Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Memory leak of Tier 1 handle when OpenJPEG fails to set it as TLS... #1257

Closed
sebras opened this issue Jun 22, 2020 · 1 comment
Closed

Memory leak of Tier 1 handle when OpenJPEG fails to set it as TLS... #1257

sebras opened this issue Jun 22, 2020 · 1 comment

Comments

@sebras
Copy link
Contributor

sebras commented Jun 22, 2020

While testing what happens when opj_calloc() returns NULL using a custom allocator in OpenJPEG 2.3.0 I found a memory leak that doesn't seem to have been addressed in OpenJPEG on master.

The relevant part of backtrace for the memory leak is :

    #0 0x55aae2b06223 in opj_calloc
    #1 0x55aae347aad8 in opj_t1_create openjpeg/src/lib/openjp2/t1.c:1541
    #2 0x55aae347b4b8 in opj_t1_clbl_decode_processor openjpeg/src/lib/openjp2/t1.c:1660
    #3 0x55aae340a8f3 in opj_thread_pool_submit_job openjpeg/src/lib/openjp2/thread.c:835
    #4 0x55aae347da25 in opj_t1_decode_cblks openjpeg/src/lib/openjp2/t1.c:1908
    #5 0x55aae3400fa0 in opj_tcd_t1_decode openjpeg/src/lib/openjp2/tcd.c:1985
    #6 0x55aae33fedf4 in opj_tcd_decode_tile openjpeg/src/lib/openjp2/tcd.c:1639
    #7 0x55aae33b82d6 in opj_j2k_decode_tile openjpeg/src/lib/openjp2/j2k.c:8947
    #8 0x55aae33c51f7 in opj_j2k_decode_tiles openjpeg/src/lib/openjp2/j2k.c:10735
    #9 0x55aae33b28fd in opj_j2k_exec openjpeg/src/lib/openjp2/j2k.c:8105
    #10 0x55aae33c7dae in opj_j2k_decode openjpeg/src/lib/openjp2/j2k.c:11081
    #11 0x55aae316517d in opj_decode openjpeg/src/lib/openjp2/openjpeg.c:483

This is the backtrace of where I had opj_realloc() return NULL later causing the leak above:

#0  0x0000555555833281 in opj_realloc (ptr=0x0, size=24) at source/fitz/load-jpx.c:573
#1  0x000055555613663a in opj_tls_set (tls=0x603000004518, key=0, value=0x612000000948, opj_free_func=0x5555561a7cec <opj_t1_destroy_wrapper>) at openjpeg/src/lib/openjp2/thread.c:559
#2  0x00005555561a84de in opj_t1_clbl_decode_processor (user_data=0x608000009228, tls=0x603000004518) at openjpeg/src/lib/openjp2/t1.c:1661
#3  0x00005555561378f4 in opj_thread_pool_submit_job (tp=0x6080000091a8, job_fn=0x5555561a7d07 <opj_t1_clbl_decode_processor>, user_data=0x608000009228) at openjpeg/src/lib/openjp2/thread.c:835
#4  0x00005555561aa944 in opj_t1_decode_cblks (tcd=0x60b000000258, pret=0x7fffffff9820, tilec=0x613000001e08, tccp=0x61f000007088,  p_manager=0x6100000005a8, p_manager_mutex=0x0, check_pterm=0) at openjpeg/src/lib/openjp2/t1.c:1901
#5 0x000055555612dfa1 in opj_tcd_t1_decode (p_tcd=0x60b000000258, p_manager=0x6100000005a8) at openjpeg/src/lib/openjp2/tcd.c:1985
#6 0x000055555612bdf5 in opj_tcd_decode_tile (p_tcd=0x60b000000258, win_x0=0, win_y0=0, win_x1=640, win_y1=480, numcomps_to_decode=0, comps_indices=0x0, p_src=0x7ffff3e9f808 "H\241\343\345\355\213\035\211\031\210ZU\357T0R\355\363Y\376\242\355(X\256\071\177V\003e\276ڬ%\322g\357\032\351\016\244\065\357\254\027ߠcL\223P\366\253L\026\372\r\033\372e\237U\242\210\216\233w {\b\275\377\n\257\306\376\202[\247\v%\243\327\034\200\216n*\210\f\004\026\004:\nE\352il}\236\254\275\356\211\327\346\273\373\210\t\343\031ki\261\220\223Lnoè\234\065\373\003~yd,E\002C\034\223\366E)\313\346@iD\343\027k\244J\350n\331\356<]b\356\253\023\066\262 \357\067\313\336\035i\301(\250\022\006^!w\366J\033\320\016vIN\216\317\316\032\023L`\362\306ȧZ\243\312\305Y"..., p_max_length=259641, p_tile_no=0, p_cstr_index=0x606000007a08, p_manager=0x6100000005a8) at openjpeg/src/lib/openjp2/tcd.c:1639
#7 0x00005555560e52d7 in opj_j2k_decode_tile (p_j2k=0x613000001548, p_tile_index=0, p_data=0x0, p_data_size=0, p_stream=0x60c000008808, p_manager=0x6100000005a8) at openjpeg/src/lib/openjp2/j2k.c:8947
#8 0x00005555560f21f8 in opj_j2k_decode_tiles (p_j2k=0x613000001548, p_stream=0x60c000008808, p_manager=0x6100000005a8) at openjpeg/src/lib/openjp2/j2k.c:10735
#9 0x00005555560df8fe in opj_j2k_exec (p_j2k=0x613000001548, p_procedure_list=0x6030000044e8, p_stream=0x60c000008808, p_manager=0x6100000005a8) at openjpeg/src/lib/openjp2/j2k.c:8105
#10 0x00005555560f4daf in opj_j2k_decode (p_j2k=0x613000001548, p_stream=0x60c000008808, p_image=0x606000007ac8, p_manager=0x6100000005a8) at openjpeg/src/lib/openjp2/j2k.c:11081
#11 0x0000555555e9217e in opj_decode (p_codec=0x610000000548,  p_stream=0x60c000008808, p_image=0x606000007ac8) at openjpeg/src/lib/openjp2/openjpeg.c:483

Looking at the source code it is obvious that the return code of opj_tls_set() is never checked, hence the code can't know it should free the t1 handle and return an error code.
sebras added a commit to sebras/openjpeg that referenced this issue Jun 22, 2020
@sebras
openjp2: Plug memory leak when setting data as TLS fails.
14fc5b6 
Previously the Tier 1 handle was not freed when setting it as
TLS failed.

This fixes issue uclouvain#1257.
@sebras sebras mentioned this issue Jun 22, 2020
Merged
sebras added a commit to sebras/openjpeg that referenced this issue Jun 22, 2020
@sebras
openjp2: Plug memory leak when setting data as TLS fails.
79b199a 
Previously the Tier 1 handle was not freed when setting it as
TLS failed.

This fixes issue uclouvain#1257.
@rouault rouault closed this as completed Nov 12, 2020
DanielHeath pushed a commit to radiopaedia/openjpeg that referenced this issue Sep 21, 2021
@sebras @DanielHeath
openjp2: Plug memory leak when setting data as TLS fails.
776cd50 
Previously the Tier 1 handle was not freed when setting it as
TLS failed.

This fixes issue uclouvain#1257.
mtremer pushed a commit to ipfire/ipfire-2.x that referenced this issue Apr 29, 2022
@pmu-ipf
openjpeg: Update to version 2.4.0
ca98d29 
- Update from version 2.3.1 to 2.4.0
- Update of rootfile
- Changelog
    2.4.0
	**Closed issues:**
		- OPENJPEG\_INSTALL\_DOC\_DIR does not control a destination directory where HTML docs would be installed. [\#1309](uclouvain/openjpeg#1309)
		- Heap-buffer-overflow in lib/openjp2/pi.c:312 [\#1302](uclouvain/openjpeg#1302)
		- Heap-buffer-overflow in lib/openjp2/t2.c:973 [\#1299](uclouvain/openjpeg#1299)
		- Heap-buffer-overflow in lib/openjp2/pi.c:623 [\#1293](uclouvain/openjpeg#1293)
		- Global-buffer-overflow in lib/openjp2/dwt.c:1980 [\#1286](uclouvain/openjpeg#1286)
		- Heap-buffer-overflow in lib/openjp2/tcd.c:2417 [\#1284](uclouvain/openjpeg#1284)
		- Heap-buffer-overflow in lib/openjp2/mqc.c:499 [\#1283](uclouvain/openjpeg#1283)
		- Openjpeg could not encode 32bit RGB float image [\#1281](uclouvain/openjpeg#1281)
		- Openjpeg could not encode 32bit RGB float image [\#1280](uclouvain/openjpeg#1280)
		- ISO/IEC 15444-1:2019 \(E\) compared with 'cio.h' [\#1277](uclouvain/openjpeg#1277)
		- Test-suite failure due to hash mismatch [\#1264](uclouvain/openjpeg#1264)
		- Heap use-after-free [\#1261](uclouvain/openjpeg#1261)
		- Memory leak when failing to allocate object... [\#1259](uclouvain/openjpeg#1259)
		- Memory leak of Tier 1 handle when OpenJPEG fails to set it as TLS... [\#1257](uclouvain/openjpeg#1257)
		- Any plan to build release for CVE-2020-8112/CVE-2020-6851 [\#1247](uclouvain/openjpeg#1247)
		- failing to convert 16-bit file: opj\_t2\_encode\_packet\(\): only 5251 bytes remaining in output buffer. 5621 needed. [\#1243](uclouvain/openjpeg#1243)
		- CMake+VS2017 Compile OK, thirdparty Compile OK, but thirdparty not install [\#1239](uclouvain/openjpeg#1239)
		- New release to solve CVE-2019-6988 ? [\#1238](uclouvain/openjpeg#1238)
		- Many tests fail to pass after the update of libtiff to version 4.1.0 [\#1233](uclouvain/openjpeg#1233)
		- Another heap buffer overflow in libopenjp2 [\#1231](uclouvain/openjpeg#1231)
		- Heap buffer overflow in libopenjp2 [\#1228](uclouvain/openjpeg#1228)
		- Endianness of binary volume \(JP3D\) [\#1224](uclouvain/openjpeg#1224)
		- New release to resolve CVE-2019-12973 [\#1222](uclouvain/openjpeg#1222)
		- how to set the block size,like 128,256 ? [\#1216](uclouvain/openjpeg#1216)
		- compress YUV files to motion jpeg2000 standard [\#1213](uclouvain/openjpeg#1213)
		- Repair/update Java wrapper, and include in release [\#1208](uclouvain/openjpeg#1208)
		- abc [\#1206](uclouvain/openjpeg#1206)
		- Slow decoding [\#1202](uclouvain/openjpeg#1202)
		- Installation question [\#1201](uclouvain/openjpeg#1201)
		- Typo in test\_decode\_area - \*ptilew is assigned instead of \*ptileh [\#1195](uclouvain/openjpeg#1195)
		- Creating a J2K file with one POC is broken [\#1191](uclouvain/openjpeg#1191)
		- Make fails on Arch Linux [\#1174](uclouvain/openjpeg#1174)
		- Heap buffer overflow in opj\_t1\_clbl\_decode\_processor\(\) triggered with Ghostscript [\#1158](uclouvain/openjpeg#1158)
		- opj\_stream\_get\_number\_byte\_left: Assertion `p\_stream-\>m\_byte\_offset \>= 0' failed. [\#1151](uclouvain/openjpeg#1151)
		- The fuzzer ignores too many inputs [\#1079](uclouvain/openjpeg#1079)
		- out of bounds read [\#1068](uclouvain/openjpeg#1068)
	**Merged pull requests:**
		- Change defined WIN32 [\#1310](uclouvain/openjpeg#1310) ([Jamaika1](https://github.com/Jamaika1))
		- docs: fix simple typo, producted -\> produced [\#1308](uclouvain/openjpeg#1308) ([timgates42](https://github.com/timgates42))
		- Set ${OPENJPEG\_INSTALL\_DOC\_DIR} to DESTINATION of HTMLs [\#1307](uclouvain/openjpeg#1307) ([lemniscati](https://github.com/lemniscati))
		- Use INC\_DIR for OPENJPEG\_INCLUDE\_DIRS \(fixes uclouvain\#1174\) [\#1306](uclouvain/openjpeg#1306) ([matthew-sharp](https://github.com/matthew-sharp))
		- pi.c: avoid out of bounds access with POC \(fixes \#1302\) [\#1304](uclouvain/openjpeg#1304) ([rouault](https://github.com/rouault))
		- Encoder: grow again buffer size [\#1303](uclouvain/openjpeg#1303) ([zodf0055980](https://github.com/zodf0055980))
		- opj\_j2k\_write\_sod\(\): avoid potential heap buffer overflow \(fixes \#1299\) \(probably master only\) [\#1301](uclouvain/openjpeg#1301) ([rouault](https://github.com/rouault))
		- pi.c: avoid out of bounds access with POC \(refs uclouvain/openjpeg#1293) [\#1300](uclouvain/openjpeg#1300) ([rouault](https://github.com/rouault))
		- opj\_t2\_encode\_packet\(\): avoid out of bound access of \#1297, but likely not the proper fix [\#1298](uclouvain/openjpeg#1298) ([rouault](https://github.com/rouault))
		- opj\_t2\_encode\_packet\(\): avoid out of bound access of \#1294, but likely not the proper fix [\#1296](uclouvain/openjpeg#1296) ([rouault](https://github.com/rouault))
		- opj\_j2k\_setup\_encoder\(\): validate POC compno0 and compno1 \(fixes \#1293\) [\#1295](uclouvain/openjpeg#1295) ([rouault](https://github.com/rouault))
		- Encoder: avoid global buffer overflow on irreversible conversion when… [\#1292](uclouvain/openjpeg#1292) ([rouault](https://github.com/rouault))
		- Decoding: deal with some SPOT6 images that have tiles with a single tile-part with TPsot == 0 and TNsot == 0, and with missing EOC [\#1291](uclouvain/openjpeg#1291) ([rouault](https://github.com/rouault))
		- Free p\_tcd\_marker\_info to avoid memory leak [\#1288](uclouvain/openjpeg#1288) ([zodf0055980](https://github.com/zodf0055980))
		- Encoder: grow again buffer size [\#1287](uclouvain/openjpeg#1287) ([zodf0055980](https://github.com/zodf0055980))
		- Encoder: avoid uint32 overflow when allocating memory for codestream buffer \(fixes \#1243\) [\#1276](uclouvain/openjpeg#1276) ([rouault](https://github.com/rouault))
		- Java compatibility from 1.5 to 1.6 [\#1263](uclouvain/openjpeg#1263) ([jiapei100](https://github.com/jiapei100))
		- opj\_decompress: fix double-free on input directory with mix of valid and invalid images [\#1262](uclouvain/openjpeg#1262) ([rouault](https://github.com/rouault))
		- openjp2: Plug image leak when failing to allocate codestream index. [\#1260](uclouvain/openjpeg#1260) ([sebras](https://github.com/sebras))
		- openjp2: Plug memory leak when setting data as TLS fails. [\#1258](uclouvain/openjpeg#1258) ([sebras](https://github.com/sebras))
		- openjp2: Error out if failing to create Tier 1 handle. [\#1256](uclouvain/openjpeg#1256) ([sebras](https://github.com/sebras))
		- Testing for invalid values of width, height, numcomps [\#1254](uclouvain/openjpeg#1254) ([szukw000](https://github.com/szukw000))
		- Single-threaded performance improvements in forward DWT for 5-3 and 9-7 \(and other improvements\) [\#1253](uclouvain/openjpeg#1253) ([rouault](https://github.com/rouault))
		- Add support for multithreading in encoder [\#1248](uclouvain/openjpeg#1248) ([rouault](https://github.com/rouault))
		- Add support for generation of PLT markers in encoder [\#1246](uclouvain/openjpeg#1246) ([rouault](https://github.com/rouault))
		- Fix warnings about signed/unsigned casts in pi.c [\#1244](uclouvain/openjpeg#1244) ([rouault](https://github.com/rouault))
		- opj\_decompress: add sanity checks to avoid segfault in case of decoding error [\#1240](uclouvain/openjpeg#1240) ([rouault](https://github.com/rouault))
		- ignore wrong icc [\#1236](uclouvain/openjpeg#1236) ([szukw000](https://github.com/szukw000))
		- Implement writing of IMF profiles [\#1235](uclouvain/openjpeg#1235) ([rouault](https://github.com/rouault))
		- tests: add alternate checksums for libtiff 4.1 [\#1234](uclouvain/openjpeg#1234) ([rouault](https://github.com/rouault))
		- opj\_tcd\_init\_tile\(\): avoid integer overflow [\#1232](uclouvain/openjpeg#1232) ([rouault](https://github.com/rouault))
		- tests/fuzzers: link fuzz binaries using $LIB\_FUZZING\_ENGINE. [\#1230](uclouvain/openjpeg#1230) ([Dor1s](https://github.com/Dor1s))
		- opj\_j2k\_update\_image\_dimensions\(\): reject images whose coordinates are beyond INT\_MAX \(fixes \#1228\) [\#1229](uclouvain/openjpeg#1229) ([rouault](https://github.com/rouault))
		- Fix resource leaks [\#1226](uclouvain/openjpeg#1226) ([dodys](https://github.com/dodys))
		- abi-check.sh: fix false postive ABI error, and display output error log [\#1218](uclouvain/openjpeg#1218) ([rouault](https://github.com/rouault))
		- pi.c: avoid integer overflow, resulting in later invalid access to memory in opj\_t2\_decode\_packets\(\) [\#1217](uclouvain/openjpeg#1217) ([rouault](https://github.com/rouault))
		- Add check to validate SGcod/SPcoc/SPcod parameter values. [\#1211](uclouvain/openjpeg#1211) ([sebras](https://github.com/sebras))
		- Fix buffer overflow reading an image file less than four characters [\#1196](uclouvain/openjpeg#1196) ([robert-ancell](https://github.com/robert-ancell))
		- compression: emit POC marker when only one single POC is requested \(f… [\#1192](uclouvain/openjpeg#1192) ([rouault](https://github.com/rouault))
		- Fix several potential vulnerabilities  [\#1185](uclouvain/openjpeg#1185) ([Young-X](https://github.com/Young-X))
		- openjp2/j2k: Report error if all wanted components are not decoded. [\#1164](uclouvain/openjpeg#1164) ([sebras](https://github.com/sebras))

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@sebras @rouault and others