Closed
Description
Hi,
This overflow looks similar to #1228 but still works on latest master (b63a433):
$ build_afl/bin/opj_decompress -i ../openjpeg/afl_symcc_5_out/afl-slave/crashes/id:000000,sig:06,sync:symcc,src:002975 -o /tmp/image_verification.pgm
===========================================
The extension of this file is incorrect.
FOUND 2975. SHOULD BE .jp2
===========================================
[INFO] Start to read j2k main header (884).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Header of tile 1 / 1 has been read.
=================================================================
==3010==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fb19e1f8918 at pc 0x7fb1a258d7e9 bp 0x7ffd68100b90 sp 0x7ffd68100b88
WRITE of size 16 at 0x7fb19e1f8918 thread T0
#0 0x7fb1a258d7e8 in opj_t1_clbl_decode_processor /home/seba/tested_software/openjpeg_patched/src/lib/openjp2/t1.c:1765:73
#1 0x7fb1a2441e05 in opj_thread_pool_submit_job /home/seba/tested_software/openjpeg_patched/src/lib/openjp2/thread.c:835:9
#2 0x7fb1a256f753 in opj_t1_decode_cblks /home/seba/tested_software/openjpeg_patched/src/lib/openjp2/t1.c:1901:21
#3 0x7fb1a263ca3c in opj_tcd_t1_decode /home/seba/tested_software/openjpeg_patched/src/lib/openjp2/tcd.c:1969:9
#4 0x7fb1a263ca3c in opj_tcd_decode_tile /home/seba/tested_software/openjpeg_patched/src/lib/openjp2/tcd.c:1623
#5 0x7fb1a24bfe91 in opj_j2k_decode_tile /home/seba/tested_software/openjpeg_patched/src/lib/openjp2/j2k.c:8932:11
#6 0x7fb1a24fd969 in opj_j2k_decode_tiles /home/seba/tested_software/openjpeg_patched/src/lib/openjp2/j2k.c:10763:15
#7 0x7fb1a24cd165 in opj_j2k_exec /home/seba/tested_software/openjpeg_patched/src/lib/openjp2/j2k.c:8090:33
#8 0x7fb1a24cd165 in opj_j2k_decode /home/seba/tested_software/openjpeg_patched/src/lib/openjp2/j2k.c:11066
#9 0x7fb1a2517dae in opj_jp2_decode /home/seba/tested_software/openjpeg_patched/src/lib/openjp2/jp2.c:1603:11
#10 0x512f27 in main /home/seba/tested_software/openjpeg_patched/src/bin/jp2/opj_decompress.c:1542:19
#11 0x7fb1a20b709a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
#12 0x42f719 in _start (/home/seba/tested_software/openjpeg_patched/build_afl/bin/opj_decompress+0x42f719)
0x7fb19e1f8918 is located 0 bytes to the right of 9998616-byte region [0x7fb19d86f800,0x7fb19e1f8918)
allocated by thread T0 here:
#0 0x4dbd99 in __interceptor_posix_memalign (/home/seba/tested_software/openjpeg_patched/build_afl/bin/opj_decompress+0x4dbd99)
#1 0x7fb1a265b9c7 in opj_aligned_alloc_n /home/seba/tested_software/openjpeg_patched/src/lib/openjp2/opj_malloc.c:61:9
#2 0x7fb1a265b9c7 in opj_aligned_malloc /home/seba/tested_software/openjpeg_patched/src/lib/openjp2/opj_malloc.c:209
#3 0x7fb1a263af32 in opj_alloc_tile_component_data /home/seba/tested_software/openjpeg_patched/src/lib/openjp2/tcd.c:694:39
#4 0x7fb1a263af32 in opj_tcd_decode_tile /home/seba/tested_software/openjpeg_patched/src/lib/openjp2/tcd.c:1530
#5 0x7fb1a24bfe91 in opj_j2k_decode_tile /home/seba/tested_software/openjpeg_patched/src/lib/openjp2/j2k.c:8932:11
#6 0x7fb1a24fd969 in opj_j2k_decode_tiles /home/seba/tested_software/openjpeg_patched/src/lib/openjp2/j2k.c:10763:15
#7 0x7fb1a24cd165 in opj_j2k_exec /home/seba/tested_software/openjpeg_patched/src/lib/openjp2/j2k.c:8090:33
#8 0x7fb1a24cd165 in opj_j2k_decode /home/seba/tested_software/openjpeg_patched/src/lib/openjp2/j2k.c:11066
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/seba/tested_software/openjpeg_patched/src/lib/openjp2/t1.c:1765:73 in opj_t1_clbl_decode_processor
Shadow bytes around the buggy address:
0x0ff6b3c370d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff6b3c370e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff6b3c370f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff6b3c37100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff6b3c37110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff6b3c37120: 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff6b3c37130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff6b3c37140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff6b3c37150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff6b3c37160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff6b3c37170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3010==ABORTING
Steps to reproduce as in #1228; the crashing input is available here.
Thank you!
Metadata
Metadata
Assignees
Labels
No labels