Heap-buffer-overflow in opj_tcd_get_decoded_tile_size #408

Closed
gcode-importer opened this issue Oct 1, 2014 · 5 comments


Originally reported on Google Code with ID 408

https://code.google.com/p/chromium/issues/detail?id=418976

VULNERABILITY DETAILS
The attached testcase crashes pdfium_test as follows:

=================================================================
==30003==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e748 at pc 0x000000749735 bp 0x7fff443a35e0 sp 0x7fff443a35d8
READ of size 4 at 0x60200000e748 thread T0
    #0 0x749734 in opj_tcd_get_decoded_tile_size /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/tcd.c:1101:17
    #1 0x72eb50 in opj_j2k_read_tile_header /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/j2k.c:7622:24
    #2 0x73835d in opj_j2k_decode_tiles /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/j2k.c:9149:23
    #3 0x72ccd1 in opj_j2k_exec /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/j2k.c:7048:41
    #4 0x7354a0 in opj_j2k_decode /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/j2k.c:9368:15
    #5 0x650ae9 in opj_jp2_decode /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/jp2.c:1332:8
    #6 0x64808a in CJPX_Decoder::Init(unsigned char const*, int) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:624:15
    #7 0x649980 in CCodec_JpxModule::CreateDecoder(unsigned char const*, unsigned int, int) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:764:10
    #8 0x5d5f41 in CPDF_DIBSource::LoadJpxBitmap() /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:643:21
    #9 0x5d1bab in CPDF_DIBSource::CreateDecoder() /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:599:9
    #10 0x5cea18 in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:335:15
    #11 0x5c13fd in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:310:15
    #12 0x5c1123 in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:131:15
    #13 0x5ddb20 in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1489:15
    #14 0x5de543 in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1549:19
    #15 0x5c5db9 in CPDF_ImageRenderer::StartLoadDIBSource() /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:371:9
    #16 0x5c258d in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:525:9
    #17 0x5b81f6 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:350:14
    #18 0x5be755 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1175:21
    #19 0x4aaa58 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/fpdfsdk/src/fpdfview.cpp:789:2
    #20 0x4aadf0 in FPDF_RenderPageBitmap /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/fpdfsdk/src/fpdfview.cpp:586:2
    #21 0x4a6875 in RenderPdf(char const*, char const*, unsigned long, OutputFormat) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/samples/pdfium_test.cc:324:5
    #22 0x4a7329 in main /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/samples/pdfium_test.cc:406:7
    #23 0x7f5852b18ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
    #24 0x42299c in _start ??:0:0

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
==30003==ABORTING


VERSION
Chrome Version: latest asan build of pdfium_test

REPRODUCTION CASE
attached as repro.pdf

Reported by detonin on 2014-10-01 19:43:26


- _Attachment: [repro1.pdf](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-408/comment-0/repro1.pdf)_

kdu_expand -i ../../data/issue408/0.jp2 -o 0.bmp
Kakadu Core Error:
Illegal `Ckernels' value found while finalizing a COD/COC marker segment. 
Reversible processes must use the W5X3 kernel, while irreversible processes
must use the W9X7 kernel, unless you have explicitly identified a different
(Part-2) kernel, via the `Catk' attribute.

Reported by mayeut on 2014-10-01 21:10:12


Reported by mayeut on 2014-10-01 21:10:40


- _Attachment: [0.jp2](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-408/comment-2/0.jp2)_


The final committee draft for JPEG 2000 (http://www.jpeg.org/public/fcd15444-1.pdf, the only publicly available document to my knowledge) states that a COD marker is required in the codestream main header.
I don't know if this is still the case in later revisions of the document.

If someone could check on this?


If this is still the case then the patch attached will resolve the issue. It's been tested against the test suite with 1 regression: NR-1888.pdf.asan.35.988.jp2-dump
Before patch:
opj_dump ....
[INFO] Start to read j2k main header (111).
[INFO] Main header has been correctly decoded.

After patch:
[INFO] Start to read j2k main header (111).
[ERROR] COD marker not found in main header
ERROR -> opj_dump: failed to read the header


Trying to decompress the image from the failing test:
Before:
./bin/opj_decompress -i ../../data/input/nonregression/1888.pdf.asan.35.988.jp2 -o 0.bmp
[INFO] Start to read j2k main header (111).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
tiles require at least one resolution
[ERROR] Cannot decode tile, memory error
[ERROR] Failed to decode the codestream in the JP2 file
ERROR -> opj_decompress: failed to decode image!

After:
./bin/opj_decompress -i ../../data/input/nonregression/1888.pdf.asan.35.988.jp2 -o 0.bmp
[INFO] Start to read j2k main header (111).
[ERROR] COD marker not found in main header
ERROR -> opj_decompress: failed to read the header


To be noted:
kdu_expand -i ../../data/input/nonregression/1888.pdf.asan.35.988.jp2 -o 0.bmp
Kakadu Core Error:
Illegal `Ckernels' value found while finalizing a COD/COC marker segment. 
Reversible processes must use the W5X3 kernel, while irreversible processes
must use the W9X7 kernel, unless you have explicitly identified a different
(Part-2) kernel, via the `Catk' attribute.


With the patch on the image from this issue:
./bin/opj_decompress -i ../../data/issue408/0.jp2 -o 0.bmp

[INFO] Start to read j2k main header (85).
[ERROR] COD marker not found in main header
ERROR -> opj_decompress: failed to read the header

Reported by mayeut on 2014-10-07 21:15:10


- _Attachment: [issue408.patch](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-408/comment-3/issue408.patch)_


Thanks Matthieu.

COD marker is still mandatory in MH.
As SIZ and QCD markers are also required, I added the same verifications you proposed in the patch for COD.
I changed the NR dump test to be expected to fail as the syntax is not correct.

Reported by detonin on 2014-10-22 10:28:48
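The main-header check the two comments above describe (refuse to decode when SIZ, COD or QCD is missing before the first SOT, instead of letting tile decoding run on uninitialised coding parameters), written here as an added C example; this is not OpenJPEG's code or the attached patch. The marker codes are the JPEG 2000 Part 1 values, the two sample headers are constructed with placeholder segment bodies, and the error text mirrors the opj_decompress message quoted above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* JPEG 2000 Part 1 marker codes. SOC has no segment body; the main header
 * runs from SOC to the first SOT, and SIZ, COD and QCD are mandatory in it. */
#define J2K_SOC 0xFF4F
#define J2K_SIZ 0xFF51
#define J2K_COD 0xFF52
#define J2K_QCD 0xFF5C
#define J2K_SOT 0xFF90
enum { HAS_SIZ = 1, HAS_COD = 2, HAS_QCD = 4, HAS_ALL = 7 };

/* Returns 1 if SIZ, COD and QCD all appear before the first SOT, else 0.
 * Each segment is a 2-byte marker followed by Lxx, a 2-byte big-endian
 * length that counts itself but not the marker. */
static int j2k_main_header_complete(const uint8_t *buf, size_t len)
{
    unsigned seen = 0;
    size_t pos = 2;                                   /* skip SOC */
    if (len < 2 || ((buf[0] << 8) | buf[1]) != J2K_SOC)
        return 0;                                     /* not a codestream */
    while (pos + 4 <= len) {                          /* marker + Lxx fit? */
        unsigned marker = (buf[pos] << 8) | buf[pos + 1];
        size_t seglen = ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
        if (marker == J2K_SOT)
            break;                                    /* main header ends */
        if (seglen < 2 || seglen > len - pos - 2)
            return 0;                                 /* truncated segment */
        if (marker == J2K_SIZ) seen |= HAS_SIZ;
        if (marker == J2K_COD) seen |= HAS_COD;
        if (marker == J2K_QCD) seen |= HAS_QCD;
        pos += 2 + seglen;
    }
    if (seen != HAS_ALL) {
        fprintf(stderr, "[ERROR] %s marker not found in main header\n",
                !(seen & HAS_SIZ) ? "SIZ" : !(seen & HAS_COD) ? "COD" : "QCD");
        return 0;
    }
    return 1;
}

/* Constructed sample headers (placeholder 2-byte segment bodies): the first
 * has SIZ, COD and QCD; the second omits COD, as the patch reports for 0.jp2. */
static const uint8_t GOOD_MH[] = { 0xFF,0x4F, 0xFF,0x51,0x00,0x04,0xAA,0xAA,
    0xFF,0x52,0x00,0x04,0xBB,0xBB, 0xFF,0x5C,0x00,0x04,0xCC,0xCC, 0xFF,0x90,0x00,0x0A };
static const uint8_t NO_COD_MH[] = { 0xFF,0x4F, 0xFF,0x51,0x00,0x04,0xAA,0xAA,
    0xFF,0x5C,0x00,0x04,0xCC,0xCC, 0xFF,0x90,0x00,0x0A };
int check_good(void)   { return j2k_main_header_complete(GOOD_MH, sizeof GOOD_MH); }
int check_no_cod(void) { return j2k_main_header_complete(NO_COD_MH, sizeof NO_COD_MH); }
```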


This issue was closed by revision r2909.

Reported by detonin on 2014-10-22 10:30:38

  • Status changed: Fixed
