
Potential heap-based buffer overflow in function t2_encode_packet in src/lib/openmj2/t2.c and src/lib/openjp3d/t2.c #1272

Closed
ycdxsb opened this issue Aug 30, 2020 · 1 comment
Labels: removed_components (Issues that affect MJ2, JPWL or JP3D), wontfix

ycdxsb commented Aug 30, 2020

There are four missing checks for length in function t2_encode_packet in src/lib/openmj2/t2.c and src/lib/openjp3d/t2.c.

Case 1 & Case 2: in function t2_encode_packet in file src/lib/openmj2/t2.c. Note that case 1 and case 2 have been submitted in #1127 but not patched in the latest version.

```c
/* src/lib/openmj2/t2.c, lines 167-177: SOP marker written with no check on remaining space */
    /* <SOP 0xff91> */
    if (tcp->csty & J2K_CP_CSTY_SOP) {
        c[0] = 255;
        c[1] = 145;
        c[2] = 0;
        c[3] = 4;
        c[4] = (unsigned char)((tile->packno % 65536) / 256);
        c[5] = (unsigned char)((tile->packno % 65536) % 256);
        c += 6;
    }
    /* </SOP> */
```

...

```c
/* src/lib/openmj2/t2.c, lines 273-279: EPH marker written with no check on remaining space */
    /* <EPH 0xff92> */
    if (tcp->csty & J2K_CP_CSTY_EPH) {
        c[0] = 255;
        c[1] = 146;
        c += 2;
    }
    /* </EPH> */
```

Case 3 & Case 4: in function t2_encode_packet in file src/lib/openjp3d/t2.c.

```c
/* src/lib/openjp3d/t2.c, lines 163-176: 6-byte SOP memcpy into c with no check on remaining space */
    /* <SOP 0xff91> */
    if ((tcp->csty & J3D_CP_CSTY_SOP)) {
        sop = (unsigned char *) opj_malloc(6 * sizeof(unsigned char));
        sop[0] = 255;
        sop[1] = 145;
        sop[2] = 0;
        sop[3] = 4;
        sop[4] = (volume_info) ? (volume_info->num % 65536) / 256 : (0 % 65536) / 256 ;
        sop[5] = (volume_info) ? (volume_info->num % 65536) % 256 : (0 % 65536) % 256 ;
        memcpy(c, sop, 6);
        opj_free(sop);
        c += 6;
    }
    /* </SOP> */
```

...

```c
/* src/lib/openjp3d/t2.c, lines 279-288: 2-byte EPH memcpy into c with no check on remaining space */
    /* <EPH 0xff92> */
    if (tcp->csty & J3D_CP_CSTY_EPH) {
        eph = (unsigned char *) opj_malloc(2 * sizeof(unsigned char));
        eph[0] = 255;
        eph[1] = 146;
        memcpy(c, eph, 2);
        opj_free(eph);
        c += 2;
    }
    /* </EPH> */
```
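As an added example (not code from this issue or from the OpenJPEG project), here is one way the marker writes above can be bounded: a hypothetical writer that carries the number of bytes still free in the packet buffer and refuses the SOP or EPH write when it would not fit. The names pkt_writer, write_sop, write_eph and emit_markers are assumptions for this illustration.

```c
#include <stddef.h>

/* Hypothetical bounded writer: carries the room left in the packet buffer
 * instead of the bare pointer `c` that the excerpts above advance blindly. */
typedef struct {
    unsigned char *cur;  /* next byte to write */
    size_t remaining;    /* bytes still free in the destination buffer */
} pkt_writer;

/* SOP marker segment: 0xFF91, Lsop = 4, Nsop = packno mod 65536 (6 bytes).
 * Returns 1 on success, 0 if fewer than 6 bytes remain. */
static int write_sop(pkt_writer *w, unsigned int packno) {
    if (w->remaining < 6) {
        return 0;  /* the length check the report says is missing */
    }
    unsigned int nsop = packno % 65536;
    w->cur[0] = 0xFF;
    w->cur[1] = 0x91;
    w->cur[2] = 0;
    w->cur[3] = 4;
    w->cur[4] = (unsigned char)(nsop / 256);
    w->cur[5] = (unsigned char)(nsop % 256);
    w->cur += 6;
    w->remaining -= 6;
    return 1;
}

/* EPH marker: 0xFF92 (2 bytes). Same contract as write_sop. */
static int write_eph(pkt_writer *w) {
    if (w->remaining < 2) {
        return 0;
    }
    w->cur[0] = 0xFF;
    w->cur[1] = 0x92;
    w->cur += 2;
    w->remaining -= 2;
    return 1;
}

/* Write SOP then EPH into buf[0..len). Returns bytes written, or 0 when
 * either marker would not fit; nothing is ever written past buf + len. */
size_t emit_markers(unsigned char *buf, size_t len, unsigned int packno) {
    pkt_writer w = { buf, len };
    if (!write_sop(&w, packno) || !write_eph(&w)) {
        return 0;
    }
    return (size_t)(w.cur - buf);
}
```

The same pattern applies to every other write into the packet buffer in the function: compute the size up front and compare it against the remaining length before touching memory.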
rouault added the removed_components (Issues that affect MJ2, JPWL or JP3D) and wontfix labels May 6, 2021

rouault (Collaborator) commented May 6, 2021

Issue no longer relevant since #1350

rouault closed this as completed May 6, 2021