[opencv] 51/53: flann: fix out of buffer access

[Nobuhiro Iwamatsu]

This is an automated email from the git hooks/post-receive script.

iwamatsu pushed a commit to annotated tag 2.4.13.3
in repository opencv.

commit 7dceebbc4e47d0fc9bee8f0c28edd674412c6096
Author: Alexander Alekhin <alexander.alekhin at intel.com>
Date:   Wed Jul 26 18:16:39 2017 +0300

    flann: fix out of buffer access
---
 modules/flann/include/opencv2/flann/lsh_table.h | 25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)

diff --git a/modules/flann/include/opencv2/flann/lsh_table.h b/modules/flann/include/opencv2/flann/lsh_table.h
index cef01b2..4cf47b7 100644
--- a/modules/flann/include/opencv2/flann/lsh_table.h
+++ b/modules/flann/include/opencv2/flann/lsh_table.h
@@ -146,6 +146,7 @@ public:
      */
     LshTable()
     {
+        feature_size_ = 0;
     }
 
     /** Default constructor
@@ -156,7 +157,7 @@ public:
      */
     LshTable(unsigned int feature_size, unsigned int key_size, std::vector<size_t> & indices)
     {
-        (void)feature_size;
+        feature_size_ = feature_size;
         (void)key_size;
         (void)indices;
         std::cerr << "LSH is not implemented for that type" << std::endl;
@@ -335,6 +336,8 @@ private:
      */
     unsigned int key_size_;
 
+    unsigned int feature_size_;
+
     // Members only used for the unsigned char specialization
     /** The mask to apply to a feature to get the hash key
      * Only used in the unsigned char case
@@ -350,9 +353,10 @@ inline LshTable<unsigned char>::LshTable( unsigned int feature_size,
                                           unsigned int subsignature_size,
                                           std::vector<size_t> & indices  )
 {
+    feature_size_ = feature_size;
     initialize(subsignature_size);
     // Allocate the mask
-    mask_ = std::vector<size_t>((size_t)ceil((float)(feature_size * sizeof(char)) / (float)sizeof(size_t)), 0);
+    mask_ = std::vector<size_t>((feature_size * sizeof(char) + sizeof(size_t) - 1) / sizeof(size_t), 0);
 
     // Generate a random set of order of subsignature_size_ bits
     for (unsigned int i = 0; i < key_size_; ++i) {
@@ -391,6 +395,7 @@ inline size_t LshTable<unsigned char>::getKey(const unsigned char* feature) cons
 {
     // no need to check if T is dividable by sizeof(size_t) like in the Hamming
     // distance computation as we have a mask
+    // FIXIT: This is bad assumption, because we reading tail bytes after of the allocated features buffer
     const size_t* feature_block_ptr = reinterpret_cast<const size_t*> ((const void*)feature);
 
     // Figure out the subsignature of the feature
@@ -399,10 +404,20 @@ inline size_t LshTable<unsigned char>::getKey(const unsigned char* feature) cons
     size_t subsignature = 0;
     size_t bit_index = 1;
 
-    for (std::vector<size_t>::const_iterator pmask_block = mask_.begin(); pmask_block != mask_.end(); ++pmask_block) {
+    for (unsigned i = 0; i < feature_size_; i += sizeof(size_t)) {
         // get the mask and signature blocks
-        size_t feature_block = *feature_block_ptr;
-        size_t mask_block = *pmask_block;
+        size_t feature_block;
+        if (i <= feature_size_ - sizeof(size_t))
+        {
+            feature_block = *feature_block_ptr;
+        }
+        else
+        {
+            size_t tmp = 0;
+            memcpy(&tmp, feature_block_ptr, feature_size_ - i); // preserve bytes order
+            feature_block = tmp;
+        }
+        size_t mask_block = mask_[i / sizeof(size_t)];
         while (mask_block) {
             // Get the lowest set bit in the mask block
             size_t lowest_bit = mask_block & (-(ptrdiff_t)mask_block);

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/debian-science/packages/opencv.git