Excessive Iteration in opj_t1_encode_cblks (src/lib/openjp2/t1.c) #1059
On the latest version (2.3.0) and master branch of openjpeg,
Note that processing the POC of only 144 bytes could cost openjpeg more than 15 minutes. We found, in the code, that the program is stuck in 5-level nested "for" loops of the opj_t1_encode_cblks function. The terminating variables of these loops can be manipulated by the input file. Although the variables are quite reasonable (with prc->cw * prc->ch = 512, res->pw * res->ph = 501) and the actual number of blocks is well under the declared count (i.e., 512), the program gives no response for a long time, and this causes a denial of service. This issue is different from #996, which has been fixed in commit 5597522.
```c
/* src/lib/openjp2/t1.c:2105 */
OPJ_BOOL opj_t1_encode_cblks(opj_t1_t *t1,
```
To reproduce the issue, run:

```
./opj_compress -n 1 -i $POC -o /tmp/null.j2k
```
This is most likely a small stack overflow due to the bmp file maliciously advertising a wrong, very large width.
This can usually be fixed by comparing actual and advertised size after reading the file, e.g.
I'll take a closer look later and PR a patch once ready.
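As an added illustration of the "compare actual and advertised size" check suggested in the reply above (example code written here, not openjpeg's own; `bmp_dimensions_plausible`, `check_constructed` and the little-endian helpers are hypothetical names), a BMP reader can reject a header whose advertised width and height would need more pixel bytes than the file actually contains, which bounds the loop counts derived from those dimensions:

```c
#include <stdint.h>
#include <stdlib.h>

/* Little-endian field helpers for the BMP header (hypothetical helpers,
 * not openjpeg's own). */
static uint32_t rd_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr_le32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)v; p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}

/* Returns 1 when the advertised width/height/bpp can be backed by the bytes
 * actually present after the pixel-data offset, 0 otherwise. Division is
 * used instead of multiplication so a huge header cannot overflow the check. */
int bmp_dimensions_plausible(const unsigned char *buf, size_t file_len) {
    if (file_len < 54 || buf[0] != 'B' || buf[1] != 'M') return 0;
    uint32_t data_off = rd_le32(buf + 10);
    int32_t width = (int32_t)rd_le32(buf + 18);
    int32_t height = (int32_t)rd_le32(buf + 22);
    uint16_t bpp = (uint16_t)(buf[28] | (buf[29] << 8));
    if (width <= 0 || height == 0 || bpp == 0 || bpp > 32) return 0;
    if (data_off < 54 || data_off > file_len) return 0;
    uint64_t avail = file_len - data_off;
    uint64_t rows = height < 0 ? (uint64_t)(-(int64_t)height) : (uint64_t)height;
    uint64_t stride = (((uint64_t)width * bpp + 31) / 32) * 4; /* rows pad to 4 bytes */
    if (stride > avail) return 0;         /* not even one advertised row fits */
    return rows <= avail / stride;        /* every advertised row must fit */
}

/* Constructed sample: a 54-byte header advertising width x height at bpp,
 * followed by pixel_bytes of zeroed data. Returns the check's verdict. */
int check_constructed(int32_t width, int32_t height, uint16_t bpp, size_t pixel_bytes) {
    size_t len = 54 + pixel_bytes;
    unsigned char *buf = calloc(len, 1);
    if (!buf) return 0;
    buf[0] = 'B'; buf[1] = 'M';
    wr_le32(buf + 2, (uint32_t)len);   /* bfSize */
    wr_le32(buf + 10, 54);             /* bfOffBits: pixel data right after headers */
    wr_le32(buf + 14, 40);             /* biSize (BITMAPINFOHEADER) */
    wr_le32(buf + 18, (uint32_t)width);
    wr_le32(buf + 22, (uint32_t)height);
    buf[26] = 1;                       /* biPlanes */
    buf[28] = (unsigned char)bpp; buf[29] = (unsigned char)(bpp >> 8);
    int ok = bmp_dimensions_plausible(buf, len);
    free(buf);
    return ok;
}
```

A 4x4 24-bpp image needs 12-byte padded rows, so 48 bytes of pixel data pass while 47 bytes, or a width of 0x7fffffff with the same 48 bytes, are rejected before any per-pixel loop runs.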