Heap-buffer-overflow in opj_t2_read_packet_header #395

Closed
gcode-importer opened this issue Sep 17, 2014 · 10 comments

Originally reported on Google Code with ID 395

issue 414182: Heap-buffer-overflow in opj_t2_read_packet_header
    http://code.google.com/p/chromium/issues/detail?id=414182

Reported by detonin on 2014-09-17 09:10:34


Reported by detonin on 2014-09-17 09:17:09

  • Labels added: OpjVersion-2.x


Reproduced on trunk r2885

./bin/opj_decompress -i ../../data/issue395/0.jp2 -o 0.bmp

[INFO] Start to read j2k main header (119).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Header of tile 0 / 1 has been read.
=================================================================
==33701==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x01e0063f at pc
0x007d7033 bp 0xbffb40b8 sp 0xbffb40b4
READ of size 1 at 0x01e0063f thread T0
    #0 0x7d7032 in opj_t2_read_packet_header /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/t2.c:925:36
    #1 0x7d5038 in opj_t2_decode_packet /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/t2.c:512:15
    #2 0x7d4a28 in opj_t2_decode_packets /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/t2.c:399:39
    #3 0x7e5203 in opj_tcd_t2_decode /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/tcd.c:1479:15
    #4 0x7e502f in opj_tcd_decode_tile /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/tcd.c:1222:15
    #5 0x791e17 in opj_j2k_decode_tile /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:7796:15
    #6 0x7a6597 in opj_j2k_decode_tiles /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:9305:23
    #7 0x78df27 in opj_j2k_exec /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:7187:41
    #8 0x7978b3 in opj_j2k_decode /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:9496:15
    #9 0x7adb7f in opj_jp2_decode /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/jp2.c:1300:8
    #10 0x7b8f63 in opj_decode /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/openjpeg.c:412:10
    #11 0x4e86c in main /Users/Matt/Dev/OpenJpeg/issue391/src/bin/jp2/opj_decompress.c:821:10
    #12 0x94511700 in start (/usr/lib/system/libdyld.dylib+0x3700)
    #13 0x4 (<unknown module>)

0x01e0063f is located 0 bytes to the right of 15-byte region [0x01e00630,0x01e0063f)
allocated by thread T0 here:
    #0 0x2b330a in wrap_calloc (/Users/Matt/Dev/llvm-clang-3.5.0-macosx-apple-darwin/lib/clang/3.5.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x3030a)
    #1 0x7845c0 in opj_j2k_read_ppt /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:3805:50
    #2 0x78f75f in opj_j2k_read_tile_header /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:7641:31
    #3 0x7a6467 in opj_j2k_decode_tiles /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:9277:23
    #4 0x78df27 in opj_j2k_exec /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:7187:41
    #5 0x7978b3 in opj_j2k_decode /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:9496:15
    #6 0x7adb7f in opj_jp2_decode /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/jp2.c:1300:8
    #7 0x7b8f63 in opj_decode /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/openjpeg.c:412:10
    #8 0x4e86c in main /Users/Matt/Dev/OpenJpeg/issue391/src/bin/jp2/opj_decompress.c:821:10
    #9 0x94511700 in start (/usr/lib/system/libdyld.dylib+0x3700)
    #10 0x4 (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/t2.c:925
opj_t2_read_packet_header
Shadow bytes around the buggy address:
  0x203c0070: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x203c0080: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x203c0090: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x203c00a0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x203c00b0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
=>0x203c00c0: fa fa 00 00 fa fa 00[07]fa fa fd fd fa fa 04 fa
  0x203c00d0: fa fa 00 fa fa fa 04 fa fa fa 00 04 fa fa 00 04
  0x203c00e0: fa fa 00 04 fa fa 00 04 fa fa 04 fa fa fa 00 fa
  0x203c00f0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa fd fa
  0x203c0100: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x203c0110: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  ASan internal:           fe
==33701==ABORTING

Reported by mayeut on 2014-09-20 13:22:19


- _Attachment: [0.jp2](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-395/comment-2/0.jp2)_


Corrected by patch provided in Issue 389

No more ASAN errors

./bin/opj_decompress -i ../../data/issue395/0.jp2 -o 0.bmp

[INFO] Start to read j2k main header (119).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Header of tile 0 / 1 has been read.
Not enough space for expected EPH marker
Expected SOP marker
Error : expected SOP marker
Not enough space for expected EPH marker
Expected SOP marker
Error : expected SOP marker
Not enough space for expected EPH marker
.........
Expected SOP marker
Error : expected SOP marker
Not enough space for expected EPH marker
Expected SOP marker
Error : expected SOP marker
Not enough space for expected EPH marker
[ERROR] Stream too short, expected SOT
[ERROR] Failed to decode tile 1/2
[ERROR] Failed to decode the codestream in the JP2 file
ERROR -> opj_decompress: failed to decode image!

Reported by mayeut on 2014-09-20 13:33:35
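
The over-read in the ASan report above (a 1-byte READ landing 0 bytes past a 15-byte region allocated in opj_j2k_read_ppt) and the "Not enough space for expected EPH marker" path in the patched run are the same check seen from both sides. As an added illustration that is not OpenJPEG's code, the following C program models a reader over a buffer of packed packet headers in an unchecked form and a bounds-checked form. The header layout, the function names (pph_read_header_unchecked, pph_read_header_checked, pph_parse_all_checked) and the sample byte arrays are all constructed for this example; only the EPH marker value FF 92 comes from the JPEG 2000 standard.

```c
/* Added example, not OpenJPEG code: a simplified reader for a buffer of packed
 * packet headers (the kind of buffer opj_j2k_read_ppt allocates), once without
 * bounds checks and once with them. The header layout is a constructed toy
 * format, not JPEG 2000's real packet-header coding. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EPH_HI 0xFF          /* EPH marker is FF 92 in JPEG 2000 */
#define EPH_LO 0x92

enum { PPH_OK = 0, PPH_ERR_TRUNCATED = -1, PPH_ERR_BAD_EPH = -2 };

typedef struct { const uint8_t *buf; size_t len; size_t pos; } pph_stream;
typedef struct { size_t count; int status; } pph_summary;

/* Toy layout per header: [1 byte body length n][n body bytes][EPH FF 92 if enabled] */

/* UNCHECKED: the bug pattern from the ASan report. Trusts the length byte and
 * reads the EPH marker without verifying that two bytes remain, so a header
 * whose body ends exactly at the end of the allocation reads past it. */
static int pph_read_header_unchecked(pph_stream *s, int use_eph)
{
    uint8_t n = s->buf[s->pos++];
    s->pos += n;
    if (use_eph) {
        /* out-of-bounds read when pos == len, exactly as in the report */
        if (s->buf[s->pos] != EPH_HI || s->buf[s->pos + 1] != EPH_LO)
            return PPH_ERR_BAD_EPH;
        s->pos += 2;
    }
    return PPH_OK;
}

/* CHECKED: every read is preceded by a remaining-length test, so a truncated
 * buffer yields an error instead of an over-read. Invariant: pos <= len. */
static int pph_read_header_checked(pph_stream *s, int use_eph)
{
    size_t remaining = s->len - s->pos;
    if (remaining < 1) return PPH_ERR_TRUNCATED;
    uint8_t n = s->buf[s->pos];
    if (remaining - 1 < n) return PPH_ERR_TRUNCATED;      /* body would run past the end */
    s->pos += 1 + (size_t)n;
    if (use_eph) {
        if (s->len - s->pos < 2) return PPH_ERR_TRUNCATED; /* not enough space for EPH */
        if (s->buf[s->pos] != EPH_HI || s->buf[s->pos + 1] != EPH_LO)
            return PPH_ERR_BAD_EPH;
        s->pos += 2;
    }
    return PPH_OK;
}

/* Parse headers with the checked reader until the buffer is consumed or an
 * error stops parsing; returns how many complete headers were read and why
 * parsing stopped (PPH_OK when the buffer was consumed exactly). */
static pph_summary pph_parse_all_checked(const uint8_t *buf, size_t len, int use_eph)
{
    pph_stream s = { buf, len, 0 };
    pph_summary r = { 0, PPH_OK };
    while (s.pos < s.len) {
        r.status = pph_read_header_checked(&s, use_eph);
        if (r.status != PPH_OK) break;
        r.count++;
    }
    return r;
}

/* Constructed inputs. kTruncated is 15 bytes, like the region in the report:
 * the third header's body ends exactly at the end, leaving no room for its EPH. */
static const uint8_t kGood[] = { 0x02, 0xAA, 0xBB, 0xFF, 0x92,  0x00, 0xFF, 0x92 };
static const uint8_t kTruncated[] = { 0x02, 0xAA, 0xBB, 0xFF, 0x92,
                                      0x02, 0xCC, 0xDD, 0xFF, 0x92,
                                      0x04, 0x11, 0x22, 0x33, 0x44 };
static const uint8_t kBadLength[] = { 0x05, 0xAA };   /* claims 5 body bytes, has 1 */

int main(int argc, char **argv)
{
    (void)argv;
    pph_summary r = pph_parse_all_checked(kTruncated, sizeof kTruncated, 1);
    printf("checked: %zu headers, status %d\n", r.count, r.status);

    /* Run with any argument after building with -fsanitize=address to reproduce
     * a "0 bytes to the right of 15-byte region" read on an exactly-sized heap buffer. */
    if (argc > 1) {
        uint8_t *heap = malloc(sizeof kTruncated);
        if (!heap) return 1;
        memcpy(heap, kTruncated, sizeof kTruncated);
        pph_stream s = { heap, sizeof kTruncated, 0 };
        while (s.pos < s.len && pph_read_header_unchecked(&s, 1) == PPH_OK) {}
        free(heap);
    }
    return 0;
}
```

The checked reader stops on kTruncated after two headers with PPH_ERR_TRUNCATED, which is the same outcome as the patched opj_decompress run above: a decode error rather than a read past the PPT buffer. The unchecked path is gated behind a command-line argument because, without ASan, the over-read is silent.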


Antonin,

Could you please review & apply patch from Issue 389

Reported by mayeut on 2014-09-27 13:22:50

  • Status changed: Verified


+ cc Bo Xu from Foxit 

... so that you can follow what happens on these issues.

Reported by detonin on 2014-09-28 21:18:37


Issue 396 has been merged into this issue.

Reported by mayeut on 2014-09-29 08:42:21


kdu_expand -i ../../data/issue395/0.jp2 -o 0.bmp
Kakadu Core Error:
Illegal component index supplied in call to `kdu_codesteram::get_dims'.

Reported by mayeut on 2014-09-29 20:13:59


updated by r2888

Need to be validated with ASan and pdfium

Reported by detonin on 2014-09-30 09:40:35


Update PDFium to r2891 and one is fixed:)

Reported by [email protected] on 2014-09-30 17:25:45


Reported by detonin on 2014-10-01 10:06:46

  • Status changed: Fixed
