flawfinder -m 3 --html --quiet --dataonly --context opencv-2.4.4/ > opencv-flaws.html
This analyses the source code and returns a lot of results, most of them false positives, but there are already several vulnerabilities I have checked and confirmed as real:
In the file opencv-2.4.4/modules/legacy/src/oneway.cpp line 1795:
    if (fscanf(pFile, "%s", imagename) <= 0)
There is a buffer overflow when reading long file names from a list of files, such as a list with entries like:
    one_way_train_0000AAAAAAAAAAA...AAAAAAAAAAAAAAAAAAAAAAAAAA.jpg
    one_way_train_0001BBBBBBBBBBB...BBBBBBBBBBBBBBBBBBBBBBBBBB.jpg
For example, when executing:
    ./c-example-one_way_sample location scene_l.bmp scene_r.bmp
    Reading the images...
    Extracted 42 keypoints...
    Training one way descriptors...
    *** buffer overflow detected ***: ./c-example-one_way_sample terminated
In the file opencv-2.4.4/modules/highgui/src/cap_images.cpp line 114:
    sprintf(str, filename, firstframe + currentframe);
There is a format string vulnerability when reading specially crafted file names. For example:
    ./c-example-adaptiveskindetector C:\VideoSequences\sample1\right_view\temp_%05d%n%s%s%s%s%s.jpg 0 1000
    Press ESC to stop.
    *** %n in writable segment detected ***
    Abortado
Although of less concern, there are also vulnerabilities in the samples; here are two I found:
opencv-2.4.4/samples/cpp/hybridtrackingsample.cpp line 82, a buffer overflow:
    sprintf(test_file, "%s", argv[1]);
opencv-2.4.4/samples/cpp/hybridtrackingsample.cpp line 85, another buffer overflow:
    int values_read = fscanf(f, "%s\n", vid);
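As an added example (not OpenCV's own code), the two patterns reported above can be bounded like this in C: the unbounded fscanf("%s") reads get a width derived from the buffer size, and the frame-name pattern of cap_images.cpp is whitelisted to a single %d directive before it is ever passed to printf. Function names and the sample file list are constructed for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Replacement for fscanf(pFile, "%s", imagename): width derived from the buffer,
 * rest of an over-long token discarded. Returns 1 ok, 0 EOF/error, -1 truncated. */
int read_image_name(FILE *pFile, char *buf, size_t cap)
{
    char fmt[32];
    if (cap < 2) return 0;
    snprintf(fmt, sizeof fmt, "%%%zus", cap - 1);     /* "%255s" for cap 256 */
    if (fscanf(pFile, fmt, buf) != 1) return 0;
    int c = fgetc(pFile);
    if (c == EOF || isspace(c)) return 1;
    while (c != EOF && !isspace(c)) c = fgetc(pFile); /* drop the overflow */
    return -1;
}

/* Accepts only patterns like "temp_%05d.jpg": exactly one %d conversion with
 * optional flags/width; any other directive (%n, %s, ...) is rejected. */
int frame_pattern_is_safe(const char *pattern)
{
    int conversions = 0;
    for (const char *p = pattern; *p; p++) {
        if (*p != '%') continue;
        if (*++p == '%') continue;                                /* literal %% */
        while (*p == '0' || *p == '-' || *p == '+' || *p == ' ') p++; /* flags */
        while (isdigit((unsigned char)*p)) p++;                   /* width */
        if (*p != 'd') return 0;
        conversions++;
    }
    return conversions == 1;
}

/* Replacement for sprintf(str, filename, firstframe + currentframe):
 * validate the pattern, then bound the write. Returns length or -1. */
int format_frame_name(char *out, size_t cap, const char *pattern, int frame)
{
    if (!frame_pattern_is_safe(pattern)) return -1;
    int n = snprintf(out, cap, pattern, frame);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

FILE *sample_list(void)   /* constructed file list (not real data), 2nd entry over-long */
{
    FILE *f = tmpfile();
    fputs("one_way_train_0000.jpg\none_way_train_0001AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.jpg\n", f);
    rewind(f);
    return f;
}
```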
References:
http://code.opencv.org/issues/2968