
Encoder: issue in lib/openjp2/tgt.c when small precincts size, -TP C and non (0,0) grid offset #1294

Open
zodf0055980 opened this issue Dec 1, 2020 · 3 comments

Comments

@zodf0055980
Contributor

I found a NULL dereference in the current master (61ff143).
I built openjpeg with ASAN; this is the ASAN report.
POC picture: sample (attached image)

➜  ~/openjpeg/build/bin/opj_compress -o ./a.j2k -i ./sample.png -c \[32,32\],\[32,32\] -TP C -d 50,50 

[INFO] tile number 1 / 1
ASAN:DEADLYSIGNAL
=================================================================
==18479==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fc7885e58d7 bp 0x000000000000 sp 0x7ffccfc34870 T0)
==18479==The signal is caused by a READ memory access.
==18479==Hint: address points to the zero page.
    #0 0x7fc7885e58d6 in opj_tgt_reset /home/yuan/afl-target/openjpeg/src/lib/openjp2/tgt.c:247
    #1 0x7fc7885b01ef in opj_t2_encode_packet /home/yuan/afl-target/openjpeg/src/lib/openjp2/t2.c:743
    #2 0x7fc7885b9db6 in opj_t2_encode_packets /home/yuan/afl-target/openjpeg/src/lib/openjp2/t2.c:332
    #3 0x7fc7885dd9ee in opj_tcd_t2_encode /home/yuan/afl-target/openjpeg/src/lib/openjp2/tcd.c:2562
    #4 0x7fc7885dd9ee in opj_tcd_encode_tile /home/yuan/afl-target/openjpeg/src/lib/openjp2/tcd.c:1465
    #5 0x7fc7884b766d in opj_j2k_write_sod /home/yuan/afl-target/openjpeg/src/lib/openjp2/j2k.c:4813
    #6 0x7fc7884b766d in opj_j2k_write_first_tile_part /home/yuan/afl-target/openjpeg/src/lib/openjp2/j2k.c:12640
    #7 0x7fc7884b766d in opj_j2k_post_write_tile /home/yuan/afl-target/openjpeg/src/lib/openjp2/j2k.c:12396
    #8 0x7fc7884ef8dd in opj_j2k_encode /home/yuan/afl-target/openjpeg/src/lib/openjp2/j2k.c:12145
    #9 0x5569a86d6b75 in main /home/yuan/afl-target/openjpeg/src/bin/jp2/opj_compress.c:2206
    #10 0x7fc787604bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #11 0x5569a86dbd69 in _start (/home/yuan/afl-target/openjpeg/build/bin/opj_compress+0x1ad69)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/yuan/afl-target/openjpeg/src/lib/openjp2/tgt.c:247 in opj_tgt_reset
==18479==ABORTING
rouault added a commit to rouault/openjpeg that referenced this issue Dec 1, 2020
rouault added a commit that referenced this issue Dec 2, 2020
opj_t2_encode_packet(): avoid out of bound access of #1294, but likely not the proper fix
@rouault
Collaborator

rouault commented Dec 2, 2020

With the fix done in fbd30b0, this now returns a "clean" error:

[INFO] tile number 1 / 1
[ERROR] opj_t2_encode_packet(): accessing precno=1 >= 1
[ERROR] Cannot encode tile
failed to encode image: opj_encode
failed to encode image: opj_end_compress
failed to encode image
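
As an added illustration (not OpenJPEG's code, and not the proper fix the commit message says is still missing) of why a non-(0,0) grid offset such as `-d 50,50` changes the precinct count at a small precinct size, and of the kind of bound check the interim fix adds: the precinct-count formula from ITU-T T.800 Annex B.6 applied to a constructed resolution model. The struct and function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of one resolution level (not OpenJPEG's opj_tcd_resolution_t). */
typedef struct {
    uint32_t trx0, try0, trx1, try1; /* resolution-level bounds */
    uint32_t ppx, ppy;               /* log2 of precinct width / height */
    uint32_t pw, ph;                 /* derived: precincts across / down */
} res_t;

/* ceil(a / 2^b) without overflow for 32-bit inputs. */
static uint32_t ceil_div_pow2(uint32_t a, uint32_t b) {
    return (uint32_t)(((uint64_t)a + (((uint64_t)1 << b) - 1)) >> b);
}

/* Precinct count per ITU-T T.800 Annex B.6:
   numprecincts_wide = ceil(trx1 / 2^PPx) - floor(trx0 / 2^PPx), or 0 if empty.
   A non-zero origin (trx0 > 0) changes the floor term, so the same image size
   can yield a different count than it does at offset (0,0). */
static void compute_precincts(res_t *r) {
    r->pw = (r->trx1 > r->trx0) ? ceil_div_pow2(r->trx1, r->ppx) - (r->trx0 >> r->ppx) : 0;
    r->ph = (r->try1 > r->try0) ? ceil_div_pow2(r->try1, r->ppy) - (r->try0 >> r->ppy) : 0;
}

/* Build resolution `resno` of a tile-component with bounds [tcx0,tcx1)x[tcy0,tcy1)
   and `numres` resolution levels (resno 0 is the coarsest). */
res_t make_res(uint32_t tcx0, uint32_t tcy0, uint32_t tcx1, uint32_t tcy1,
               uint32_t numres, uint32_t resno, uint32_t ppx, uint32_t ppy) {
    uint32_t level = numres - 1 - resno;   /* number of 2:1 reductions */
    res_t r;
    r.trx0 = ceil_div_pow2(tcx0, level);
    r.try0 = ceil_div_pow2(tcy0, level);
    r.trx1 = ceil_div_pow2(tcx1, level);
    r.try1 = ceil_div_pow2(tcy1, level);
    r.ppx = ppx; r.ppy = ppy;
    compute_precincts(&r);
    return r;
}

/* Bounds guard in the spirit of the interim fix: report and refuse rather than
   index past the pw*ph precincts that were allocated. 0 = ok, -1 = out of range. */
int check_precno(const res_t *r, uint32_t precno) {
    uint32_t nprec = r->pw * r->ph;
    if (precno >= nprec) {
        fprintf(stderr, "[ERROR] accessing precno=%u >= %u\n", precno, nprec);
        return -1;
    }
    return 0;
}
```

With 32x32 precincts, a 64x64 component has 2x2 precincts at offset (0,0) but 3x3 at offset (50,50); any caller that sized its arrays from one count and indexes with the other walks off the end, which is what the guard catches.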

@rouault rouault changed the title NULL dereference in lib/openjp2/tgt.c:247 Encoder: issue in lib/openjp2/tgt.c when small precincts size, -TP C and non (0,0) grid offset Dec 2, 2020
@zodf0055980
Contributor Author

CVE-2020-27842 was assigned for this issue.

@carnil

carnil commented Feb 28, 2021

> @rouault
>
> With the fix done in fbd30b0, this now returns a "clean" error:
>
> [INFO] tile number 1 / 1
> [ERROR] opj_t2_encode_packet(): accessing precno=1 >= 1
> [ERROR] Cannot encode tile
> failed to encode image: opj_encode
> failed to encode image: opj_end_compress
> failed to encode image

so this means the issue is considered to be closed with that change?

edit: okay, no, the comment clearly says that this is unlikely to be the proper fix.
