
multiple SIGSEGV/SIGABRT crashes with fuzzed samples #603

Closed
detonin opened this issue Sep 22, 2015 · 3 comments

Comments

@detonin
Contributor

detonin commented Sep 22, 2015

Package: libopenjpeg5
Version: 1:1.5.2-3
Severity: important
Tags: security

Dear Maintainer,

I have several samples causing j2k_dump to crash in different ways.
I can provide these privately, but I'm not attaching them here,
because I don't think that making them public before the issues are
fixed would be a good idea.

Backtraces:
$ for f in ; do echo -e "\n\n\n ** $f *** \n\n\n"; gdb --batch -ex r -ex bt -ex q --args j2k_dump -i "$f"; done

 *** id_07cc0ea0b24a217441df652958ff4d93b50ae8f1.j2k *** 




[INFO] tile 1 of 5377

Program received signal SIGSEGV, Segmentation fault.
tgt_reset (tree=0x4300000000000000) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/tgt.c:122
122 /tmp/buildd/openjpeg-1.5.2/libopenjpeg/tgt.c: No such file or directory.
#0  tgt_reset (tree=0x4300000000000000) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/tgt.c:122
#1  0x00007ffff7bcdf43 in t2_decode_packet (t2=0x16dc8a0, t2=0x16dc8a0, tile=0x7ffff53e8010, pi=0x16dc8c0, pi=0x16dc8c0, pi=0x16dc8c0, pi=0x16dc8c0, pack_info=0x0, tcp=0x7ffff584c010, len=653, src=0x16cd661 "4\375\201") at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/t2.c:360
#2  t2_decode_packets (t2=t2@entry=0x16dc8a0, src=src@entry=0x16cd600 "\300\374\300\200\001\307\300\374\300\200\a8\300~", len=len@entry=750, tileno=tileno@entry=0, tile=tile@entry=0x7ffff53e8010, cstr_info=cstr_info@entry=0x0) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/t2.c:741
#3  0x00007ffff7bd29ba in tcd_decode_tile (tcd=tcd@entry=0x60e1f0, src=0x16cd600 "\300\374\300\200\001\307\300\374\300\200\a8\300~", len=750, tileno=tileno@entry=0, cstr_info=0x0) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/tcd.c:1385
#4  0x00007ffff7bc12df in j2k_read_eoc (j2k=0x60e050) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c:1695
#5  0x00007ffff7bc24c2 in j2k_decode (j2k=0x60e050, cio=0x60e170, cstr_info=<optimized out>) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c:2027
#6  0x0000000000401f2b in main (argc=<optimized out>, argv=<optimized out>) at /tmp/buildd/openjpeg-1.5.2/applications/codec/j2k_dump.c:458
A debugging session is active.

    Inferior 1 [process 29104] will be killed.

Quit anyway? (y or n) [answered Y; input not from terminal]



 *** id_36489c74785cf854b2fbadb38379f05fdf58b3cd.j2k *** 





Program received signal SIGSEGV, Segmentation fault.
tcd_malloc_decode_tile (tcd=tcd@entry=0x60e1f0, image=0x60e1b0, cp=0x60e0d0, tileno=<optimized out>, tileno@entry=0, cstr_info=<optimized out>) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/tcd.c:839
839 /tmp/buildd/openjpeg-1.5.2/libopenjpeg/tcd.c: No such file or directory.
#0  tcd_malloc_decode_tile (tcd=tcd@entry=0x60e1f0, image=0x60e1b0, cp=0x60e0d0, tileno=<optimized out>, tileno@entry=0, cstr_info=<optimized out>) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/tcd.c:839
#1  0x00007ffff7bc132c in j2k_read_eoc (j2k=0x60e050) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c:1691
#2  0x00007ffff7bc24c2 in j2k_decode (j2k=0x60e050, cio=0x60e170, cstr_info=<optimized out>) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c:2027
#3  0x0000000000401f2b in main (argc=<optimized out>, argv=<optimized out>) at /tmp/buildd/openjpeg-1.5.2/applications/codec/j2k_dump.c:458
A debugging session is active.

    Inferior 1 [process 29197] will be killed.

Quit anyway? (y or n) [answered Y; input not from terminal]



 *** id_c0ab4aa72114becf0cfe65d875541b71f33d5f71.j2k *** 




j2k_dump: /tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c:435: j2k_read_siz: Assertion `n_comps == image->numcomps' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff7543107 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56  ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
#0  0x00007ffff7543107 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff75444e8 in __GI_abort () at abort.c:89
#2  0x00007ffff753c226 in __assert_fail_base (fmt=0x7ffff7672ce8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x7ffff7bd5cf7 "n_comps == image->numcomps", file=file@entry=0x7ffff7bd6058 "/tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c", line=line@entry=435, function=function@entry=0x7ffff7bd6326 <__PRETTY_FUNCTION__.6066> "j2k_read_siz") at assert.c:92
#3  0x00007ffff753c2d2 in __GI___assert_fail (assertion=0x7ffff7bd5cf7 "n_comps == image->numcomps", file=0x7ffff7bd6058 "/tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c", line=435, function=0x7ffff7bd6326 <__PRETTY_FUNCTION__.6066> "j2k_read_siz") at assert.c:101
#4  0x00007ffff7bc1263 in j2k_read_siz (j2k=0x60e050) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c:435
#5  0x00007ffff7bc24c2 in j2k_decode (j2k=0x60e050, cio=0x60e170, cstr_info=<optimized out>) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c:2027
#6  0x0000000000401f2b in main (argc=<optimized out>, argv=<optimized out>) at /tmp/buildd/openjpeg-1.5.2/applications/codec/j2k_dump.c:458
A debugging session is active.

    Inferior 1 [process 29263] will be killed.

Quit anyway? (y or n) [answered Y; input not from terminal]



 *** id_f2a09bfee2caa7d4b0728e845056407ce15a1076.j2k *** 




j2k_dump: /tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c:433: j2k_read_siz: Assertion `(len - 36 - 2 ) % 3 == 0' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff7543107 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56  ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
#0  0x00007ffff7543107 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff75444e8 in __GI_abort () at abort.c:89
#2  0x00007ffff753c226 in __assert_fail_base (fmt=0x7ffff7672ce8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x7ffff7bd5cde "(len - 36 - 2 ) % 3 == 0", file=file@entry=0x7ffff7bd6058 "/tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c", line=line@entry=433, function=function@entry=0x7ffff7bd6326 <__PRETTY_FUNCTION__.6066> "j2k_read_siz") at assert.c:92
#3  0x00007ffff753c2d2 in __GI___assert_fail (assertion=0x7ffff7bd5cde "(len - 36 - 2 ) % 3 == 0", file=0x7ffff7bd6058 "/tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c", line=433, function=0x7ffff7bd6326 <__PRETTY_FUNCTION__.6066> "j2k_read_siz") at assert.c:101
#4  0x00007ffff7bc1244 in j2k_read_siz (j2k=0x60e050) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c:433
#5  0x00007ffff7bc24c2 in j2k_decode (j2k=0x60e050, cio=0x60e170, cstr_info=<optimized out>) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c:2027
#6  0x0000000000401f2b in main (argc=<optimized out>, argv=<optimized out>) at /tmp/buildd/openjpeg-1.5.2/applications/codec/j2k_dump.c:458
A debugging session is active.

    Inferior 1 [process 29343] will be killed.

Quit anyway? (y or n) [answered Y; input not from terminal]

Best regards,
Andreas
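The two SIGABRT cases above come from `assert()` calls in `j2k_read_siz` that check the SIZ marker segment for internal consistency: the segment length must be `38 + 3 * Csiz`, and the component count derived from the length must match the `Csiz` field. On untrusted input an assertion is a denial of service, not a validation; a decoder should reject the segment and return an error. The following is an added example (not OpenJPEG code) of that check written as a function that returns a status code. The function names, the `siz_status` enum and the sample segments built by `build_siz` are all assumptions constructed for this illustration; the field layout follows the SIZ marker definition in ISO/IEC 15444-1.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Offsets relative to the Lsiz field (just past the 0xFF51 marker):
 *   0  Lsiz (2)  segment length, includes Lsiz itself
 *   2  Rsiz (2)
 *   4  Xsiz, Ysiz, XOsiz, YOsiz, XTsiz, YTsiz, XTOsiz, YTOsiz (8 x 4 = 32)
 *  36  Csiz (2)  number of components
 *  38  Csiz x { Ssiz, XRsiz, YRsiz } (3 bytes each)
 * Hence a well-formed segment has Lsiz == 38 + 3 * Csiz. */

enum siz_status {
    SIZ_OK = 0,
    SIZ_ERR_TRUNCATED,        /* fewer bytes available than Lsiz promises */
    SIZ_ERR_LEN_TOO_SHORT,    /* Lsiz smaller than the fixed part */
    SIZ_ERR_LEN_NOT_MULTIPLE, /* (Lsiz - 38) not a multiple of 3 */
    SIZ_ERR_BAD_COMP_COUNT,   /* Csiz outside 1..16384 */
    SIZ_ERR_COMP_MISMATCH     /* Csiz disagrees with (Lsiz - 38) / 3 */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(((unsigned)p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* seg points at the Lsiz field; avail is the number of readable bytes from seg.
 * Every check that the original code expressed as an assert is an error return. */
enum siz_status validate_siz(const uint8_t *seg, size_t avail, uint16_t *ncomps)
{
    if (avail < 38) return SIZ_ERR_TRUNCATED;            /* need the fixed part first */
    uint16_t lsiz = rd16(seg);
    if (lsiz < 38) return SIZ_ERR_LEN_TOO_SHORT;
    if ((lsiz - 38) % 3 != 0) return SIZ_ERR_LEN_NOT_MULTIPLE;
    uint16_t csiz = rd16(seg + 36);
    if (csiz == 0 || csiz > 16384) return SIZ_ERR_BAD_COMP_COUNT;
    if ((unsigned)(lsiz - 38) / 3 != csiz) return SIZ_ERR_COMP_MISMATCH;
    if (avail < lsiz) return SIZ_ERR_TRUNCATED;          /* component records must be present */
    if (ncomps) *ncomps = csiz;
    return SIZ_OK;
}

/* Constructed sample segment. lsiz and csiz are written exactly as given so that
 * inconsistent combinations can be fed to the validator. Returns bytes written. */
static size_t build_siz(uint8_t *out, size_t cap, uint16_t lsiz, uint16_t csiz, unsigned records)
{
    size_t need = 38 + 3 * (size_t)records;
    if (cap < need) return 0;
    memset(out, 0, need);
    wr16(out, lsiz);
    wr16(out + 2, 0);        /* Rsiz: no capability restrictions */
    wr32(out + 4, 256);      /* Xsiz */
    wr32(out + 8, 256);      /* Ysiz */
    wr32(out + 20, 256);     /* XTsiz */
    wr32(out + 24, 256);     /* YTsiz */
    wr16(out + 36, csiz);
    for (unsigned i = 0; i < records; i++) {
        out[38 + 3 * i] = 7; /* Ssiz: 8-bit unsigned samples */
        out[39 + 3 * i] = 1; /* XRsiz */
        out[40 + 3 * i] = 1; /* YRsiz */
    }
    return need;
}

/* Well-formed: Lsiz = 38 + 3*3 = 47 with Csiz = 3. */
enum siz_status example_valid(void) {
    uint8_t buf[64]; uint16_t n = 0;
    size_t len = build_siz(buf, sizeof buf, 47, 3, 3);
    return validate_siz(buf, len, &n);
}
/* Csiz claims 5 components but Lsiz only accounts for 3 (the n_comps == numcomps case). */
enum siz_status example_comp_mismatch(void) {
    uint8_t buf[64];
    size_t len = build_siz(buf, sizeof buf, 47, 5, 3);
    return validate_siz(buf, len, NULL);
}
/* Lsiz = 46: (46 - 38) % 3 != 0 (the (len - 36 - 2) % 3 case). */
enum siz_status example_bad_multiple(void) {
    uint8_t buf[64];
    size_t len = build_siz(buf, sizeof buf, 46, 3, 3);
    return validate_siz(buf, len, NULL);
}
/* Lsiz promises 47 bytes but only 40 are actually available. */
enum siz_status example_truncated(void) {
    uint8_t buf[64];
    build_siz(buf, sizeof buf, 47, 3, 3);
    return validate_siz(buf, 40, NULL);
}

int main(void) {
    printf("valid=%d mismatch=%d multiple=%d truncated=%d\n",
           example_valid(), example_comp_mismatch(), example_bad_multiple(), example_truncated());
    return 0;
}
```

The last check (`avail < lsiz`) is the one that neither assertion in the report covers: a length that is internally consistent can still run past the end of the codestream, so the caller must bound the segment by the bytes actually present before reading the component records.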

@detonin detonin added the bug label Sep 22, 2015
@detonin detonin added this to the OPJ v1.5.3 milestone Sep 22, 2015
@detonin
Contributor Author

detonin commented Sep 22, 2015

@malaterre issue created on opj side, I'll try to address this in 1.5.3

@stweil
Contributor

stweil commented Jan 6, 2016

Is this related to #687? If you get those SIGSEGV crashes on 64 bit Linux and your compiler complains about missing declaration of function ‘memalign’, you might want to try that patch.

@detonin
Contributor Author

detonin commented Aug 28, 2017

Closing, as 1.x version is not maintained anymore.
If you need this issue resolved, please switch instead to the latest version, where it is likely already fixed.
https://groups.google.com/d/msg/openjpeg/w2I6qPOw_KA/S85qgiy_AgAJ

@detonin detonin closed this as completed Aug 28, 2017