
[CVE-2016-10506] division-by-zero in function opj_pi_next_rpcl of pi.c (line 366) #780

Closed
trylab opened this issue May 6, 2016 · 2 comments

Comments

@trylab
Contributor

trylab commented May 6, 2016

Title

division-by-zero in function opj_pi_next_rpcl of pi.c (line 366)

Testing Environment

Ubuntu + OpenJPEG (GitHub master, 2016/05/06)

Exception Information

Program received signal SIGFPE, Arithmetic exception.
0xb69892b1 in opj_pi_next_rpcl (pi=0xb3a03ec0) at 
    /home/trylab/Desktop/repo/openjpeg/src/lib/openjp2/pi.c:366
366 if (!((pi->x % (OPJ_INT32)(comp->dx << rpx) == 0) || 
        ((pi->x == pi->tx0) && ((trx0 << levelno) % (1 << rpx))))){

PoC

https://raw.githubusercontent.com/trylab/PoCs/master/openjpeg/SIGFPE_opj_pi_next_rpcl@366/poc.j2k

Credit

Ke Liu of Tencent's Xuanwu LAB
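
The crash site quoted above divides by `(OPJ_INT32)(comp->dx << rpx)`, where `rpx = res->pdx + levelno` combines the precinct size exponent from the COD marker with the resolution level. A crafted codestream can push that shift to 31 or more, so the 32-bit value wraps to zero (or the shift is undefined) and the `%` raises SIGFPE. The following is an added example, not OpenJPEG code and not the fix in d27ccf0: it mirrors the x-axis half of the condition at pi.c line 366 with a guard that refuses to divide when the step is zero, unrepresentable, or would overflow `OPJ_INT32`. The typedefs, the function names and the input values are assumptions made for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not OpenJPEG code). Types mirror OPJ_INT32/OPJ_UINT32
 * so the arithmetic matches what pi.c does. */
typedef int32_t  OPJ_INT32;
typedef uint32_t OPJ_UINT32;

/* Divisor used by the modulus in pi.c: (OPJ_INT32)(comp->dx << rpx).
 * rpx = res->pdx + levelno, so a large precinct exponent in COD plus a
 * deep resolution level can reach 31 or beyond. Then the 32-bit shift
 * either wraps to 0 (e.g. dx=2, rpx=31) or is undefined (rpx>=32), and
 * the `%` raises SIGFPE. Reject those cases instead of dividing. */
static bool precinct_x_step(OPJ_UINT32 dx, OPJ_UINT32 rpx, OPJ_INT32 *step)
{
    if (dx == 0 || rpx >= 31) {
        return false;                /* zero step or unrepresentable shift */
    }
    uint64_t wide = (uint64_t)dx << rpx;   /* 64-bit: cannot wrap for rpx <= 30 */
    if (wide > (uint64_t)INT32_MAX) {
        return false;                /* would wrap or go negative as OPJ_INT32 */
    }
    *step = (OPJ_INT32)wide;
    return true;
}

/* Hypothetical helper: returns 1 if x is a precinct boundary (the
 * iterator should emit this precinct), 0 if not (the original code does
 * `continue`), and -1 if the geometry is invalid and the caller should
 * abort decoding rather than divide. */
int rpcl_x_is_boundary(OPJ_INT32 x, OPJ_INT32 tx0, OPJ_INT32 trx0,
                       OPJ_UINT32 levelno, OPJ_UINT32 dx, OPJ_UINT32 rpx)
{
    OPJ_INT32 step;
    if (!precinct_x_step(dx, rpx, &step)) {
        return -1;
    }
    /* Same two-part condition as pi.c line 366, now with a non-zero divisor.
     * levelno <= rpx <= 30 here, so 1 << rpx is defined and non-zero. */
    int on_grid = (x % step) == 0;
    int64_t trx0_shifted = (int64_t)trx0 << levelno;   /* no signed overflow */
    int first_partial = (x == tx0) && (trx0_shifted % (1 << rpx)) != 0;
    return (on_grid || first_partial) ? 1 : 0;
}

int main(void)
{
    /* Constructed inputs: a sane geometry, then two that would have
     * reached the modulus with a zero or undefined divisor. */
    printf("dx=1, rpx=5, x=0:   %d\n", rpcl_x_is_boundary(0, 0, 0, 2, 1, 5));
    printf("dx=1, rpx=5, x=33:  %d\n", rpcl_x_is_boundary(33, 0, 0, 2, 1, 5));
    printf("dx=2, rpx=31:       %d\n", rpcl_x_is_boundary(0, 0, 0, 29, 2, 31));
    printf("dx=1, rpx=40:       %d\n", rpcl_x_is_boundary(0, 0, 0, 30, 1, 40));
    return 0;
}
```

The guard is deliberately stricter than "divisor != 0": a step that lands above `INT32_MAX` is also refused, because the cast to `OPJ_INT32` would make it negative and the boundary test would silently compute the wrong precinct grid even though it no longer crashes.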

@szukw000
Contributor

szukw000 commented May 9, 2016

bin/opj_decompress -i /tmp/ISSUE-780/issue780-poc.j2k -o issue780-poc.j2k.png

[INFO] Start to read j2k main header (0).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Stream reached its end !
[INFO] Header of tile 6 / 64 has been read.
Floating point exception

NAME(/tmp/ISSUE-780/issue780-poc.j2k)
LENG(568)

ENTER read_jp2c
[0]marker(0xff4f)
soc len(0)
[2]marker(0xff51)
siz len(47)
capabilities(0)[extended: 0]
x(0 : 64) y(0 : 64)
xt(0 : 64) yt(0 : 1)
IMAGE w(64) h(64) TILE w(64) h(1)

----------------------

Tested with openjpeg-master-2016-05-09.

winfried

@rouault
Collaborator

rouault commented Jul 26, 2017

Fixed per d27ccf0

@rouault rouault closed this as completed Jul 26, 2017
@trylab trylab changed the title division-by-zero in function opj_pi_next_rpcl of pi.c (line 366) [CVE-2016-10506] division-by-zero in function opj_pi_next_rpcl of pi.c (line 366) Aug 30, 2017