Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Heap-buffer-overflow in lib/openjp2/pi.c:623 #1293

Closed
zodf0055980 opened this issue Dec 1, 2020 · 4 comments
Closed

Heap-buffer-overflow in lib/openjp2/pi.c:623 #1293

zodf0055980 opened this issue Dec 1, 2020 · 4 comments

Comments

@zodf0055980
Copy link
Contributor

zodf0055980 commented Dec 1, 2020
edited

I found a heap buffer overflow in the current master (61ff143).
I build openjpeg with ASAN, this is ASAN report.
POC picture :
sample

➜  ~ /openjpeg/build/bin/opj_compress  -o ./a.j2c -POC T1=0,4,0,0,0,CPRL -IMF 2K_R -i ./sample.png 
IMF profile activated
Other options specified could be overridden

[WARNING] IMF profile forbid POC markers.
-> Compression parameters set 1 POC.
-> Non-IMF codestream will be generated
[ERROR] Missing packets possible loss of data
[INFO] tile number 1 / 1
=================================================================
==17851==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6070000020d0 at pc 0x7fa70a2a1c95 bp 0x7fffd239c230 sp 0x7fffd239c220
READ of size 4 at 0x6070000020d0 thread T0
    #0 0x7fa70a2a1c94 in opj_pi_next_cprl /home/yuan/afl-target/openjpeg/src/lib/openjp2/pi.c:621
    #1 0x7fa70a2a1c94 in opj_pi_next /home/yuan/afl-target/openjpeg/src/lib/openjp2/pi.c:2112
    #2 0x7fa70a3255cc in opj_t2_encode_packets /home/yuan/afl-target/openjpeg/src/lib/openjp2/t2.c:328
    #3 0x7fa70a3499ee in opj_tcd_t2_encode /home/yuan/afl-target/openjpeg/src/lib/openjp2/tcd.c:2562
    #4 0x7fa70a3499ee in opj_tcd_encode_tile /home/yuan/afl-target/openjpeg/src/lib/openjp2/tcd.c:1465
    #5 0x7fa70a22366d in opj_j2k_write_sod /home/yuan/afl-target/openjpeg/src/lib/openjp2/j2k.c:4813
    #6 0x7fa70a22366d in opj_j2k_write_first_tile_part /home/yuan/afl-target/openjpeg/src/lib/openjp2/j2k.c:12640
    #7 0x7fa70a22366d in opj_j2k_post_write_tile /home/yuan/afl-target/openjpeg/src/lib/openjp2/j2k.c:12396
    #8 0x7fa70a25b8dd in opj_j2k_encode /home/yuan/afl-target/openjpeg/src/lib/openjp2/j2k.c:12145
    #9 0x5584c8bdab75 in main /home/yuan/afl-target/openjpeg/src/bin/jp2/opj_compress.c:2206
    #10 0x7fa709370bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #11 0x5584c8bdfd69 in _start (/home/yuan/afl-target/openjpeg/build/bin/opj_compress+0x1ad69)

0x6070000020d0 is located 8 bytes to the right of 72-byte region [0x607000002080,0x6070000020c8)
allocated by thread T0 here:
    #0 0x7fa70a659d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28)
    #1 0x7fa70a28faa7 in opj_pi_create /home/yuan/afl-target/openjpeg/src/lib/openjp2/pi.c:1024

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/yuan/afl-target/openjpeg/src/lib/openjp2/pi.c:621 in opj_pi_next_cprl
Shadow bytes around the buggy address:
  0x0c0e7fff83c0: fd fd fd fd fd fd fa fa fa fa fd fd fd fd fd fd
  0x0c0e7fff83d0: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0e7fff83e0: fd fd fa fa fa fa fd fd fd fd fd fd fd fd fd fd
  0x0c0e7fff83f0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c0e7fff8400: fa fa fd fd fd fd fd fd fd fd fd fd fa fa fa fa
=>0x0c0e7fff8410: 00 00 00 00 00 00 00 00 00 fa[fa]fa fa fa fa fa
  0x0c0e7fff8420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==17851==ABORTING

The error -POC with -IMF cause this problem.
IF the -POC compStart more than 3. It have heap-buffer-overflow read.
@zodf0055980
Copy link
Contributor Author

I think this is the same problem
POC : qq

➜  ~ ~/afl-target/openjpeg/build/bin/opj_compress -o ./a.j2k -POC T1=0,7,0,0,0,CPRL -IMF 2K -i ~/Downloads/qq.png

IMF profile activated
Other options specified could be overridden

[WARNING] IMF profiles require at most 3 components.
-> Number of components of input image (4) is not compliant
-> Non-IMF codestream will be generated
[WARNING] IMF profile forbid POC markers.
-> Compression parameters set 1 POC.
-> Non-IMF codestream will be generated
[ERROR] Missing packets possible loss of data
[INFO] tile number 1 / 1
ASAN:DEADLYSIGNAL
=================================================================
==27683==ERROR: AddressSanitizer: SEGV on unknown address 0x00009fff8000 (pc 0x7f0957c1e17b bp 0x6080000003d0 sp 0x7ffc1640eb40 T0)
==27683==The signal is caused by a READ memory access.
    #0 0x7f0957c1e17a in opj_pi_next_cprl /home/yuan/afl-target/openjpeg/src/lib/openjp2/pi.c:624
    #1 0x7f0957c1e17a in opj_pi_next /home/yuan/afl-target/openjpeg/src/lib/openjp2/pi.c:2112
    #2 0x7f0957ca75cc in opj_t2_encode_packets /home/yuan/afl-target/openjpeg/src/lib/openjp2/t2.c:328
    #3 0x7f0957ccb9ee in opj_tcd_t2_encode /home/yuan/afl-target/openjpeg/src/lib/openjp2/tcd.c:2562
    #4 0x7f0957ccb9ee in opj_tcd_encode_tile /home/yuan/afl-target/openjpeg/src/lib/openjp2/tcd.c:1465
    #5 0x7f0957ba566d in opj_j2k_write_sod /home/yuan/afl-target/openjpeg/src/lib/openjp2/j2k.c:4813
    #6 0x7f0957ba566d in opj_j2k_write_first_tile_part /home/yuan/afl-target/openjpeg/src/lib/openjp2/j2k.c:12640
    #7 0x7f0957ba566d in opj_j2k_post_write_tile /home/yuan/afl-target/openjpeg/src/lib/openjp2/j2k.c:12396
    #8 0x7f0957bdd8dd in opj_j2k_encode /home/yuan/afl-target/openjpeg/src/lib/openjp2/j2k.c:12145
    #9 0x55f1f9469b75 in main /home/yuan/afl-target/openjpeg/src/bin/jp2/opj_compress.c:2206
    #10 0x7f0956cf2bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #11 0x55f1f946ed69 in _start (/home/yuan/afl-target/openjpeg/build/bin/opj_compress+0x1ad69)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/yuan/afl-target/openjpeg/src/lib/openjp2/pi.c:624 in opj_pi_next_cprl
==27683==ABORTING

It causes SEGV on an unknown address.

rouault added a commit to rouault/openjpeg that referenced this issue Dec 1, 2020
@rouault
opj_j2k_setup_encoder(): validate POC compno0 and compno1 (fixes uclo…
ece9c9b 
…uvain#1293)
@rouault rouault closed this as completed in c9380ed Dec 2, 2020
rouault added a commit that referenced this issue Dec 2, 2020
@rouault
Merge pull request #1295 from rouault/fix_1293
18b1138 
opj_j2k_setup_encoder(): validate POC compno0 and compno1 (fixes #1293)
@zodf0055980
Copy link
Contributor Author

I found a new POC can trigger it when -POC compStart = 3 in commit 18b1138
POC : sample

➜  ~/openjpeg/build/bin/opj_compress -i ./sample.png -o ./a.j2k -POC T1=3,3,3,3,3,CPRL -IMF 2K
IMF profile activated
Other options specified could be overridden

[WARNING] IMF profiles require at most 3 components.
-> Number of components of input image (4) is not compliant
-> Non-IMF codestream will be generated
[WARNING] IMF profile forbid POC markers.
-> Compression parameters set 1 POC.
-> Non-IMF codestream will be generated
[ERROR] Missing packets possible loss of data
[INFO] tile number 1 / 1
=================================================================
==12653==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x608000000608 at pc 0x7f0905d31a4e bp 0x7fff9a776c20 sp 0x7fff9a776c10
READ of size 4 at 0x608000000608 thread T0
    #0 0x7f0905d31a4d in opj_pi_next_cprl /home/yuan/afl-target/openjpeg/src/lib/openjp2/pi.c:621
    #1 0x7f0905d31a4d in opj_pi_next /home/yuan/afl-target/openjpeg/src/lib/openjp2/pi.c:2112
    #2 0x7f0905db470b in opj_t2_encode_packets /home/yuan/afl-target/openjpeg/src/lib/openjp2/t2.c:328
    #3 0x7f0905dd8786 in opj_tcd_t2_encode /home/yuan/afl-target/openjpeg/src/lib/openjp2/tcd.c:2562
    #4 0x7f0905dd8786 in opj_tcd_encode_tile /home/yuan/afl-target/openjpeg/src/lib/openjp2/tcd.c:1465
    #5 0x7f0905ca7afc in opj_j2k_write_sod /home/yuan/afl-target/openjpeg/src/lib/openjp2/j2k.c:4813
    #6 0x7f0905cb4195 in opj_j2k_write_sod /home/yuan/afl-target/openjpeg/src/lib/openjp2/j2k.c:12710
    #7 0x7f0905cb4195 in opj_j2k_write_all_tile_parts /home/yuan/afl-target/openjpeg/src/lib/openjp2/j2k.c:12715
    #8 0x7f0905cb4195 in opj_j2k_post_write_tile /home/yuan/afl-target/openjpeg/src/lib/openjp2/j2k.c:12411
    #9 0x7f0905cea989 in opj_j2k_encode /home/yuan/afl-target/openjpeg/src/lib/openjp2/j2k.c:12152
    #10 0x55ae2ad50d52 in main /home/yuan/afl-target/openjpeg/src/bin/jp2/opj_compress.c:2206
    #11 0x7f0904dffbf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #12 0x55ae2ad56309 in _start (/home/yuan/afl-target/openjpeg/build/bin/opj_compress+0x1b309)

0x608000000608 is located 8 bytes to the right of 96-byte region [0x6080000005a0,0x608000000600)
allocated by thread T0 here:
    #0 0x7f09060e9d28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28)
    #1 0x7f0905d1ecef in opj_pi_create /home/yuan/afl-target/openjpeg/src/lib/openjp2/pi.c:1024

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/yuan/afl-target/openjpeg/src/lib/openjp2/pi.c:621 in opj_pi_next_cprl
Shadow bytes around the buggy address:
  0x0c107fff8070: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fff8080: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fff8090: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fff80a0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c107fff80b0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c107fff80c0: fa[fa]fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff80d0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff80e0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff80f0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12653==ABORTING

@zodf0055980
Copy link
Contributor Author

I found a new POC can trigger it when -POC compStart = 2 in commit 18b1138
POC : sample2

➜  ~ /openjpeg/build/bin/opj_compress -o ./a.jp2 -POC T1=2,2,2,2,2,CPRL -TP R -i ./sample2.png

libpng warning: dRNS: CRC error
[ERROR] Missing packets possible loss of data
[INFO] tile number 1 / 1
=================================================================
==7182==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6070000018f0 at pc 0x7f9b56127a4e bp 0x7ffd3f3036b0 sp 0x7ffd3f3036a0
READ of size 4 at 0x6070000018f0 thread T0
    #0 0x7f9b56127a4d in opj_pi_next_cprl /home/yuan/afl-target/openjpeg/src/lib/openjp2/pi.c:621
    #1 0x7f9b56127a4d in opj_pi_next /home/yuan/afl-target/openjpeg/src/lib/openjp2/pi.c:2112
    #2 0x7f9b561aa70b in opj_t2_encode_packets /home/yuan/afl-target/openjpeg/src/lib/openjp2/t2.c:328
    #3 0x7f9b561ce786 in opj_tcd_t2_encode /home/yuan/afl-target/openjpeg/src/lib/openjp2/tcd.c:2562
    #4 0x7f9b561ce786 in opj_tcd_encode_tile /home/yuan/afl-target/openjpeg/src/lib/openjp2/tcd.c:1465
    #5 0x7f9b5609dafc in opj_j2k_write_sod /home/yuan/afl-target/openjpeg/src/lib/openjp2/j2k.c:4813
    #6 0x7f9b560aa195 in opj_j2k_write_sod /home/yuan/afl-target/openjpeg/src/lib/openjp2/j2k.c:12710
    #7 0x7f9b560aa195 in opj_j2k_write_all_tile_parts /home/yuan/afl-target/openjpeg/src/lib/openjp2/j2k.c:12715
    #8 0x7f9b560aa195 in opj_j2k_post_write_tile /home/yuan/afl-target/openjpeg/src/lib/openjp2/j2k.c:12411
    #9 0x7f9b560e0989 in opj_j2k_encode /home/yuan/afl-target/openjpeg/src/lib/openjp2/j2k.c:12152
    #10 0x556e51f22d52 in main /home/yuan/afl-target/openjpeg/src/bin/jp2/opj_compress.c:2206
    #11 0x7f9b551f5bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #12 0x556e51f28309 in _start (/home/yuan/afl-target/openjpeg/build/bin/opj_compress+0x1b309)

0x6070000018f0 is located 8 bytes to the right of 72-byte region [0x6070000018a0,0x6070000018e8)
allocated by thread T0 here:
    #0 0x7f9b564dfd28 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xded28)
    #1 0x7f9b56114cef in opj_pi_create /home/yuan/afl-target/openjpeg/src/lib/openjp2/pi.c:1024

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/yuan/afl-target/openjpeg/src/lib/openjp2/pi.c:621 in opj_pi_next_cprl
Shadow bytes around the buggy address:
  0x0c0e7fff82c0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fd fd
  0x0c0e7fff82d0: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x0c0e7fff82e0: fd fd fd fd fd fd fa fa fa fa fd fd fd fd fd fd
  0x0c0e7fff82f0: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0e7fff8300: fd fd fa fa fa fa fd fd fd fd fd fd fd fd fd fa
=>0x0c0e7fff8310: fa fa fa fa 00 00 00 00 00 00 00 00 00 fa[fa]fa
  0x0c0e7fff8320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7182==ABORTING

rouault added a commit to rouault/openjpeg that referenced this issue Dec 2, 2020
@rouault
pi.c: avoid out of bounds access with POC (refs uclouvain#1293 (comment)
2cc6b15 
)
rouault added a commit to rouault/openjpeg that referenced this issue Dec 2, 2020
@rouault
pi.c: avoid out of bounds access with POC (refs uclouvain#1293 (comment)
00383e1 
)
rouault added a commit that referenced this issue Dec 2, 2020
@rouault
Merge pull request #1300 from rouault/complement_1293
fb9eae5 
pi.c: avoid out of bounds access with POC (refs #1293 (comment))
@zodf0055980
Copy link
Contributor Author

CVE-2020-27841 was assigned for this issue.

clrpackages pushed a commit to clearlinux-pkgs/openjpeg that referenced this issue Jan 7, 2021
@phmccarty
openjpeg: Autospec creation for update from version 2.3.1 to version …
c0ec516 
…2.4.0

Antonin Descampe (2):
      Update version number for automatic abi check
      Comment back opj_previous_version in abi_check.sh

Eduardo Barretto (1):
      jp3d/jpwl/mj2/jpip: Fix resource leaks (#1226)

Even Rouault (63):
      j2k.c: use correct naming convention for total_data_size variable
      compression: emit POC marker when only one single POC is requested (fixes #1191)
      opj_j2k_check_poc_val(): fix starting index for checking layer dimension
      opj_j2k_check_poc_val(): prevent potential write outside of allocated array
      Add test for previous commit
      Fix POC in multi-tile scenarios: avoid almost endless loop when a tile has no POC settings
      Add test for previous commit
      Change opj_j2k_check_poc_val() to take into account tile number
      test_decode_area.c: assign tdy to *ptileh instead of *ptilew (fixes #1195)
      opj_decompress_fuzzer: remove checks regarding input dimensions (fixes #1079)
      opj_tcd_mct_decode()/opj_mct_decode()/opj_mct_encode_real()/opj_mct_decode_real(): proper deal with a number of samples larger than 4 billion (refs #1151)
      pi.c: avoid integer overflow, resulting in later invalid access to memory in opj_t2_decode_packets(). Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18979
      abi-check.sh: fix false postive ABI error, and display output error log
      opj_j2k_update_image_dimensions(): reject images whose coordinates are beyond INT_MAX (fixes #1228)
      opj_tcd_init_tile(): avoid integer overflow
      tests: add alternate checksums for libtiff 4.1
      openjpeg.h: fix values of OPJ_PROFILE_IMF_ constants
      Implement writing of IMF profiles
      opj_compress: improve help message regarding new IMF switch
      opj_decompress: add sanity checks to avoid segfault in case of decoding error
      Rename mis-named function opj_tcd_get_encoded_tile_size() to opj_tcd_get_encoder_input_buffer_size()
      Fix warnings about signed/unsigned casts in pi.c
      struct opj_j2k: remove unused fields, and add some documentation
      Add support for generation of PLT markers in encoder
      Add multithreading support in the T1 (entropy phase) encoder
      Add multithreaded support in the DWT encoder.
      dwt.c: change sign of constants to match standard and compensate (no functional change)
      Encoder: use floating-point operations for irreversible transformation
      tcd.c: add comment
      compare_images.c: code reformatting
      Testing: revise testing of lossy encoding by comparing PEAK and MSE with original image
      opj_mct_encode_real(): add SSE optimization
      opj_j2k_setup_encoder(): add validation of tile width and height to avoid potential division by zero
      opj_dwt_encode_1_real(): avoid many bound comparisons, similarly to decoding side
      Irreversible decoding: align code more closely to the standard by avoid messing up with stepsize (no functional change)
      Irreversible compression/decompression DWT: use 1/K constant as per standard
      Irreversible decoding: partially revert previous commit, to fix failures in test suite
      bench_dwt.c: add a -I switch to test irreversible FWDT/IDWT
      Speed-up 9x7 IDWD by ~20%
      Remove useless + 5U margin in opj_dwt_decode_tile_97()
      Speed-up 9x7 IDWD by ~30% with OPJ_NUM_THREADS=2
      Forward DWT: small code refactoring to allow future improvements for the horizontal pass
      Forward DWT 5x3: performance improvements in horizontal pass, and modest in vertical pass
      dwt.c: remove unused typedef
      Forward DWT: small code refactoring to allow future improvements for the vertical pass
      Forward DWT 5-3: major speed up by vectorizing vertical pass
      Forward DWT 9-7: major speed up by vectorizing vertical pass
      T1 encoder: speed-up by aggressive inlining and more cache friendly data organization
      opj_decompress: fix double-free on input directory with mix of valid and invalid images (CVE-2020-15389)
      Encoder: avoid uint32 overflow when allocating memory for codestream buffer (fixes #1243)
      Fix typo in internal function name
      Encoder: grow buffer size in opj_tcd_code_block_enc_allocate_data() to avoid write heap buffer overflow in opj_mqc_flush (fixes #1283)
      Encoder: grow again buffer size in opj_tcd_code_block_enc_allocate_data() (fixes #1283)
      Decoding: deal with some SPOT6 images that have tiles with a single tile-part with TPsot == 0 and TNsot == 0, and with missing EOC
      pngtoimage(): fix wrong computation of x1,y1 if -d option is used, that would result in a heap buffer overflow (fixes #1284)
      Encoder: avoid global buffer overflow on irreversible conversion when too many decomposition levels are specified (fixes #1286)
      opj_t2_encode_packet(): avoid out of bound access of #1294, but likely not the proper fix
      opj_j2k_setup_encoder(): validate POC compno0 (fixes #1293)
      opj_t2_encode_packet(): avoid out of bound access of #1297, but likely not the proper fix
      pi.c: avoid out of bounds access with POC (refs uclouvain/openjpeg#1293 (comment))
      opj_j2k_write_sod(): avoid potential heap buffer overflow (fixes #1299) (probably master only)
      pi.c: avoid out of bounds access with POC (fixes #1302)
      Prepare for v2.4.0

Jamaika1 (1):
      Change defined WIN32

Lemures Lemniscati (1):
      Set ${OPENJPEG_INSTALL_DOC_DIR} to DESTINATION of HTMLs

Matthew Sharp (1):
      Use INC_DIR for OPENJPEG_INCLUDE_DIRS (fixes uclouvain#1174)

Max Moroz (1):
      tests/fuzzers: link fuzz binaries using $LIB_FUZZING_ENGINE. (#1230)

Pei JIA (1):
      Bump Java compatibility from 1.5 to 1.6 (#1263)

Robert Ancell (1):
      JPWL: convert: Fix buffer overflow reading an image file less than four characters (#1196)

Sebastian Rasmussen (6):
      openjp2/j2k: Report error if all wanted components are not decoded.
      openjp2/j2k: Make comments adhere to specification.
      openjp2/j2k: Validate all SGcod/SPcod/SPcoc parameter values.
      openjp2: Error out if failing to create Tier 1 handle.
      openjp2: Plug memory leak when setting data as TLS fails.
      openjp2: Plug image leak when failing to allocate codestream index.

Tim Gates (1):
      docs: fix simple typo, producted -> produced

Young Xiao (2):
      convertbmp: detect invalid file dimensions early
      bmp_read_rle4_data(): avoid potential infinite loop

szukw000 (2):
      color_apply_icc_profile: add checks on the number of components (#1236)
      Testing for invalid values of width, height, numcomps (#1254)

yuan (3):
      Encoder: grow again buffer size in opj_tcd_code_block_enc_allocate_data() (fixes #1283)
      Free p_tcd_marker_info to avoid memory leak
      Encoder: grow again buffer size in opj_tcd_code_block_enc_allocate_data() (fixes #1283)
DanielHeath pushed a commit to radiopaedia/openjpeg that referenced this issue Sep 21, 2021
@rouault @DanielHeath
opj_j2k_setup_encoder(): validate POC compno0 (fixes uclouvain#1293)
95b6cf3
DanielHeath pushed a commit to radiopaedia/openjpeg that referenced this issue Sep 21, 2021
@rouault @DanielHeath
pi.c: avoid out of bounds access with POC (refs uclouvain#1293 (comment)
ee09914 
)
mtremer pushed a commit to ipfire/ipfire-2.x that referenced this issue Apr 29, 2022
@pmu-ipf
openjpeg: Update to version 2.4.0
ca98d29 
- Update from version 2.3.1 to 2.4.0
- Update of rootfile
- Changelog
    2.4.0
	**Closed issues:**
		- OPENJPEG\_INSTALL\_DOC\_DIR does not control a destination directory where HTML docs would be installed. [\#1309](uclouvain/openjpeg#1309)
		- Heap-buffer-overflow in lib/openjp2/pi.c:312 [\#1302](uclouvain/openjpeg#1302)
		- Heap-buffer-overflow in lib/openjp2/t2.c:973 [\#1299](uclouvain/openjpeg#1299)
		- Heap-buffer-overflow in lib/openjp2/pi.c:623 [\#1293](uclouvain/openjpeg#1293)
		- Global-buffer-overflow in lib/openjp2/dwt.c:1980 [\#1286](uclouvain/openjpeg#1286)
		- Heap-buffer-overflow in lib/openjp2/tcd.c:2417 [\#1284](uclouvain/openjpeg#1284)
		- Heap-buffer-overflow in lib/openjp2/mqc.c:499 [\#1283](uclouvain/openjpeg#1283)
		- Openjpeg could not encode 32bit RGB float image [\#1281](uclouvain/openjpeg#1281)
		- Openjpeg could not encode 32bit RGB float image [\#1280](uclouvain/openjpeg#1280)
		- ISO/IEC 15444-1:2019 \(E\) compared with 'cio.h' [\#1277](uclouvain/openjpeg#1277)
		- Test-suite failure due to hash mismatch [\#1264](uclouvain/openjpeg#1264)
		- Heap use-after-free [\#1261](uclouvain/openjpeg#1261)
		- Memory leak when failing to allocate object... [\#1259](uclouvain/openjpeg#1259)
		- Memory leak of Tier 1 handle when OpenJPEG fails to set it as TLS... [\#1257](uclouvain/openjpeg#1257)
		- Any plan to build release for CVE-2020-8112/CVE-2020-6851 [\#1247](uclouvain/openjpeg#1247)
		- failing to convert 16-bit file: opj\_t2\_encode\_packet\(\): only 5251 bytes remaining in output buffer. 5621 needed. [\#1243](uclouvain/openjpeg#1243)
		- CMake+VS2017 Compile OK, thirdparty Compile OK, but thirdparty not install [\#1239](uclouvain/openjpeg#1239)
		- New release to solve CVE-2019-6988 ? [\#1238](uclouvain/openjpeg#1238)
		- Many tests fail to pass after the update of libtiff to version 4.1.0 [\#1233](uclouvain/openjpeg#1233)
		- Another heap buffer overflow in libopenjp2 [\#1231](uclouvain/openjpeg#1231)
		- Heap buffer overflow in libopenjp2 [\#1228](uclouvain/openjpeg#1228)
		- Endianness of binary volume \(JP3D\) [\#1224](uclouvain/openjpeg#1224)
		- New release to resolve CVE-2019-12973 [\#1222](uclouvain/openjpeg#1222)
		- how to set the block size,like 128,256 ? [\#1216](uclouvain/openjpeg#1216)
		- compress YUV files to motion jpeg2000 standard [\#1213](uclouvain/openjpeg#1213)
		- Repair/update Java wrapper, and include in release [\#1208](uclouvain/openjpeg#1208)
		- abc [\#1206](uclouvain/openjpeg#1206)
		- Slow decoding [\#1202](uclouvain/openjpeg#1202)
		- Installation question [\#1201](uclouvain/openjpeg#1201)
		- Typo in test\_decode\_area - \*ptilew is assigned instead of \*ptileh [\#1195](uclouvain/openjpeg#1195)
		- Creating a J2K file with one POC is broken [\#1191](uclouvain/openjpeg#1191)
		- Make fails on Arch Linux [\#1174](uclouvain/openjpeg#1174)
		- Heap buffer overflow in opj\_t1\_clbl\_decode\_processor\(\) triggered with Ghostscript [\#1158](uclouvain/openjpeg#1158)
		- opj\_stream\_get\_number\_byte\_left: Assertion `p\_stream-\>m\_byte\_offset \>= 0' failed. [\#1151](uclouvain/openjpeg#1151)
		- The fuzzer ignores too many inputs [\#1079](uclouvain/openjpeg#1079)
		- out of bounds read [\#1068](uclouvain/openjpeg#1068)
	**Merged pull requests:**
		- Change defined WIN32 [\#1310](uclouvain/openjpeg#1310) ([Jamaika1](https://github.com/Jamaika1))
		- docs: fix simple typo, producted -\> produced [\#1308](uclouvain/openjpeg#1308) ([timgates42](https://github.com/timgates42))
		- Set ${OPENJPEG\_INSTALL\_DOC\_DIR} to DESTINATION of HTMLs [\#1307](uclouvain/openjpeg#1307) ([lemniscati](https://github.com/lemniscati))
		- Use INC\_DIR for OPENJPEG\_INCLUDE\_DIRS \(fixes uclouvain\#1174\) [\#1306](uclouvain/openjpeg#1306) ([matthew-sharp](https://github.com/matthew-sharp))
		- pi.c: avoid out of bounds access with POC \(fixes \#1302\) [\#1304](uclouvain/openjpeg#1304) ([rouault](https://github.com/rouault))
		- Encoder: grow again buffer size [\#1303](uclouvain/openjpeg#1303) ([zodf0055980](https://github.com/zodf0055980))
		- opj\_j2k\_write\_sod\(\): avoid potential heap buffer overflow \(fixes \#1299\) \(probably master only\) [\#1301](uclouvain/openjpeg#1301) ([rouault](https://github.com/rouault))
		- pi.c: avoid out of bounds access with POC \(refs uclouvain/openjpeg#1293) [\#1300](uclouvain/openjpeg#1300) ([rouault](https://github.com/rouault))
		- opj\_t2\_encode\_packet\(\): avoid out of bound access of \#1297, but likely not the proper fix [\#1298](uclouvain/openjpeg#1298) ([rouault](https://github.com/rouault))
		- opj\_t2\_encode\_packet\(\): avoid out of bound access of \#1294, but likely not the proper fix [\#1296](uclouvain/openjpeg#1296) ([rouault](https://github.com/rouault))
		- opj\_j2k\_setup\_encoder\(\): validate POC compno0 and compno1 \(fixes \#1293\) [\#1295](uclouvain/openjpeg#1295) ([rouault](https://github.com/rouault))
		- Encoder: avoid global buffer overflow on irreversible conversion when… [\#1292](uclouvain/openjpeg#1292) ([rouault](https://github.com/rouault))
		- Decoding: deal with some SPOT6 images that have tiles with a single tile-part with TPsot == 0 and TNsot == 0, and with missing EOC [\#1291](uclouvain/openjpeg#1291) ([rouault](https://github.com/rouault))
		- Free p\_tcd\_marker\_info to avoid memory leak [\#1288](uclouvain/openjpeg#1288) ([zodf0055980](https://github.com/zodf0055980))
		- Encoder: grow again buffer size [\#1287](uclouvain/openjpeg#1287) ([zodf0055980](https://github.com/zodf0055980))
		- Encoder: avoid uint32 overflow when allocating memory for codestream buffer \(fixes \#1243\) [\#1276](uclouvain/openjpeg#1276) ([rouault](https://github.com/rouault))
		- Java compatibility from 1.5 to 1.6 [\#1263](uclouvain/openjpeg#1263) ([jiapei100](https://github.com/jiapei100))
		- opj\_decompress: fix double-free on input directory with mix of valid and invalid images [\#1262](uclouvain/openjpeg#1262) ([rouault](https://github.com/rouault))
		- openjp2: Plug image leak when failing to allocate codestream index. [\#1260](uclouvain/openjpeg#1260) ([sebras](https://github.com/sebras))
		- openjp2: Plug memory leak when setting data as TLS fails. [\#1258](uclouvain/openjpeg#1258) ([sebras](https://github.com/sebras))
		- openjp2: Error out if failing to create Tier 1 handle. [\#1256](uclouvain/openjpeg#1256) ([sebras](https://github.com/sebras))
		- Testing for invalid values of width, height, numcomps [\#1254](uclouvain/openjpeg#1254) ([szukw000](https://github.com/szukw000))
		- Single-threaded performance improvements in forward DWT for 5-3 and 9-7 \(and other improvements\) [\#1253](uclouvain/openjpeg#1253) ([rouault](https://github.com/rouault))
		- Add support for multithreading in encoder [\#1248](uclouvain/openjpeg#1248) ([rouault](https://github.com/rouault))
		- Add support for generation of PLT markers in encoder [\#1246](uclouvain/openjpeg#1246) ([rouault](https://github.com/rouault))
		- Fix warnings about signed/unsigned casts in pi.c [\#1244](uclouvain/openjpeg#1244) ([rouault](https://github.com/rouault))
		- opj\_decompress: add sanity checks to avoid segfault in case of decoding error [\#1240](uclouvain/openjpeg#1240) ([rouault](https://github.com/rouault))
		- ignore wrong icc [\#1236](uclouvain/openjpeg#1236) ([szukw000](https://github.com/szukw000))
		- Implement writing of IMF profiles [\#1235](uclouvain/openjpeg#1235) ([rouault](https://github.com/rouault))
		- tests: add alternate checksums for libtiff 4.1 [\#1234](uclouvain/openjpeg#1234) ([rouault](https://github.com/rouault))
		- opj\_tcd\_init\_tile\(\): avoid integer overflow [\#1232](uclouvain/openjpeg#1232) ([rouault](https://github.com/rouault))
		- tests/fuzzers: link fuzz binaries using $LIB\_FUZZING\_ENGINE. [\#1230](uclouvain/openjpeg#1230) ([Dor1s](https://github.com/Dor1s))
		- opj\_j2k\_update\_image\_dimensions\(\): reject images whose coordinates are beyond INT\_MAX \(fixes \#1228\) [\#1229](uclouvain/openjpeg#1229) ([rouault](https://github.com/rouault))
		- Fix resource leaks [\#1226](uclouvain/openjpeg#1226) ([dodys](https://github.com/dodys))
		- abi-check.sh: fix false postive ABI error, and display output error log [\#1218](uclouvain/openjpeg#1218) ([rouault](https://github.com/rouault))
		- pi.c: avoid integer overflow, resulting in later invalid access to memory in opj\_t2\_decode\_packets\(\) [\#1217](uclouvain/openjpeg#1217) ([rouault](https://github.com/rouault))
		- Add check to validate SGcod/SPcoc/SPcod parameter values. [\#1211](uclouvain/openjpeg#1211) ([sebras](https://github.com/sebras))
		- Fix buffer overflow reading an image file less than four characters [\#1196](uclouvain/openjpeg#1196) ([robert-ancell](https://github.com/robert-ancell))
		- compression: emit POC marker when only one single POC is requested \(f… [\#1192](uclouvain/openjpeg#1192) ([rouault](https://github.com/rouault))
		- Fix several potential vulnerabilities  [\#1185](uclouvain/openjpeg#1185) ([Young-X](https://github.com/Young-X))
		- openjp2/j2k: Report error if all wanted components are not decoded. [\#1164](uclouvain/openjpeg#1164) ([sebras](https://github.com/sebras))

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@zodf0055980