VYPR
High severity · NVD Advisory · Published Aug 1, 2019 · Updated Aug 5, 2024

CVE-2019-14493

Description

An issue was discovered in OpenCV before 4.1.1. There is a NULL pointer dereference in the function cv::XMLParser::parse at modules/core/src/persistence.cpp.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OpenCV before 4.1.1 has a NULL pointer dereference in XMLParser::parse, allowing denial of service via crafted XML input.

CVE-2019-14493: NULL Pointer Dereference in OpenCV XML Parsing

A NULL pointer dereference vulnerability exists in OpenCV versions prior to 4.1.1. The flaw resides in the cv::XMLParser::parse function within modules/core/src/persistence.cpp [2]. Specifically, when parsing an XML file, the function does not properly validate a pointer returned from skipSpaces, leading to a null pointer dereference at line 795 of persistence_xml.cpp [4]. This issue was reported via a bug report demonstrating a crash triggered by a specially crafted input [4].

The vulnerability can be exploited by providing a malicious XML file to an application using OpenCV's file storage or cascade classifier loading capabilities [4]. No authentication is required, as the attacker only needs to supply the crafted file, for example through an upload feature or network service that processes user-supplied XML. The crash occurs during the parsing stage, making it possible to deny service to the application without any prior privileges.

The impact is a denial of service (DoS) condition. An attacker can cause the application to terminate abruptly due to a segmentation fault, as shown in the AddressSanitizer report from the bug report [4]. This can be used to disrupt services relying on OpenCV, such as image processing pipelines or computer vision applications that load configuration or cascade files.

The issue is fixed in OpenCV version 4.1.1. Users are advised to update to this version or later to mitigate the vulnerability [2][3]. There is no indication as of the publication date that this CVE has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. The fix can be verified by referencing the commit diff between versions [2].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
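The defect described above, an unchecked pointer coming back from a skipSpaces-style helper, illustrated as an added example that is not OpenCV's code: skipSpaces here is a hypothetical stand-in modelled on the description, and the two parse functions show the crashing pattern beside one that fails closed on truncated or whitespace-only input.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>

// Hypothetical stand-in for a skipSpaces-style helper (not the OpenCV
// implementation): advances over whitespace and returns nullptr when the
// buffer ends before any other character is found, which is what a
// truncated or whitespace-only file produces.
static const char* skipSpaces(const char* p, const char* end) {
    while (p < end && (*p == ' ' || *p == '\t' || *p == '\n' || *p == '\r'))
        ++p;
    return p < end ? p : nullptr;
}

// Vulnerable pattern: the returned pointer is used without a NULL check,
// so an input consisting only of whitespace dereferences a null pointer
// and takes the whole process down (the DoS described in the advisory).
bool parseTagUnchecked(const std::string& buf) {
    const char* end = buf.data() + buf.size();
    const char* p = skipSpaces(buf.data(), end);
    return *p == '<';   // undefined behaviour when p is nullptr
}

// Hardened pattern: validate the pointer and report malformed input as a
// catchable error instead of crashing, so callers that load untrusted
// files can reject them and keep running.
bool parseTagChecked(const std::string& buf) {
    const char* end = buf.data() + buf.size();
    const char* p = skipSpaces(buf.data(), end);
    if (!p)
        throw std::runtime_error("unexpected end of XML input");
    return *p == '<';
}

// Caller-side view of the hardened parser:
//  1 -> a tag start was found, 0 -> first non-space char is not '<',
// -1 -> input rejected as truncated (exception caught, no crash).
int safeParseResult(const std::string& buf) {
    try {
        return parseTagChecked(buf) ? 1 : 0;
    } catch (const std::runtime_error&) {
        return -1;
    }
}
```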

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                         Ecosystem   Affected versions   Patched versions
opencv-python                   PyPI        < 4.1.1.26          4.1.1.26
opencv-python-headless          PyPI        < 4.1.1.26          4.1.1.26
opencv-contrib-python           PyPI        < 4.1.1.26          4.1.1.26
opencv-contrib-python-headless  PyPI        < 4.1.1.26          4.1.1.26
