Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Out of bound read in opj_j2k_add_mct #907

Closed
Miladbr opened this issue Mar 28, 2017 · 1 comment
Closed

Out of bound read in opj_j2k_add_mct #907

Miladbr opened this issue Mar 28, 2017 · 1 comment
Labels
bug

Comments

@Miladbr
Copy link

Miladbr commented Mar 28, 2017

Out of bound read in opj_j2k_add_mct (openjpeg/src/lib/openjp2/j2k.c:5777) cause a segfault.

$ ./build/bin/opj_dump -i ~/crashes/1 -o /dev/null 

===========================================
The extension of this file is incorrect.
FOUND _mct. SHOULD BE .j2k or .jpc or .j2c
===========================================

[INFO] Start to read j2k main header (0).
[WARNING] Cannot take in charge multiple MCT markers
[WARNING] Cannot take in charge multiple MCT markers
[WARNING] Cannot take in charge multiple MCT markers
[WARNING] Cannot take in charge multiple MCT markers
[WARNING] Cannot take in charge multiple MCT markers
[WARNING] Cannot take in charge multiple MCT markers
[WARNING] Cannot take in charge multiple MCT markers
[WARNING] Cannot take in charge multiple MCT markers
[WARNING] Cannot take in charge multiple MCT markers
[WARNING] Cannot take in charge multiple MCT markers
[WARNING] Cannot take in charge multiple MCT markers
[WARNING] Cannot take in charge collections with indix shuffle
[1]    19813 segmentation fault  ./build/bin/opj_dump -i ~/crashes/1 -o /dev/null

gdb-peda$ list
5772	        }
5773	
5774	        l_deco_array = l_mcc_record->m_decorrelation_array;
5775	
5776	        if (l_deco_array) {
5777	                l_data_size = MCT_ELEMENT_SIZE[l_deco_array->m_element_type] * p_image->numcomps * p_image->numcomps;
5778	                if (l_deco_array->m_data_size != l_data_size) {
5779	                        return OPJ_FALSE;
5780	                }
5781	

gdb-peda$ p MCT_ELEMENT_SIZE[l_deco_array->m_element_type]
Cannot access memory at address 0x3dbb1cab0

Backtrace:

gdb-peda$ bt
#0  0x000000000044cf2a in opj_j2k_add_mct (p_image=0x6d8c80, p_tcp=<optimized out>, p_index=<optimized out>)
    at /home/mbr/fuzzing/pkg-source/openjpeg/src/lib/openjp2/j2k.c:5777
#1  opj_j2k_read_mco (p_j2k=<optimized out>, p_header_data=<optimized out>, p_header_size=<optimized out>, p_manager=<optimized out>)
    at /home/mbr/fuzzing/pkg-source/openjpeg/src/lib/openjp2/j2k.c:5735
#2  0x00000000004449bd in opj_j2k_read_header_procedure (p_j2k=<optimized out>, p_stream=<optimized out>, p_manager=<optimized out>)
    at /home/mbr/fuzzing/pkg-source/openjpeg/src/lib/openjp2/j2k.c:7321
#3  0x000000000043885f in opj_j2k_exec (p_j2k=0x6d65c0, p_procedure_list=<optimized out>, p_stream=0x6d5470, p_manager=0x6d6558)
    at /home/mbr/fuzzing/pkg-source/openjpeg/src/lib/openjp2/j2k.c:7394
#4  opj_j2k_read_header (p_stream=<optimized out>, p_j2k=<optimized out>, p_image=<optimized out>, p_manager=<optimized out>)
    at /home/mbr/fuzzing/pkg-source/openjpeg/src/lib/openjp2/j2k.c:6872
#5  0x0000000000431a1b in opj_read_header (p_stream=0x6d8c80, p_codec=0x0, p_image=0x6c4d80 <__afl_area_initial>)
    at /home/mbr/fuzzing/pkg-source/openjpeg/src/lib/openjp2/openjpeg.c:409
#6  0x0000000000407a01 in main (argc=<optimized out>, argv=<optimized out>, argv@entry=0x7fffffffe458)
    at /home/mbr/fuzzing/pkg-source/openjpeg/src/bin/jp2/opj_dump.c:564
#7  0x00007ffff69f6830 in __libc_start_main (main=0x406a00 <main>, argc=0x5, argv=0x7fffffffe458, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, 
    stack_end=0x7fffffffe448) at ../csu/libc-start.c:291
#8  0x0000000000406929 in _start ()

PoC:

https://github.com/Miladbr/public-poc/blob/master/openjpeg/1
@rouault
Copy link
Collaborator

rouault commented Jul 29, 2017

Cannot reproduce with current master. I believe this was fixed per c5bf5ef

@rouault rouault closed this as completed Jul 29, 2017
@detonin detonin added the bug label Aug 3, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@detonin @rouault @Miladbr