Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Out-of-Bounds Write issue can occur in function convert_32s_C1P1 (openjpeg-2.1.2/src/bin/jp2/convert.c:153) #872

Closed
chunibalon opened this Issue Dec 7, 2016 · 4 comments

Comments

Projects
None yet
3 participants
@chunibalon
Copy link

chunibalon commented Dec 7, 2016

DESCRIPTION

There is an out-of-bound write issue can occur in function convert_32s_C1P1 (openjpeg-2.1.2/src/bin/jp2/convert.c:153)(Actually, other functions like covert__ will also trigger this problem).
This issue can be caused by a malformed TIFF file.

VERSION

OPENJPEG-2.1.2

Address Sanitizer Output

==126239==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ef51 at pc 0x7ffff6ef6935 bp 0x7fffffff7d30 sp 0x7fffffff74d8
READ of size 128 at 0x60200000ef51 thread T0
#0 0x7ffff6ef6934 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c934)
#1 0x40d325 in convert_32s_C1P1 /home/kirito/Desktop/fuzz/openjpeg-2.1.2/src/bin/jp2/convert.c:153
#2 0x4466ce in tiftoimage /home/kirito/Desktop/fuzz/openjpeg-2.1.2/src/bin/jp2/converttif.c:1431
#3 0x40b941 in main /home/kirito/Desktop/fuzz/openjpeg-2.1.2/src/bin/jp2/opj_compress.c:1739
#4 0x7ffff5df982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#5 0x4037f8 in _start (/home/kirito/Desktop/fuzz/openjpeg-2.1.2/build/asan-dbg-bin/tif_crashes/analysis/opj_compress+0x4037f8)

0x60200000ef51 is located 0 bytes to the right of 1-byte region [0x60200000ef50,0x60200000ef51)
allocated by thread T0 here:
#0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x446561 in tiftoimage /home/kirito/Desktop/fuzz/openjpeg-2.1.2/src/bin/jp2/converttif.c:1406
#2 0x40b941 in main /home/kirito/Desktop/fuzz/openjpeg-2.1.2/src/bin/jp2/opj_compress.c:1739
#3 0x7ffff5df982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa[01]fa fa fa 00 fa
0x0c047fff9df0: fa fa 00 fa fa fa fd fa fa fa fd fa fa fa 00 00
0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==126239==ABORTING

Analysis and PoC

This attachment includes poc and analysis document.
poc2+analysis2f.zip

Author

name: bobb, chunibalon of VARAS@IIE
email: xiangxb2112@gmail.com

@chunibalon chunibalon changed the title out-of-bound write issue can occur in function convert_32s_C1P1 (openjpeg-2.1.2/src/bin/jp2/convert.c:153) Out-of-Bounds Write issue can occur in function convert_32s_C1P1 (openjpeg-2.1.2/src/bin/jp2/convert.c:153) Dec 7, 2016

@szukw000

This comment has been minimized.

Copy link
Contributor

szukw000 commented Dec 8, 2016

@chunibalon,

it may be that I have found the bugs in #871 and #872. The patch is attached.

Can you test it? I have used the openjp2 library from Dec 07 2016.

winfried
converttif.c.dif.zip

@chunibalon

This comment has been minimized.

Copy link
Author

chunibalon commented Dec 9, 2016

@szukw000
Hello, I have tested this patch and it works. But the line 116 should be 109 in your diff file ,otherwise, there is a syntax error. It may be a clerical error.
Thanks for your work.

@szukw000

This comment has been minimized.

Copy link
Contributor

szukw000 commented Dec 9, 2016

@chunibalon,
you are right.

So I do send a patch - but without this error.

winfried

@rouault

This comment has been minimized.

Copy link
Collaborator

rouault commented Aug 9, 2017

Has been fixed by #895

@rouault rouault closed this Aug 9, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.