Submit #753162: AprilRobotics apriltag c2172a2 Memory Corruption

Title: AprilRobotics apriltag c2172a2 Memory Corruption
Description:

### Description

We discovered a Segmentation Fault in apriltag. The crash occurs in the zarray_size helper function when accessed from gradient_clusters. It appears that an invalid zarray_t pointer is passed to the function, leading to a memory access violation when dereferencing za->size.

Vendor confirmed and fixed this vulnerability in commit [cfac2f5](https://github.com/AprilRobotics/apriltag/commit/cfac2f5ce1ffe2de25967eb1ab80bc5d99fc1a61).

### Environment

- OS: Linux x86_64
- Compiler: Clang with -fsanitize=undefined
- Affected Version: `master branch`

### Vulnerability Details

- Target: AprilTag
- Vulnerability Type: Segmentation Fault (Invalid Pointer Dereference)
- Function: zarray_size
- Location: common/zarray.h:134 (Called from apriltag_quad_thresh.c:1798)
- Root Cause Analysis: The crash happens at this line:

```
// common/zarray.h:134
return za->size;
```

The caller gradient_clusters iterates through clusters to filter or process them.

```
// apriltag_quad_thresh.c
zarray_size(cluster) < ...
```

The pointer za (passed as 0x5601a2302a70 in the trace) points to invalid memory. This suggests that the data structure tracking the clusters (likely a hash map or an array of pointers) contains corrupted pointers, or a Use-After-Free condition has occurred regarding the cluster objects.

### Reproduce

1. Compile apriltag and the test harness.

<details>
<summary>harness.c</summary>

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include "apriltag.h"
#include "tag36h11.h"
#include "common/image_u8.h"

int main(int argc, char **argv)
{
    apriltag_detector_t *td = apriltag_detector_create();
    apriltag_family_t *tf = tag36h11_create();
    apriltag_detector_add_family(td, tf);
    td->quad_decimate = 1.0;
    td->quad_sigma = 0.0;
    td->nthreads = 1;
    td->debug = 0;
    td->refine_edges = 1;

    if (argc < 2) return 1;

    // Read the whole input file into memory.
    FILE *f = fopen(argv[1], "rb");
    if (!f) return 1;
    fseek(f, 0, SEEK_END);
    long file_size = ftell(f);
    fseek(f, 0, SEEK_SET);
    if (file_size < 0) { fclose(f); return 1; }
    unsigned char *file_data = malloc(file_size);
    if (!file_data) { fclose(f); return 1; }
    if (fread(file_data, 1, file_size, f) != (size_t)file_size) {
        free(file_data);
        fclose(f);
        return 1;
    }
    fclose(f);

    unsigned char *buf = file_data;
    // Single-pass block: `continue` jumps to the while (0) test and skips the detection.
    do {
        int len = (int)file_size;
        if (len < 5) continue;

        // Input layout: two native-endian uint16 dimensions (mod 512), then raw 8-bit pixels.
        uint16_t width = (*(uint16_t *)buf) % 512;
        uint16_t height = (*(uint16_t *)(buf + 2)) % 512;
        if (width == 0) width = 1;
        if (height == 0) height = 1;

        // Shrink the height so width*height never exceeds the pixel bytes available.
        int needed_pixels = width * height;
        int available_pixels = len - 4;
        if (available_pixels < needed_pixels) {
            height = available_pixels / width;
            if (height == 0) continue;
        }

        image_u8_t *im = image_u8_create(width, height);
        if (!im) continue;
        memcpy(im->buf, buf + 4, width * height);

        zarray_t *detections = apriltag_detector_detect(td, im);
        apriltag_detections_destroy(detections);
        image_u8_destroy(im);
    } while (0);

    free(file_data);
    apriltag_detector_remove_family(td, tf);
    tag36h11_destroy(tf);
    apriltag_detector_destroy(td);
    return 0;
}
```

</details>

2. Run the harness with the attached [repro](https://github.com/oneafter/0120/blob/main/repro) input:

```
gdb --args ./harness
run repro
bt
```

GDB report

```
Starting program: /src/apriltag/harness repro
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00005604c1ac7058 in zarray_size (za=0x5601a2302a70) at ./common/zarray.h:134
134         return za->size;
(gdb) bt
#0  0x00005604c1ac7058 in zarray_size (za=0x5601a2302a70) at ./common/zarray.h:134
#1  gradient_clusters (td=td@entry=0x5604c27c02a0, threshim=threshim@entry=0x5604c27c0d10, w=w@entry=320, h=<optimized out>, ts=ts@entry=384, uf=uf@entry=0x5604c27c0dd0) at apriltag_quad_thresh.c:1798
#2  0x00005604c1aca645 in apriltag_quad_thresh (td=td@entry=0x5604c27c02a0, im=im@entry=0x5604c27c0920) at apriltag_quad_thresh.c:1920
#3  0x00005604c1a94a34 in apriltag_detector_detect (td=td@entry=0x5604c27c02a0, im_orig=im_orig@entry=0x5604c27c0920) at apriltag.c:1110
#4  0x00005604c1a91b6c in main (argc=<optimized out>, argv=<optimized out>) at harness4.c:78
```

```
Starting program: /src/apriltag/harness repro
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGILL, Illegal instruction.
0x0000559f6128e93b in zarray_size (za=0x559a384d8609) at ./common/zarray.h:134
134         return za->size;
(gdb) bt
#0  0x0000559f6128e93b in zarray_size (za=0x559a384d8609) at ./common/zarray.h:134
#1  gradient_clusters (td=td@entry=0x559f61bb92a0, threshim=threshim@entry=0x559f61bb9d10, w=w@entry=320, h=<optimized out>, ts=ts@entry=384, uf=uf@entry=0x559f61bb9dd0) at apriltag_quad_thresh.c:1798
#2  0x0000559f61291645 in apriltag_quad_thresh (td=td@entry=0x559f61bb92a0, im=im@entry=0x559f61bb9920) at apriltag_quad_thresh.c:1920
#3  0x0000559f6125ba34 in apriltag_detector_detect (td=td@entry=0x559f61bb92a0, im_orig=im_orig@entry=0x559f61bb9920) at apriltag.c:1110
#4  0x0000559f61258b6c in main (argc=<optimized out>, argv=<optimized out>) at harness4.c:78
```
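The harness derives the image dimensions from a 4-byte header (two native-endian uint16 values taken mod 512, with 0 mapped to 1) and silently reduces the height so that the pixel data fits the bytes that follow. Anyone writing a deterministic regression input for the fixed commit needs to produce files that decode the way the harness expects. The C helper below is an added example, not part of the report, the repro file, or apriltag itself: harness_encode writes a w x h block in that layout and harness_dims decodes a buffer by the same rules the harness applies (both function names are the example's own). The decoder uses memcpy rather than the harness's unaligned uint16_t cast, which is the only deliberate difference.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Decode the harness's 4-byte header the way the report's harness does:
 *   width  = first native-endian uint16 % 512   (0 -> 1)
 *   height = second native-endian uint16 % 512  (0 -> 1),
 *            then reduced so width*height <= pixel bytes available.
 * Returns 1 and fills *w_out/*h_out if the harness would build an image
 * from this buffer, 0 if it would skip it (too short or no full row). */
int harness_dims(const uint8_t *buf, size_t len, unsigned *w_out, unsigned *h_out)
{
    if (len < 5) return 0;

    uint16_t w16, h16;
    memcpy(&w16, buf, 2);       /* memcpy avoids the unaligned cast */
    memcpy(&h16, buf + 2, 2);

    unsigned w = w16 % 512, h = h16 % 512;
    if (w == 0) w = 1;
    if (h == 0) h = 1;

    size_t available = len - 4;
    if (available < (size_t)w * h) {
        h = (unsigned)(available / w);  /* keep only the rows that fit */
        if (h == 0) return 0;
    }

    *w_out = w;
    *h_out = h;
    return 1;
}

/* Write a header plus w*h pixels of value `fill` into `out`, so that the
 * harness decodes it as a w x h image with no truncation.
 * Returns the number of bytes written, or 0 if the dimensions are outside
 * the harness's 1..511 range or `out` is too small. */
size_t harness_encode(unsigned w, unsigned h, uint8_t fill, uint8_t *out, size_t cap)
{
    if (w == 0 || w >= 512 || h == 0 || h >= 512) return 0;
    size_t need = 4 + (size_t)w * h;
    if (cap < need) return 0;

    uint16_t w16 = (uint16_t)w, h16 = (uint16_t)h;
    memcpy(out, &w16, 2);
    memcpy(out + 2, &h16, 2);
    memset(out + 4, fill, (size_t)w * h);
    return need;
}

int main(void)
{
    /* Constructed sample: a 320x240 mid-grey frame, the width seen in the trace. */
    static uint8_t buf[4 + 320 * 240];
    size_t n = harness_encode(320, 240, 0x80, buf, sizeof buf);
    unsigned w, h;
    if (harness_dims(buf, n, &w, &h))
        printf("encoded %zu bytes -> harness decodes %ux%u\n", n, w, h);
    return 0;
}
```

Writing the buffer returned by harness_encode to a file and passing that file to the harness gives a well-formed input of known dimensions; harness_dims can be used on any corpus file to see which geometry the harness actually fed to apriltag_detector_detect.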
Source: https://github.com/AprilRobotics/apriltag/issues/422
User: Oneafter (UID 92781)
Submission: 06.02.2026 04:24 (4 months ago)
Moderation: 09.02.2026 13:15 (3 days later)
Status: Accepted
VulDB Entry: 344994 [AprilRobotics apriltag up to 3.4.5 apriltag.c apriltag_detector_detect buffer overflow]
Points: 20
