescriptorSize in modules/objdetect/src/hog.cpp

Summary: CVE-2019-15939 opencv: division by zero in cv::HOGDescriptor::getDescriptorSi...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	CVE-2019-15939
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1764732 1786692 1786693
Blocks:	1764734
TreeView+	depends on / blocked

Reported:	2019-10-23 16:23 UTC by Guilherme de Almeida Suckevicz
Modified:	2021-02-16 21:10 UTC (History)
CC List:	12 users (show)
Fixed In Version:	opencv 3.4.8
Doc Type:	If docs needed, set a value
Doc Text:	A divide by zero vulnerability was found in OpenCV in the way HOGDescriptor objects are created by loading their properties from a local file. Local files with no "cellSize" property may be vulnerable to this flaw. A remote attacker could exploit this flaw by creating a specially crafted file that, when loaded by a victim, would cause a floating-point exception leading to a denial of service.
Clone Of:
Environment:
Last Closed:	2020-07-28 06:27:42 UTC
Embargoed:

Attachments	(Terms of Use)

Description Guilherme de Almeida Suckevicz 2019-10-23 16:23:09 UTC

An issue was discovered in OpenCV 4.1.0. There is a divide-by-zero error in cv::HOGDescriptor::getDescriptorSize in modules/objdetect/src/hog.cpp.

References:
https://github.com/OpenCV/opencv/issues/15287
https://github.com/opencv/opencv/pull/15382

Comment 1 Guilherme de Almeida Suckevicz 2019-10-23 16:23:22 UTC

Created opencv tracking bugs for this issue:

Affects: fedora-all [bug 1764732]

Comment 4 Mauro Matteo Cascella 2019-12-24 11:38:22 UTC

Upstream fix:
https://github.com/opencv/opencv/pull/15382/commits/5a497077f109d543ab86dfdf8add1c76c0e47d29

Comment 6 Mauro Matteo Cascella 2019-12-27 08:59:15 UTC

This flaw affects the implementation of Histogram of Oriented Gradients (HOG) Descriptor, an algorithm used internally by OpenCV to detect objects in digital images.

More specifically, method HOGDescriptor::getDescriptorSize() computes the remainder of the division of variables blockSize.width by cellSize.width, without ensuring that the value of cellSize.width is not zero. As a result, the code ends up dividing a value by zero, leading to a floating point exception that ultimately results in a crash of the application.

It is worth noting that those variables are set in method HOGDescriptor::read() when a HOGDescriptor object is created by loading its properties from a local file.

Comment 8 Mauro Matteo Cascella 2019-12-27 09:53:52 UTC

Mitigation:

Avoid using the Histogram of Oriented Gradients (HOG) Descriptor algorithm to detect objects in digital images. Alternatively, ensure HOGDescriptor objects are not created from external untrusted files.

Comment 9 Nicolas Chauvet (kwizart) 2020-07-28 06:27:42 UTC

Fixed in 3.4.8 and later Current version in Fedora 31 3.4.10.

Note You need to log in before you can comment on or make changes to this bug.