
Double free in j2k_read_ppm_v3 parsing a (presumably invalid) image. #496

Closed
gcode-importer opened this issue May 28, 2015 · 3 comments

Comments

@gcode-importer

Originally reported on Google Code with ID 496

Hi. I thought I'd reported this but don't appear to have, so apologies if this is a
duplicate. There's a double-free in j2k_read_ppm_v3 when trying to decode the attached
fuzzer-produced file. It calls realloc() with a zero size and on Linux with glibc,
that causes realloc to free the buffer and return NULL. The code in j2k_read_ppm_v3
then interprets this as realloc failing because it couldn't allocate any memory and
tries to free the buffer again, causing a crash. It's not exploitable for anything
beyond that but could be a little annoying.

Tested with svn r3004 on Linux x86-64:

==12952== Command: bin/opj_decompress -i openjpeg-svn-id000023svn-double-free-j2k_read_ppm_v3.jp2 -o test.raw
==12952== 

[INFO] Start to read j2k main header (85).
==12952== Invalid free() / delete / delete[] / realloc()
==12952==    at 0x4C2D53B: free (vg_replace_malloc.c:473)
==12952==    by 0x4E4A53B: j2k_read_ppm_v3 (j2k.c:3759)
==12952==    by 0x4E4B119: opj_j2k_read_header_procedure (j2k.c:7250)
==12952==    by 0x4E48588: opj_j2k_exec (j2k.c:7318)
==12952==    by 0x4E4CD98: opj_j2k_read_header (j2k.c:6813)
==12952==    by 0x10B71A: main (opj_decompress.c:1253)
==12952==  Address 0x65e1b80 is 0 bytes after a block of size 0 free'd
==12952==    at 0x4C2D53B: free (vg_replace_malloc.c:473)
==12952==    by 0x4C2E799: realloc (vg_replace_malloc.c:692)
==12952==    by 0x4E4A2C1: j2k_read_ppm_v3 (j2k.c:3733)
==12952==    by 0x4E4B119: opj_j2k_read_header_procedure (j2k.c:7250)
==12952==    by 0x4E48588: opj_j2k_exec (j2k.c:7318)
==12952==    by 0x4E4CD98: opj_j2k_read_header (j2k.c:6813)
==12952==    by 0x10B71A: main (opj_decompress.c:1253)


Reported by makosoft on 2015-05-28 21:45:00


- _Attachment: [openjpeg-svn-id000023svn-double-free-j2k_read_ppm_v3.jp2](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-496/comment-0/openjpeg-svn-id000023svn-double-free-j2k_read_ppm_v3.jp2)_
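The report hinges on a property of `realloc()`: the C standard (through C17) leaves `realloc(ptr, 0)` implementation-defined, and glibc frees `ptr` and returns NULL, which a caller that treats NULL as "out of memory" then frees a second time. The following is an added illustration, not code from OpenJPEG or from the reporter; the `seg_buf` type, `buggy_append`, `safe_append` and the constructed three-segment input are all assumptions made for the example. `buggy_append` mirrors the pattern described above and is shown for comparison only; `safe_append` refuses to hand the allocator a zero size and also checks the running total for wrap-around before it is used.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Payload accumulated across several marker segments, as a PPM parser
 * would do. Constructed example type, not OpenJPEG's own. */
typedef struct {
    unsigned char *data;
    size_t len;
} seg_buf;

/* The pattern the report describes: realloc() is asked for the new total
 * and a NULL result is read as "out of memory", so the old block is freed.
 * On glibc, realloc(ptr, 0) with a non-NULL ptr frees ptr and returns NULL,
 * so when new_len == 0 the free() below frees the same block a second time.
 * Kept only for comparison; never call it with b->data != NULL and n == 0. */
int buggy_append(seg_buf *b, const unsigned char *p, size_t n)
{
    size_t new_len = b->len + n;
    unsigned char *np = realloc(b->data, new_len);
    if (np == NULL) {
        free(b->data);          /* second free when new_len == 0 on glibc */
        b->data = NULL;
        b->len = 0;
        return 0;
    }
    memcpy(np + b->len, p, n);
    b->data = np;
    b->len = new_len;
    return 1;
}

/* Hardened version: never pass a size of 0 to the allocator, and check the
 * length arithmetic for wrap-around before using it. On a genuine
 * allocation failure the old block is still owned by the caller, so
 * freeing it exactly once is correct. */
int safe_append(seg_buf *b, const unsigned char *p, size_t n)
{
    if (n == 0)
        return 1;               /* empty segment: nothing to allocate or copy */
    if (n > SIZE_MAX - b->len) {
        free(b->data);          /* total would wrap; drop the partial payload */
        b->data = NULL;
        b->len = 0;
        return 0;
    }
    size_t new_len = b->len + n;
    unsigned char *np = realloc(b->data, new_len);
    if (np == NULL) {
        free(b->data);          /* real failure: old block still valid, free it once */
        b->data = NULL;
        b->len = 0;
        return 0;
    }
    memcpy(np + b->len, p, n);
    b->data = np;
    b->len = new_len;
    return 1;
}

/* Feeds three constructed segments, the middle one empty (the shape that
 * makes buggy_append double free on glibc), and checks the result.
 * Returns 1 on success. */
int run_safe_demo(void)
{
    static const unsigned char s1[] = "abc", s2[] = "", s3[] = "de";
    seg_buf b = { NULL, 0 };
    int ok = safe_append(&b, s1, 3) && safe_append(&b, s2, 0) && safe_append(&b, s3, 2);
    ok = ok && b.len == 5 && memcmp(b.data, "abcde", 5) == 0;
    free(b.data);
    return ok;
}

/* A segment length that would wrap the running total must be rejected,
 * not silently turned into a tiny allocation. Returns 1 if the guard fires
 * and the buffer is left in a clean state. */
int run_overflow_demo(void)
{
    static const unsigned char s1[] = "abc";
    seg_buf b = { NULL, 0 };
    if (!safe_append(&b, s1, 3))
        return 0;
    int rejected = !safe_append(&b, s1, SIZE_MAX);   /* 3 + SIZE_MAX wraps */
    int cleaned = (b.data == NULL && b.len == 0);
    free(b.data);   /* no-op on NULL; keeps the function leak-free either way */
    return rejected && cleaned;
}

int main(void)
{
    printf("safe_append demo: %s\n", run_safe_demo() ? "ok" : "FAIL");
    printf("overflow guard:   %s\n", run_overflow_demo() ? "ok" : "FAIL");
    return 0;
}
```

Running the same three segments through `buggy_append` under glibc reproduces the shape of the Valgrind report above: the second call hits `realloc(data, 0)`, the block is released inside `realloc`, and the error path releases it again. A parser should validate the marker's declared lengths before they reach the allocator rather than rely on any particular `realloc(ptr, 0)` behaviour.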
@gcode-importer
Author

Reported by mayeut on 2015-06-01 16:04:46

  • Labels added: Priority-Critical
  • Labels removed: Priority-Medium

@szukw000
Contributor

makosoft,

the file in question contains the following marker:

[71]marker(0xff64)
com len(37)
R[1](General use (ISO 8859-1 (latin-1) values))
T(Created by OpenJPEG version 2.1.0)

As this file has been created by OPENJPEG there must be an input file for OPJ_COMPRESS.
If you have created this output_file: do you have the original input file?

If yes: can you please upload a link to this input file?

winfried

@mayeut
Collaborator

mayeut commented Jul 12, 2015

Will be solved with #470

@mayeut mayeut closed this as completed Jul 26, 2015
@mayeut mayeut added this to the OPJ v2.1.1 milestone Jul 26, 2015