[CVE-2016-10505] Null Pointer Access in function sycc422_to_rgb of color.c

[trylab]

Title

Null Pointer Access in function sycc422_to_rgb of color.c

Testing Environment

Ubuntu + OpenJPEG (GitHub master, 2016/06/28)

Exception Information

==3793==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc 0x08164302 bp 0xb4e00770 sp 0xbffd6da0 T0)
    #0 0x8164301 in sycc422_to_rgb ~/Desktop/repo/openjpeg-master/src/bin/common/color.c:169:29
    #1 0x8164301 in color_sycc_to_rgb ~/Desktop/repo/openjpeg-master/src/bin/common/color.c:336
    #2 0x8137a25 in main ~/Desktop/repo/openjpeg-master/src/bin/jp2/opj_decompress.c:1375:4
    #3 0xb7402a82 in __libc_start_main /build/eglibc-617sU_/eglibc-2.19/csu/libc-start.c:287
    #4 0x8077e6b in _start (~/Desktop/repo/openjpeg-master/bin/opj_decompress+0x8077e6b)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ~/Desktop/repo/openjpeg-master/src/bin/common/color.c:169 sycc422_to_rgb
==3793==ABORTING

PoC

https://raw.githubusercontent.com/trylab/PoCs/master/openjpeg/SIGSEGV_Null-Pointer-Access_sycc422_to_rgb/sycc422_to_rgb.j2k

Credit

Ke Liu of Tencent's Xuanwu LAB

[szukw000]

Another buggy image created with OpenJPEG.

winfried

sycc422_to_rgb-j2k.txt

[boxerab]

Yes, TSOT marker is at the end of the file, so there is no actual tile data.

[mayeut]

Seems to be the same root cause for #785, #784 & #776

[boxerab]

Solution is to return error if no image data is actually decoded

[rouault]

No longer reproducible with master

$ bin/opj_decompress -i ../sycc422_to_rgb.j2k   -o out.j2k.pgx

[INFO] Start to read j2k main header (0).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
ERROR -> opj_decompress: no image data!