Multiple issues causing opj_decompress to segfault #446

Closed
gcode-importer opened this issue Dec 1, 2014 · 6 comments

Comments

@gcode-importer

Originally reported on Google Code with ID 446

Hello,

During a fuzzing session I discovered 4 different occasions where opj_decompress would
segfault.

1) An out-of-bounds memory read. I am still in the process of evaluating the security
risk of the bug. The bug appears only if openjpeg is compiled in x86_64 environment.
A CVE has been reserved for this bug.

(gdb) r -i ../../crashes/crash3.jp2 -o test.png
Starting program: /home/lab/Projects/Fuzzing/openjpeg-2.1.0/bin/opj_decompress -i ../../crashes/crash3.jp2
-o test.png
warning: the debug information found in "/lib64/ld-2.19.so" does not match "/lib64/ld-linux-x86-64.so.2"
(CRC mismatch).


[INFO] JP2 IHDR box: compression type indicate that the file is not a conforming JP2
file (0) 

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b97747 in opj_read_bytes_LE (
    p_buffer=0x100619b6a <error: Cannot access memory at address 0x100619b6a>, 
    p_value=0x7fffffffaae8, p_nb_bytes=4)
    at /home/lab/Projects/Fuzzing/openjpeg-2.1.0/src/lib/openjp2/cio.c:87
87          *(l_data_ptr--) = *(p_buffer++);

(gdb) bt
#0  0x00007ffff7b97747 in opj_read_bytes_LE (
    p_buffer=0x100619b6a <error: Cannot access memory at address 0x100619b6a>, 
    p_value=0x7fffffffaae8, p_nb_bytes=4)
    at /home/lab/Projects/Fuzzing/openjpeg-2.1.0/src/lib/openjp2/cio.c:87
#1  0x00007ffff7bb5319 in opj_jp2_read_boxhdr_char (box=0x7fffffffab30, 
    p_data=0x100619b69 <error: Cannot access memory at address 0x100619b69>, 
    p_number_bytes_read=0x7fffffffab20, p_box_max_size=12, p_manager=0x617328)
    at /home/lab/Projects/Fuzzing/openjpeg-2.1.0/src/lib/openjp2/jp2.c:2230
#2  0x00007ffff7bb5132 in opj_jp2_read_jp2h (jp2=0x617380, 
    p_header_data=0x100619b69 <error: Cannot access memory at address 0x100619b69>,
p_header_size=12, p_manager=0x617328)
    at /home/lab/Projects/Fuzzing/openjpeg-2.1.0/src/lib/openjp2/jp2.c:2177
#3  0x00007ffff7bb476e in opj_jp2_read_header_procedure (jp2=0x617380, 
    stream=0x617250, p_manager=0x617328)
    at /home/lab/Projects/Fuzzing/openjpeg-2.1.0/src/lib/openjp2/jp2.c:1866
#4  0x00007ffff7bb4923 in opj_jp2_exec (jp2=0x617380, 
    p_procedure_list=0x619ad0, stream=0x617250, p_manager=0x617328)
    at /home/lab/Projects/Fuzzing/openjpeg-2.1.0/src/lib/openjp2/jp2.c:1917
#5  0x00007ffff7bb5568 in opj_jp2_read_header (p_stream=0x617250, 
    jp2=0x617380, p_image=0x7fffffffaca8, p_manager=0x617328)
    at /home/lab/Projects/Fuzzing/openjpeg-2.1.0/src/lib/openjp2/jp2.c:2299
#6  0x00007ffff7bb8266 in opj_read_header (p_stream=0x617250, 
    p_codec=0x6172d0, p_image=0x7fffffffaca8)
    at /home/lab/Projects/Fuzzing/openjpeg-2.1.0/src/lib/openjp2/openjpeg.c:392
#7  0x0000000000404032 in main (argc=5, argv=0x7fffffffde38)
    at /home/lab/Projects/Fuzzing/openjpeg-2.1.0/src/bin/jp2/opj_decompress.c:801

2) This case causes an abort instead of a segfault

(gdb) r -i ../../crashes/crash26.jp2 -o test.png
[INFO] Start to read j2k main header (85).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
WARNING in tgt_create tree->numnodes == 0, no tree created.
WARNING: No incltree created.
WARNING in tgt_create tree->numnodes == 0, no tree created.
WARNING: No imsbtree created.
WARNING in tgt_create tree->numnodes == 0, no tree created.
(....)
WARNING: No incltree created.
WARNING in tgt_create tree->numnodes == 0, no tree created.
WARNING: No imsbtree created.
[INFO] Header of tile 0 / 0 has been read.
[INFO] Tile 1/1 has been decoded.
opj_decompress: /root/Fuzzing/openjpeg2000/openjpeg-2.1.0/src/lib/openjp2/j2k.c:7857:
opj_j2k_update_image_data: Assertion `l_res->x0 >= 0' failed.

Program received signal SIGABRT, Aborted.
0xb7fe1424 in __kernel_vsyscall ()

(gdb) bt
#0  0xb7fe1424 in __kernel_vsyscall ()
#1  0xb7dd9661 in *__GI_raise (sig=6)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#2  0xb7ddca92 in *__GI_abort () at abort.c:92
#3  0xb7dd2878 in *__GI___assert_fail (assertion=0xb7fd38b8 "l_res->x0 >= 0", 
    file=0xb7fd1c14 "/root/Fuzzing/openjpeg2000/openjpeg-2.1.0/src/lib/openjp2/j2k.c",
line=7857, function=0xb7fd49ef "opj_j2k_update_image_data")
    at assert.c:81
#4  0xb7fb2c3d in opj_j2k_update_image_data (p_tcd=0x8061850, 
    p_data=0x80d2cc8 "\200", p_output_image=0x80623a8)
    at /root/Fuzzing/openjpeg2000/openjpeg-2.1.0/src/lib/openjp2/j2k.c:7857
#5  0xb7fb656f in opj_j2k_decode_tiles (p_j2k=0x805c298, p_stream=0x805c170, 
    p_manager=0x805c1e4)
    at /root/Fuzzing/openjpeg2000/openjpeg-2.1.0/src/lib/openjp2/j2k.c:9242
#6  0xb7fb12c2 in opj_j2k_exec (p_j2k=0x805c298, p_procedure_list=0x805e410, 
    p_stream=0x805c170, p_manager=0x805c1e4)
    at /root/Fuzzing/openjpeg2000/openjpeg-2.1.0/src/lib/openjp2/j2k.c:7110
#7  0xb7fb6ba9 in opj_j2k_decode (p_j2k=0x805c298, p_stream=0x805c170, 
    p_image=0x8061c68, p_manager=0x805c1e4)
    at /root/Fuzzing/openjpeg2000/openjpeg-2.1.0/src/lib/openjp2/j2k.c:9426
#8  0xb7fbaf28 in opj_jp2_decode (jp2=0x805c210, p_stream=0x805c170, 
    p_image=0x8061c68, p_manager=0x805c1e4)
    at /root/Fuzzing/openjpeg2000/openjpeg-2.1.0/src/lib/openjp2/jp2.c:1294
#9  0xb7fbf76f in opj_decode (p_codec=0x805c1b8, p_stream=0x805c170, 
    p_image=0x8061c68)
    at /root/Fuzzing/openjpeg2000/openjpeg-2.1.0/src/lib/openjp2/openjpeg.c:413
#10 0x0804ba26 in main (argc=5, argv=0xbffff4f4)
    at /root/Fuzzing/openjpeg2000/openjpeg-2.1.0/src/bin/jp2/opj_decompress.c:821



3) The following error is caused if the contents of the jp2 file end unexpectedly.
It applies to other export formats as well (e.g. output to bmp file also crashes opj_decompress)

(gdb) r -i ../crashes/crash27.jp2 -o test.png
Starting program: /root/Fuzzing/openjpeg2000/openjpeg-2.1.0/bin/opj_decompress -i ../crashes/crash27.jp2
-o test.png

[INFO] Start to read j2k main header (85).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Stream reached its end !
/root/Fuzzing/openjpeg2000/openjpeg-2.1.0/src/bin/jp2/convert.c:3554:sgnd(0,0,0) w(32)
h(32) alpha(0)

Program received signal SIGSEGV, Segmentation fault.
0x08053faf in imagetopng (image=0x8061c90, write_idf=0xbfffe3f0 "test.png")
    at /root/Fuzzing/openjpeg2000/openjpeg-2.1.0/src/bin/jp2/convert.c:3605
3605                    v = *red + adjustR; ++red;

(gdb) bt
#0  0x08053faf in imagetopng (image=0x8061c90, write_idf=0xbfffe3f0 "test.png")
    at /root/Fuzzing/openjpeg2000/openjpeg-2.1.0/src/bin/jp2/convert.c:3605
#1  0x0804bf97 in main (argc=5, argv=0xbffff4f4)
    at /root/Fuzzing/openjpeg2000/openjpeg-2.1.0/src/bin/jp2/opj_decompress.c:946


4)

(gdb) r -i ../../crashes/crash11.jp2 -o test.png
Starting program: /home/lab/Projects/Fuzzing/openjpeg-2.1.0/bin/opj_decompress -i ../../crashes/crash11.jp2
-o test.png
warning: the debug information found in "/lib64/ld-2.19.so" does not match "/lib64/ld-linux-x86-64.so.2"
(CRC mismatch).


[INFO] Start to read j2k main header (85).

Program received signal SIGSEGV, Segmentation fault.
__memcpy_sse2_unaligned ()
    at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36
36  ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory.
(gdb) bt
#0  __memcpy_sse2_unaligned ()
    at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36
#1  0x00007ffff7ba0e8e in j2k_read_ppm_v3 (p_j2k=0x617440, 
    p_header_data=0x618bb9 " by OpenJPEG version 2.1.0\003\a\001\001\a\001\001\a\001\001",
p_header_size=4294967295, p_manager=0x617328)
    at /home/lab/Projects/Fuzzing/openjpeg-2.1.0/src/lib/openjp2/j2k.c:3644
#2  0x00007ffff7ba8e91 in opj_j2k_read_header_procedure (p_j2k=0x617440, 
    p_stream=0x617250, p_manager=0x617328)
    at /home/lab/Projects/Fuzzing/openjpeg-2.1.0/src/lib/openjp2/j2k.c:7055
#3  0x00007ffff7ba90ef in opj_j2k_exec (p_j2k=0x617440, 
    p_procedure_list=0x6199d0, p_stream=0x617250, p_manager=0x617328)
    at /home/lab/Projects/Fuzzing/openjpeg-2.1.0/src/lib/openjp2/j2k.c:7110
#4  0x00007ffff7ba7ec0 in opj_j2k_read_header (p_stream=0x617250, 
    p_j2k=0x617440, p_image=0x7fffffffaca8, p_manager=0x617328)
    at /home/lab/Projects/Fuzzing/openjpeg-2.1.0/src/lib/openjp2/j2k.c:6642
#5  0x00007ffff7bb558e in opj_jp2_read_header (p_stream=0x617250, 
    jp2=0x617380, p_image=0x7fffffffaca8, p_manager=0x617328)
    at /home/lab/Projects/Fuzzing/openjpeg-2.1.0/src/lib/openjp2/jp2.c:2303
#6  0x00007ffff7bb8266 in opj_read_header (p_stream=0x617250, 
    p_codec=0x6172d0, p_image=0x7fffffffaca8)
    at /home/lab/Projects/Fuzzing/openjpeg-2.1.0/src/lib/openjp2/openjpeg.c:392
#7  0x0000000000404032 in main (argc=5, argv=0x7fffffffde38)
    at /home/lab/Projects/Fuzzing/openjpeg-2.1.0/src/bin/jp2/opj_decompress.c:801


I attach the example files named crash1,2,3,4 accordingly. I am still fuzzing the openjpeg
library so other issues may come to light in the following days.

Reported by paris8105 on 2014-12-01 09:53:58


- Attachment: [crash2.jp2](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-446/comment-0/crash2.jp2)
- Attachment: [crash4.jp2](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-446/comment-0/crash4.jp2)
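Crash 1 above dies in opj_read_bytes_LE while opj_jp2_read_boxhdr_char parses a box header with only p_box_max_size=12 bytes in hand. As an added illustration, not code from OpenJPEG or from this report, here is a JP2 box header reader that checks every field against the bytes actually available before reading it; the type and function names and the sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Parsed JP2 box header: LBox, TBox, optional XLBox (hypothetical type). */
typedef struct {
    uint32_t type;     /* TBox: four ASCII characters as a big-endian u32 */
    uint64_t length;   /* total box length in bytes, header included */
    size_t hdr_size;   /* 8, or 16 when the XLBox field is present */
} box_hdr_t;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse one box header from `avail` bytes at `buf`. Each field is checked
 * against `avail` before it is read, so a truncated header can never drive
 * a read past the buffer end. Returns 1 on success, 0 on truncated or
 * inconsistent input. */
int read_box_header(const uint8_t *buf, size_t avail, box_hdr_t *out) {
    if (buf == NULL || out == NULL || avail < 8) return 0;
    uint32_t lbox = be32(buf);
    out->type = be32(buf + 4);
    out->hdr_size = 8;
    if (lbox == 1) {            /* XLBox: 64-bit length follows */
        if (avail < 16) return 0;
        out->length = ((uint64_t)be32(buf + 8) << 32) | be32(buf + 12);
        out->hdr_size = 16;
    } else if (lbox == 0) {     /* box extends to the end of the data */
        out->length = avail;
    } else {
        out->length = lbox;
    }
    /* Shorter than its own header would underflow "length - header";
     * longer than what we hold would read payload past the buffer. */
    if (out->length < out->hdr_size || out->length > avail) return 0;
    return 1;
}

/* Convenience wrapper: accepted box length, or 0 when the header is rejected. */
uint64_t box_length_or_zero(const uint8_t *buf, size_t avail) {
    box_hdr_t h;
    return read_box_header(buf, avail, &h) ? h.length : 0;
}

/* Constructed samples: a 20-byte 'jp2h' superbox holding a 12-byte 'ihdr'
 * box, an XLBox header cut off at 12 bytes, and an open-ended (LBox=0) box. */
const uint8_t SAMPLE_JP2H[20] = { 0, 0, 0, 20, 'j', 'p', '2', 'h',
                                  0, 0, 0, 12, 'i', 'h', 'd', 'r', 0, 0, 0, 0 };
const uint8_t SAMPLE_XLBOX_SHORT[12] = { 0, 0, 0, 1, 'j', 'p', '2', 'c', 0, 0, 0, 0 };
const uint8_t SAMPLE_OPEN_ENDED[10] = { 0, 0, 0, 0, 'j', 'p', '2', 'c', 0xFF, 0x4F };
```

Feeding the same 20-byte box with `avail` set to 7 or 19 is the truncated-file case: the reader rejects it instead of reading beyond the buffer.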
@gcode-importer
Author

Hi,

Could you tell what version you're using? I'm guessing tag 2.1.0 but unless you say
so, there will always be a doubt.
Running this against latest trunk (r2948) shows no error when running an instrumented
ASan build on MacOS x86_64.

Reported by mayeut on 2014-12-02 20:12:49

  • Labels added: Priority-Critical, Restrict-View-CoreTeam
  • Labels removed: Priority-Medium

@gcode-importer
Author

Sorry for the missing info. Indeed I am using 2.1. All tests were performed in Linux environments. I'll
see if I can reproduce the issues using the latest trunk and report back.

Reported by paris8105 on 2014-12-02 20:41:34

@gcode-importer
Author

I just tested the above Proof of Concept files with the latest trunk. Indeed the errors
seem to be properly handled. The issues are valid for 2.1 though.

Reported by paris8105 on 2014-12-03 09:25:11

@gcode-importer
Author

Setting this one blocked on Issue 405.
Not closing the issue to test again against updated 2.1 branch once Issue 405 is fixed.

Reported by mayeut on 2014-12-03 20:21:43

@mayeut
Collaborator

mayeut commented Sep 4, 2015

@detonin,

this issue was kept open waiting for backports to branch 2.1.
I guess branch 2.1 has no real meaning in the repository since master is (should be) API/ABI compliant with 2.1.0.
In this case, I suggest that branch 2.1 be deleted & this issue closed (the same comment goes for #405).

@detonin
Contributor

detonin commented Jan 25, 2016

Master merged in 2.1. Closing.

@detonin detonin closed this as completed Jan 25, 2016