fix(wechat_qrcode): Init nBytes after the count value is determined

[Konano]

Merge with test case: opencv/opencv_extra#1061

A malicious crafted image will crash the wechat_qrcode module by invalid memory access.

The earliest PoC by @GZTimeWalker: https://gist.github.com/GZTimeWalker/3ca70a8af2f5830711e9cccc73fb5270

Sample image:

In DecodedBitStreamParser::decodeByteSegment, an attacker can add a byte segment with the Character Count Indicator of non-zero but empty content at the end of the data segment, where available is 0 and count is updated to 0, but nBytes remains non-zero.

opencv_contrib/modules/wechat_qrcode/src/zxing/qrcode/decoder/decoded_bit_stream_parser.cpp

Lines 193 to 200 in 960b3f6

	int nBytes = count;
	BitSource& bits(*bits_);
	// Don't crash trying to read more bits than we have available.
	int available = bits.available();
	// try to repair count data if count data is invalid
	if (count * 8 > available) {
	count = (available + 7 / 8);
	}

Since count is 0, the readBytes in L203 is a null pointer.

opencv_contrib/modules/wechat_qrcode/src/zxing/qrcode/decoder/decoded_bit_stream_parser.cpp

Lines 202 to 203 in 960b3f6

	ArrayRef<char> bytes_(count);
	char* readBytes = &(*bytes_)[0];

Then DecodedBitStreamParser::decodeByteSegment will call DecodedBitStreamParser::append, where the nBytes parameter is not 0.

opencv_contrib/modules/wechat_qrcode/src/zxing/qrcode/decoder/decoded_bit_stream_parser.cpp

Line 227 in 960b3f6

append(result, readBytes, nBytes, err_handler);

Eventually the program will crash at line 108 because it accesses a null pointer.

opencv_contrib/modules/wechat_qrcode/src/zxing/qrcode/decoder/decoded_bit_stream_parser.cpp

Line 108 in 960b3f6

result.append((const char*)bufIn, nIn);

We think the essence of the issue is that count was modified without updating nBytes, resulting in inconsistent values for the two variables. Unlike #3479, we think that the initialization of nBytes should be done after the value of count has been determined, which helps avoid other potential errors.

Moreover, we also found some wrong calculations in line 199, which are corrected together in this PR.

Also fixed #3478.

Pull Request Readiness Checklist

See details at https://github.com/opencv/opencv/wiki/How_to_contribute#making-a-good-pull-request

• I agree to contribute to the project under Apache 2 License.
• To the best of my knowledge, the proposed patch is not based on a code under GPL or another license that is incompatible with OpenCV
• The PR is proposed to the proper branch
• There is a reference to the original bug report and related work
• There is accuracy test, performance test and test data in opencv_extra repository, if applicable
  Patch to opencv_extra has the same branch name.
• The feature is well documented and sample code can be built with the project CMake

[ssst0n3]

Amazing, too fast

[k3lpi3b4nsh33]

Orz!!

[TUGOhost]

amazing

[syuy]

Cool!

[Lakr233]

LGTM

[helin0815]

太猛了哥

[KarKLi]

amazing!

[KongWeibin]

interesting

[Timon-2022]

niuwa!!!!mobai dalao!

[Naville]

ChatGPT 3.5:

What's the bug in this code?

int available = bits.available();
     // try to repair count data if count data is invalid
     if (count * 8 > available) {
         count = (available + 7 / 8);
     }

     ArrayRef<char> bytes_(count);

There is a bug in the line count = (available + 7 / 8);.
The expression 7/8 will be evaluated as integer division, resulting in a value of 0. Therefore, count will always be set to > available rather than being adjusted to the correct number of bytes needed to store the count data.
To fix the bug, the expression should be count = (available + 7) / 8;, which will correctly round up to the nearest integer number of bytes needed to store the count data.

[yilongli-tubi]

Amazing! This bug seems to just crash my WeChat client program...

[yoghurt-lee]

amazing！

[Nagico]

But today is not Thursday😂

[DapengFeng]

LGTM

[sfc9982]

Long live these volunteers! ❤️

[UPON-2021]

amazing！

[Apple-QAQ]

Too Fast!

[xieyumc]

QQ和微信都会crash

[NoahZhang1]

Cool!! Really fast

[mochaaP]

lgtm

[Konano]

@opencv-alalek @asmorkalov Would it be possible to review and merge of my pull request? Thank you very much!

[HRan2004]

666

[RJHD-GIT]

有品

[JulianSong]

LGTM

[WanliZhong]

@Konano @GZTimeWalker Hi, thanks for your contribution! Your patch will be the main branch to fix this bug. There are some comments:

1. put a test image to opencv_extra/testdata/cv/qrcode/
2. create a new pr to opencv_extra which branch name should be patch-1 in Konano’s repository.
3. then update your code in opencv_contrib, the CI test will automatically pull the new test data to test your pr
4. add test code in modules/wechat_qrcode/test/test_qrcode.cpp

   TEST(Objdetect_QRCode_bug, issue_3478) {
       auto detector = wechat_qrcode::WeChatQRCode();
       std::string image_path = findDataFile("qrcode/issue_3478.png");
       Mat src = imread(image_path, IMREAD_GRAYSCALE);
       ASSERT_FALSE(src.empty()) << "Can't read image: " << image_path;
       std::vector<std::string> outs = detector.detectAndDecode(src);
       ASSERT_EQ(1, (int) outs.size());
       ASSERT_EQ(16, (int) outs[0].size());
       ASSERT_EQ("KFCVW50         ", outs[0]);
   }

5. after testing, your method does not pass the test sample on windows platform
6. I suggest you add code at Line 202

   // issue https://github.com/opencv/opencv_contrib/issues/3478
   if (bytes_->empty())
       return;

[Konano]

@WanliZhong Thank you for your help!

You mentioned that our method did not pass the test sample on windows platform, so I checked the test logs and the error message for test failure is as follows:

unknown file: error: C++ exception with description "OpenCV(4.7.0-dev) C:\build\precommit-contrib_windows64\4.x\opencv\modules\ts\src\ts.cpp:1071: error: (-2:Unspecified error) OpenCV tests: Can't find required data file: qrcode/issue_3478.png in function 'cvtest::findData'

" thrown in the test body.

It looks like the new test case is not loaded?

[WanliZhong]

@WanliZhong Thank you for your help!

You mentioned that our method did not pass the test sample on windows platform, so I checked the test logs and the error message for test failure is as follows:

unknown file: error: C++ exception with description "OpenCV(4.7.0-dev) C:\build\precommit-contrib_windows64\4.x\opencv\modules\ts\src\ts.cpp:1071: error: (-2:Unspecified error) OpenCV tests: Can't find required data file: qrcode/issue_3478.png in function 'cvtest::findData'

" thrown in the test body.

It looks like the new test case is not loaded?

Before runing the test, you should add an env variable to refer the test data OPENCV_TEST_DATA_PATH=path/to/opencv_extra/testdata

[GZTimeWalker]

@WanliZhong All changes are applied, and we updated the branch https://github.com/Konano/opencv_extra/tree/patch-1

The error on windows x64 are caused by the wrong environment variables, we tested the code localy, it works fine.

[WanliZhong]

Good! Let's check if the test can be passed on all platform

[Henryk07]

so fast!! 厉害！

[zihaomu]

Thanks for your contribution! 👍

[zihaomu]

Please take a look. @asmorkalov, @opencv-alalek, @vpisarev.
This error only occurs in wechat_qrcode, but not in the qrcode of opencv/opencv.

[WanliZhong]

There is a slight difference between qrcode and wechat_qrcode. qrcode module will return an empty string, since the qrcode is considered to be wrong case. But wechat_qrcode will ignore the error and return "KFCVW50 "

[GZTimeWalker]

There is a slight difference between qrcode and wechat_qrcode. qrcode module will return an empty string, since the qrcode is considered to be wrong case. But wechat_qrcode will ignore the error and return "KFCVW50 "

From my point of view, since the data in the mixed mode of the QRCode is parsed from many segments, a decoder should have to output as many partially correct results as possible.

[fengyuentau]

If I understand correctly, bytes_->empty() should be equivalent to nBytes == 0. So why not using nBytes == 0 for simplicity and efficiency?

[Konano]

I think this change would be a more visual indication of the intention to avoid null pointers?

[zihaomu]

yes

[Konano]

🎉 All test cases on all platform have been passed!

[view6view]

tql，大佬

[hanxu317317]

昨天刚发现. 今天就修复~够速度 .

[7a3lv7]

Amazing

[Konano]

It seems that everything is done. Can you please review and merge? @alalek.

[hcqbuqingzhen]

NIU 大佬

[karzeoy]

amazing！

[Takeoff0518]

OrzOrzOrzOrz

[Konano]

This pr has too much attention on the internet and has been merged, maybe we should lock it to avoid too many pointless comments. @WanliZhong @zihaomu