Heap buffer overflow read in openjpeg imagetopnm #970

Closed
Javantea opened this issue Jul 15, 2017 · 1 comment
@Javantea

During fuzzing valgrind found a heap buffer overflow read.

On line 1885 of openjpeg-2.1.2/src/bin/jp2/convert.c
imagetopnm:
v = *alpha++;

On line 8231 of openjpeg-2.1.2/src/lib/openjp2/j2k.c
opj_j2k_update_image_data:
l_img_comp_dest->data = (OPJ_INT32*) opj_calloc(l_width * l_height, sizeof(OPJ_INT32));

l_width is taken from l_img_comp_dest->w. This is not the same value used in imagetopnm to read the components.
As you can see in imagetopnm, the width and height of the first field are used:
wr = (int)image->comps[0].w; hr = (int)image->comps[0].h;

valgrind -v opj_decompress -i crashers/jp2/fuzzfile0kqh22_c.jp2 -o crashers/jp2/fuzzfile0kqh22_c.jp2.ppm
...
[INFO] Generated Outfile crashers/jp2/fuzzfile0kqh22_c.jp2.ppm
decode time: 101 ms
==22774== 
==22774== HEAP SUMMARY:
==22774==     in use at exit: 0 bytes in 0 blocks
==22774==   total heap usage: 116 allocs, 116 frees, 1,139,582 bytes allocated
==22774== 
==22774== All heap blocks were freed -- no leaks are possible
==22774== 
==22774== ERROR SUMMARY: 90 errors from 1 contexts (suppressed: 0 from 0)
==22774== 
==22774== 90 errors in context 1 of 1:
==22774== Invalid read of size 4
==22774==    at 0x409BF9: imagetopnm (convert.c:1885)
==22774==    by 0x404377: main (opj_decompress.c:1467)
==22774==  Address 0x67eba88 is 0 bytes after a block of size 40 alloc'd
==22774==    at 0x4C2CF25: calloc (vg_replace_malloc.c:711)
==22774==    by 0x4E45C6F: opj_j2k_update_image_data.isra.7 (j2k.c:8231)
==22774==    by 0x4E4C472: opj_j2k_decode_tiles (j2k.c:9778)
==22774==    by 0x4E44A33: opj_j2k_exec (j2k.c:7354)
==22774==    by 0x4E4DBF6: opj_j2k_decode (j2k.c:9969)
==22774==    by 0x4E517B3: opj_jp2_decode (jp2.c:1502)
==22774==    by 0x403723: main (opj_decompress.c:1332)
==22774== 
==22774== ERROR SUMMARY: 90 errors from 1 contexts (suppressed: 0 from 0)

The fuzzer that found this issue is open source and available here along with the file that caused the issue:
https://www.altsci.com/jrsfuzz/

This file doesn't affect opj_decompress when converting to png, bmp, raw, and pgm because they either parse the file correctly or they error:
[ERROR] Error generating png file. Outfile crashers/jp2/fuzzfile0kqh22_c.jp2.png not generated

@szukw000 (Contributor)

@Javantea,
the library should ignore this image:

[2]marker(0xff51)
read_siz len(50)
capabilities(0)[extended: 0]
x(0 : 10) y(0 : 10)
xt(0 : 10) yt(0 : 10)
IMAGE w(10) h(10) TILE w(10) h(10)
nr_components(4)
component[0] signed(0) prec(8) hsep(1) vsep(1)
component[1] signed(0) prec(8) hsep(1) vsep(1)
component[2] signed(0) prec(8) hsep(1) vsep(1)
component[3] signed(0) prec(8) hsep(195) vsep(1)

All values should be the same. The fuzzer has changed the value for the
last component.

winfried
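A defensive pre-check of the kind a PNM writer needs, as an added example that ties the two posts together (it is not OpenJPEG's own code): it derives each component's extent from the SIZ values quoted above and reports whether a writer that loops comps[0].w * comps[0].h times over every component's buffer stays in bounds. comp_t, image_t, comp_extent, pnm_components_compatible, pnm_overread_samples and demo_fuzzed_image are all constructed names, and the structs are a simplified stand-in for opj_image_comp_t / opj_image_t.

```c
/* Added example, not OpenJPEG's own code. comp_t/image_t are a constructed,
 * simplified stand-in for opj_image_comp_t / opj_image_t. */
#include <stdint.h>
typedef struct {
    uint32_t dx, dy;      /* subsampling factors (hsep/vsep in the SIZ dump) */
    uint32_t w, h;        /* per-component size; the codec allocates w*h samples */
    uint32_t prec, sgnd;
} comp_t;
typedef struct { uint32_t numcomps; comp_t *comps; } image_t;
/* Component extent as the codec derives it from SIZ: ceil(a1/d) - ceil(a0/d). */
uint32_t comp_extent(uint32_t a0, uint32_t a1, uint32_t d)
{
    return (a1 + d - 1) / d - (a0 + d - 1) / d;
}
/* 1 if every component matches comps[0] in the fields a PNM writer relies on;
 * a loop of comps[0].w*h reads over each comps[i] is only in bounds then. */
int pnm_components_compatible(const image_t *img)
{
    uint32_t i;
    if (!img || img->numcomps == 0 || !img->comps) return 0;
    for (i = 1; i < img->numcomps; i++) {
        const comp_t *c0 = &img->comps[0], *c = &img->comps[i];
        if (c->dx != c0->dx || c->dy != c0->dy || c->w != c0->w ||
            c->h != c0->h || c->prec != c0->prec || c->sgnd != c0->sgnd)
            return 0;
    }
    return 1;
}
/* Samples the writer would read past the end of comps[idx] (<= 0 means safe). */
long pnm_overread_samples(const image_t *img, uint32_t idx)
{
    const comp_t *c0 = &img->comps[0], *c = &img->comps[idx];
    return (long)c0->w * c0->h - (long)c->w * c->h;
}

/* Constructed from the SIZ dump in the thread: 10x10 image, four 8-bit
 * unsigned components, the last with hsep 195 as the fuzzer left it. */
static comp_t g_comps[4];
static image_t g_img = { 4, g_comps };
const image_t *demo_fuzzed_image(void)
{
    uint32_t i;
    for (i = 0; i < 4; i++) {
        comp_t *c = &g_comps[i];
        c->dx = (i == 3) ? 195 : 1;  c->dy = 1;  c->prec = 8;  c->sgnd = 0;
        c->w = comp_extent(0, 10, c->dx);
        c->h = comp_extent(0, 10, c->dy);
    }
    return &g_img;
}
```

On the fuzzed SIZ values the last component comes out as 1 x 10 samples (the 40-byte block valgrind reports) while the writer's loop reads 100, so 90 samples are over-read, matching the 90 invalid reads in the valgrind output above.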

rouault added a commit that referenced this issue Jul 29, 2017
…er components to avoid read heap buffer overflow (#970)
@rouault rouault closed this as completed Jul 29, 2017
rouault added a commit that referenced this issue Jul 29, 2017
@detonin detonin added the bug label Aug 3, 2017