Closed
Description
On master, I didn't try on 2.2.0:
# opj_compress -n 1 -i $FILE -o null.j2k
==159529==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fde59900160 at pc 0x000000450bef bp 0x7ffe7641f3c0 sp 0x7ffe7641eb70
WRITE of size 36 at 0x7fde59900160 thread T0
#0 0x450bee in scanf_common /var/tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.1/work/compiler-rt-4.0.1.src/lib/asan/../sanitizer_common/sanitizer_common_interceptors_format.inc:343
#1 0x451d20 in __interceptor___isoc99_vfscanf /var/tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.1/work/compiler-rt-4.0.1.src/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1265
#2 0x451e02 in __interceptor___isoc99_fscanf /var/tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.1/work/compiler-rt-4.0.1.src/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1282
#3 0x525417 in pgxtoimage /var/tmp/portage/media-libs/openjpeg-9999/work/openjpeg-9999/src/bin/jp2/convert.c:1188:9
#4 0x50b520 in main /var/tmp/portage/media-libs/openjpeg-9999/work/openjpeg-9999/src/bin/jp2/opj_compress.c:1831:21
#5 0x7fde5d0c1680 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r4/work/glibc-2.23/csu/../csu/libc-start.c:289
#6 0x41bc18 in _start (/usr/bin/opj_compress+0x41bc18)
Address 0x7fde59900160 is located in stack of thread T0 at offset 352 in frame
#0 0x52523f in pgxtoimage /var/tmp/portage/media-libs/openjpeg-9999/work/openjpeg-9999/src/bin/jp2/convert.c:1158
This frame has 16 object(s):
[32, 33) 'c1.i192'
[48, 49) 'c2.i193'
[64, 65) 'c3.i'
[80, 81) 'c4.i'
[96, 97) 'c1.i188'
[112, 113) 'c2.i'
[128, 129) 'c1.i183'
[144, 145) 'c1.i'
[160, 164) 'w'
[176, 180) 'h'
[192, 196) 'prec'
[208, 244) 'cmptparm'
[288, 289) 'endian1'
[304, 305) 'endian2'
[320, 352) 'signtmp'
[384, 416) 'temp' <== Memory access at offset 352 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /var/tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.1/work/compiler-rt-4.0.1.src/lib/asan/../sanitizer_common/sanitizer_common_interceptors_format.inc:343 in scanf_common
Shadow bytes around the buggy address:
0x0ffc4b317fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffc4b317fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffc4b317ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffc4b318000: f1 f1 f1 f1 01 f2 01 f2 01 f2 01 f2 01 f2 01 f2
0x0ffc4b318010: 01 f2 01 f2 04 f2 04 f2 04 f2 00 00 00 00 04 f2
=>0x0ffc4b318020: f2 f2 f2 f2 01 f2 01 f2 00 00 00 00[f2]f2 f2 f2
0x0ffc4b318030: 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00
0x0ffc4b318040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffc4b318050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffc4b318060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffc4b318070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==159529==ABORTING
Aborted
Testcase:
https://github.com/asarubbo/poc/blob/master/00327-openjpeg-stackoverflow-pgxtoimage
Can you confirm if it affects 2.2.0 too?
Metadata
Metadata
Assignees
Labels
No labels