Heap-buffer-overflow in opj_dwt_decode_1 #394

Closed
gcode-importer opened this issue Sep 17, 2014 · 9 comments

Comments

@gcode-importer

Originally reported on Google Code with ID 394

issue 414121: Heap-buffer-overflow in opj_dwt_decode_1
    http://code.google.com/p/chromium/issues/detail?id=414121

Reported by detonin on 2014-09-17 09:10:10

@gcode-importer

Reported by detonin on 2014-09-17 09:17:09

  • Labels added: OpjVersion-2.x

@gcode-importer

Reproduced on trunk r2885

./bin/opj_decompress -i ../../data/issue394/0.jp2 -o 0.bmp

[INFO] Start to read j2k main header (85).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
WARNING in tgt_create tree->numnodes == 0, no tree created.
WARNING: No incltree created.
.........
WARNING in tgt_create tree->numnodes == 0, no tree created.
WARNING: No imsbtree created.
[INFO] Header of tile 0 / 0 has been read.
=================================================================
==33694==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x01f031c8 at pc 0x00779e4a bp 0xbffb1208 sp 0xbffb1204
READ of size 4 at 0x01f031c8 thread T0
    #0 0x779e49 in opj_dwt_decode_1_ /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/dwt.c:313:29
    #1 0x776346 in opj_dwt_decode_1 /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/dwt.c:329:2
    #2 0x775f00 in opj_dwt_decode_tile /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/dwt.c:596:4
    #3 0x7759e0 in opj_dwt_decode /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/dwt.c:475:9
    #4 0x7e55e7 in opj_tcd_dwt_decode /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/tcd.c:1550:31
    #5 0x7e504b in opj_tcd_decode_tile /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/tcd.c:1242:20
    #6 0x791e17 in opj_j2k_decode_tile /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:7796:15
    #7 0x7a6597 in opj_j2k_decode_tiles /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:9305:23
    #8 0x78df27 in opj_j2k_exec /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:7187:41
    #9 0x7978b3 in opj_j2k_decode /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:9496:15
    #10 0x7adb7f in opj_jp2_decode /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/jp2.c:1300:8
    #11 0x7b8f63 in opj_decode /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/openjpeg.c:412:10
    #12 0x5186c in main /Users/Matt/Dev/OpenJpeg/issue391/src/bin/jp2/opj_decompress.c:821:10
    #13 0x94511700 in start (/usr/lib/system/libdyld.dylib+0x3700)
    #14 0x4 (<unknown module>)

0x01f031c8 is located 8 bytes to the left of 136-byte region [0x01f031d0,0x01f03258)
allocated by thread T0 here:
    #0 0x2b4dba in wrap_malloc (/Users/Matt/Dev/llvm-clang-3.5.0-macosx-apple-darwin/lib/clang/3.5.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x2fdba)
    #1 0x775be2 in opj_dwt_decode_tile /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/dwt.c:572:2
    #2 0x7759e0 in opj_dwt_decode /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/dwt.c:475:9
    #3 0x7e55e7 in opj_tcd_dwt_decode /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/tcd.c:1550:31
    #4 0x7e504b in opj_tcd_decode_tile /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/tcd.c:1242:20
    #5 0x791e17 in opj_j2k_decode_tile /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:7796:15
    #6 0x7a6597 in opj_j2k_decode_tiles /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:9305:23
    #7 0x78df27 in opj_j2k_exec /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:7187:41
    #8 0x7978b3 in opj_j2k_decode /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:9496:15
    #9 0x7adb7f in opj_jp2_decode /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/jp2.c:1300:8
    #10 0x7b8f63 in opj_decode /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/openjpeg.c:412:10
    #11 0x5186c in main /Users/Matt/Dev/OpenJpeg/issue391/src/bin/jp2/opj_decompress.c:821:10
    #12 0x94511700 in start (/usr/lib/system/libdyld.dylib+0x3700)
    #13 0x4 (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/dwt.c:313 opj_dwt_decode_1_
Shadow bytes around the buggy address:
  0x203e05e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x203e05f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x203e0600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x203e0610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x203e0620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x203e0630: fa fa fa fa fa fa fa fa fa[fa]00 00 00 00 00 00
  0x203e0640: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
  0x203e0650: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x203e0660: 00 00 00 00 04 fa fa fa fa fa fa fa fa fa 00 00
  0x203e0670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 fa
  0x203e0680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  ASan internal:           fe
==33694==ABORTING

Reported by mayeut on 2014-09-20 13:20:54


- _Attachment: [0.jp2](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-394/comment-2/0.jp2)_

@gcode-importer

opj_dwt_decode_1_(OPJ_INT32 *a, OPJ_INT32 dn, OPJ_INT32 sn, OPJ_INT32 cas) is called with dn=1, sn=0, cas=0

This leads to:
OPJ_D(0) += (OPJ_S_(0) + OPJ_S_(1)) >> 1;
which is equivalent to
OPJ_D(0) += (OPJ_S(-1) + OPJ_S(-1)) >> 1;

Reported by mayeut on 2014-09-22 10:43:22
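The degenerate call described in the comment above, worked through as an added example. This is editor-supplied code, not OpenJPEG's dwt.c: it models the cas == 0 branch of opj_dwt_decode_1_ with every access bounds-checked, so it reports the index the 5/3 inverse lifting would read instead of faulting on it. It assumes the interleaved layout (a[2*i] is S(i), a[2*i+1] is D(i)) and the OPJ_S_/OPJ_D_ clamping (i < 0 maps to index 0, i >= n maps to index n-1) as they appear in the comment and in OpenJPEG 2.x dwt.c of that time; the buffers are constructed, not taken from the attached 0.jp2.

```c
/*
 * Added example (editor-supplied, not OpenJPEG's dwt.c): a bounds-checked
 * model of the cas == 0 branch of opj_dwt_decode_1_ that reports which
 * index the 5/3 inverse lifting would read instead of dereferencing it.
 *
 * Assumed layout and clamping, as in the comment above: a[2*i] is the
 * low-pass sample S(i), a[2*i+1] is the high-pass sample D(i); OPJ_S_(i)
 * maps i < 0 to S(0) and i >= sn to S(sn-1), OPJ_D_ does the same with dn.
 * With sn == 0 the "clamped" S index is S(-1) == a[-2]: two OPJ_INT32
 * before the allocation, the 8-byte left overflow ASan reports.
 */
#include <stdio.h>

static long s_idx(long i) { return 2 * i; }
static long d_idx(long i) { return 2 * i + 1; }

/* OPJ_S_ / OPJ_D_ clamping; yields index -2 / -1 when sn / dn is 0. */
static long s_clamped(long i, long sn) { return s_idx(i < 0 ? 0 : (i >= sn ? sn - 1 : i)); }
static long d_clamped(long i, long dn) { return d_idx(i < 0 ? 0 : (i >= dn ? dn - 1 : i)); }

static int in_range(const long *idx, int n, long len, long *bad) {
    int k;
    for (k = 0; k < n; k++)
        if (idx[k] < 0 || idx[k] >= len) { *bad = idx[k]; return 0; }
    return 1;
}

/* Dry run of the lifting step: returns 1 and sets *bad to the first index
 * outside [0, len) the step would touch, 0 if every access is in range. */
int lift53_find_oob(long dn, long sn, long len, long *bad) {
    long i;
    if (!(dn > 0 || sn > 1)) return 0;   /* same one-element shortcut as dwt.c */
    for (i = 0; i < sn; i++) {
        long idx[3] = { s_idx(i), d_clamped(i - 1, dn), d_clamped(i, dn) };
        if (!in_range(idx, 3, len, bad)) return 1;
    }
    for (i = 0; i < dn; i++) {
        long idx[3] = { d_idx(i), s_clamped(i, sn), s_clamped(i + 1, sn) };
        if (!in_range(idx, 3, len, bad)) return 1;
    }
    return 0;
}

/* Inverse 5/3 lifting (cas == 0) over len ints, refusing to run if any
 * access would leave the buffer. Returns 0 on success, -1 with *bad set
 * (buffer untouched) otherwise. */
int lift53_inverse_checked(int *a, long len, long dn, long sn, long *bad) {
    long i;
    if (lift53_find_oob(dn, sn, len, bad)) return -1;
    if (!(dn > 0 || sn > 1)) return 0;
    for (i = 0; i < sn; i++)
        a[s_idx(i)] -= (a[d_clamped(i - 1, dn)] + a[d_clamped(i, dn)] + 2) >> 2;
    for (i = 0; i < dn; i++)
        a[d_idx(i)] += (a[s_clamped(i, sn)] + a[s_clamped(i + 1, sn)]) >> 1;
    return 0;
}

/* The parameters from the report (dn=1, sn=0, cas=0) on a constructed
 * two-int buffer: returns the offending index, -2 (8 bytes to the left). */
long issue394_bad_index(void) {
    int a[2] = { 0, 0 };
    long bad = 0;
    return lift53_inverse_checked(a, 2, 1, 0, &bad) == 0 ? 0 : bad;
}

/* Well-formed case for contrast: constructed S=(10,20), D=(0,0), dn=sn=2.
 * Fills out[] with the reconstructed samples and returns 0. */
int demo_reconstruct(int out[4]) {
    int a[4] = { 10, 0, 20, 0 };
    long bad = 0;
    int k;
    if (lift53_inverse_checked(a, 4, 2, 2, &bad) != 0) return -1;
    for (k = 0; k < 4; k++) out[k] = a[k];
    return 0;
}

int main(void) {
    int out[4];
    printf("dn=1 sn=0 cas=0: first out-of-range index = %ld\n", issue394_bad_index());
    if (demo_reconstruct(out) == 0)
        printf("dn=2 sn=2: %d %d %d %d\n", out[0], out[1], out[2], out[3]);
    return 0;
}
```

The dry run is separate from the arithmetic so a caller can reject a band geometry before any sample is touched; whether sn=0, dn=1, cas=0 should be rejected outright or treated as a one-element band is a decision for the decoder, which this example does not make.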

@gcode-importer

+ cc Bo Xu from Foxit ... so that you can follow what happens on these issues.

Reported by detonin on 2014-09-28 21:18:37

@gcode-importer

kdu_expand -i ../../data/issue394/0.jp2 -o 0.bmp

Consumed 1 tile-part(s) from a total of 1 tile(s).
Consumed 1,905 codestream bytes (excluding any file format) = 13.183391 bits/pel.
Processed using the multi-threaded environment, with
    2 parallel threads of execution

Reported by mayeut on 2014-09-30 19:50:59


- _Attachment: [0.bmp](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-394/comment-5/0.bmp)_

@gcode-importer

@antonin,

Seems that it could be related to qcd/qcc step sizes that are different. The length of qcd/qcc
is not what it should usually be...
ISO 15444-1 states it should usually be 4 + 3 * levels, but a note says it can be truncated.
I don't know how this is/should be handled.

I'm out of my league here...

Reported by mayeut on 2014-10-24 20:49:48
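A checker for the mismatch the comment above suspects, as an added example; this is editor-supplied code, not OpenJPEG's j2k.c. It reads the decomposition level count NL from a COD marker segment and reports how many sub-band step sizes a QCD segment leaves without an explicit value, so a decoder can decide whether to reject a truncated segment or fall back. The marker layouts (QCD: Lqcd, Sqcd with the quantization style in its low 5 bits, then SPqcd values; COD: Lcod, Scod, 4-byte SGcod, then SPcod starting with NL) and the nominal lengths (4 + 3*NL for no quantization, 5 for scalar derived, 5 + 6*NL for scalar expounded) follow ISO/IEC 15444-1 Annex A as the editor understands it and should be verified against the spec; the segments are constructed here, not taken from the attached 0.jp2.

```c
/*
 * Added example (editor-supplied, not OpenJPEG code): check a QCD marker
 * segment's length against the decomposition level count carried in COD.
 * Layout per ISO/IEC 15444-1 Annex A (assumption, verify against the spec):
 * QCD = FF5C, then Lqcd (2 bytes, counts itself), Sqcd (1 byte: guard bits
 * in the top 3 bits, quantization style in the low 5), then SPqcd values;
 * COD = FF52, then Lcod (2), Scod (1), SGcod (4), SPcod starting with NL (1).
 * Nominal Lqcd: no quantization 4 + 3*NL (one byte per sub-band), scalar
 * derived 5, scalar expounded 5 + 6*NL (two bytes per sub-band).
 * Segments here start at the length field, i.e. just after the marker.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Nominal Lqcd for a style byte and NL levels; -1 for a reserved style. */
int qcd_expected_length(uint8_t sqcd, int nl) {
    switch (sqcd & 0x1f) {
    case 0:  return 4 + 3 * nl;
    case 1:  return 5;
    case 2:  return 5 + 6 * nl;
    default: return -1;
    }
}

/* NL from a COD segment (byte 7 counting from Lcod); -1 if too short. */
int cod_levels(const uint8_t *seg, size_t seg_len) {
    size_t lcod;
    if (seg_len < 8) return -1;
    lcod = ((size_t)seg[0] << 8) | seg[1];
    if (lcod < 8 || lcod > seg_len) return -1;
    return seg[7];
}

/* Sub-bands (3*NL+1 for the band-wise styles) left without an explicit step
 * size by a short QCD: 0 when complete, -1 if the segment is malformed. */
int qcd_missing_bands(const uint8_t *seg, size_t seg_len, int nl) {
    size_t lqcd, per, entries, needed;
    if (nl < 0 || seg_len < 3) return -1;
    lqcd = ((size_t)seg[0] << 8) | seg[1];
    if (lqcd < 3 || lqcd > seg_len) return -1;   /* Lqcd must fit the buffer */
    switch (seg[2] & 0x1f) {
    case 0:  per = 1; break;
    case 1:  return lqcd >= 5 ? 0 : -1;          /* one value, rest derived */
    case 2:  per = 2; break;
    default: return -1;
    }
    entries = (lqcd - 3) / per;
    needed  = 3 * (size_t)nl + 1;
    return entries >= needed ? 0 : (int)(needed - entries);
}

/* Constructed segments (not from the attached 0.jp2). */
static const uint8_t COD_NL5[12] = {
    0x00, 0x0C,                   /* Lcod = 12 */
    0x00,                         /* Scod: default precincts */
    0x00, 0x00, 0x01, 0x00,       /* SGcod: LRCP, 1 layer, no MCT */
    0x05, 0x04, 0x04, 0x00, 0x01  /* SPcod: NL=5, 64x64 cblk, 5/3 reversible */
};
static const uint8_t QCD_FULL[19] = {
    0x00, 0x13, 0x40,             /* Lqcd = 19, Sqcd: 2 guard bits, no quantization */
    0x40, 0x40, 0x40, 0x40, 0x40, 0x40, 0x40, 0x40,
    0x40, 0x40, 0x40, 0x40, 0x40, 0x40, 0x40, 0x40  /* 3*5+1 = 16 exponents */
};
static const uint8_t QCD_SHORT[7] = {
    0x00, 0x07, 0x40,             /* Lqcd = 7: only 4 of the 16 exponents */
    0x40, 0x40, 0x40, 0x40
};

/* Wrappers for the two constructed cases. */
int demo_missing_full(void)  { return qcd_missing_bands(QCD_FULL,  sizeof QCD_FULL,  cod_levels(COD_NL5, sizeof COD_NL5)); }
int demo_missing_short(void) { return qcd_missing_bands(QCD_SHORT, sizeof QCD_SHORT, cod_levels(COD_NL5, sizeof COD_NL5)); }

int main(void) {
    int nl = cod_levels(COD_NL5, sizeof COD_NL5);
    printf("NL=%d, nominal Lqcd=%d\n", nl, qcd_expected_length(QCD_FULL[2], nl));
    printf("full QCD: %d bands missing; short QCD: %d bands missing\n",
           demo_missing_full(), demo_missing_short());
    return 0;
}
```

The same check applies to a QCC segment once its component index byte(s) are skipped, and to a tile-part COD/QCD overriding the main header; what to do with the missing bands (reject, or reuse the last value) is policy the caller sets.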

@gcode-importer

Any update on this issue?

Reported by [email protected] on 2014-10-29 17:08:01

@gcode-importer

@bo: this has still to be investigated in light of comment #6

Reported by detonin on 2014-10-30 11:54:43

@gcode-importer

@antonin, any update on this issue? Thanks!

Reported by [email protected] on 2014-12-20 00:50:46
