
Division by zero crash #937

Closed
Google-Autofuzz opened this issue May 23, 2017 · 5 comments
Comments

@Google-Autofuzz

Hello OpenJpeg,

As part of our fuzzing efforts at Google, we have identified an issue in version 8650b70 (from head). To reproduce requires compiling the project with the LLVM compiler, taking advantage of the sanitizers that it offers (this issue was discovered using AddressSanitizer).

To reproduce you will need to build your project using that sanitizer, and execute the attached stub code on the reproducer input that we have also provided. This stub code could also serve as a useful template for fuzzing in your project with libFuzzer and/or AFL, which may help you uncover additional issues. Some documentation on how to get started with libFuzzer is here:
Getting Started Documentation
LibFuzzer Tutorial
OSS-Fuzz target example

The following options / environment variables may be necessary for accurate reproduction of the issue as well:
ASAN_OPTIONS="exitcode=1,handle_segv=1,detect_leaks=1,leak_check_at_exit=1,allocator_may_return_null=1,detect_odr_violation=0"
MSAN_OPTIONS=...

The sanitizer error that we encountered is here:
third_party/openjpeg2/src/lib/openjp2/pi.c:523:19: runtime error: division by zero
#0 in opj_pi_next_cprl
#1 in opj_t2_decode_packets
#2 in opj_tcd_t2_decode
#3 in opj_tcd_decode_tile
#4 in opj_j2k_decode_tile
#5 in opj_j2k_decode_tiles
#6 in opj_j2k_exec
#7 in opj_j2k_decode
#8 in DecodeAs(CODEC_FORMAT, unsigned char const*, unsigned long)
#9 in LLVMFuzzerTestOneInput
#10 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long)
#11 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long)
#12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long)
#13 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long))
#14 in main
#15 in __libc_start_main
#16 in _start

Other relevant info/repro instructions: After building with ASAN, this should trigger the bug (note .j2k extension must be added): ./opj_decompress -i /poc-752c5d6632455bac7732b47da0ba98eacf4cfd9bd98b53f5a703504a8ffb6cd5.j2k -o foo.pgm

./opj_decompress -i /fuzzing/og-b38087388.j2k -o foo.pgm

[INFO] Start to read j2k main header (0).
[WARNING] Unknown marker
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Psot value of the current tile-part is equal to zero, we assuming it is the last tile-part of the codestream.
[INFO] Header of tile 1 / 1 has been read.
/fuzzing/openjpeg/src/lib/openjp2/pi.c:523:19: runtime error: division by zero
poc-752c5d6632455bac7732b47da0ba98eacf4cfd9bd98b53f5a703504a8ffb6cd5.zip

We will gladly work with you so you can successfully confirm and reproduce this issue. Do let us know if you have any feedback surrounding the documentation. Once you have reproduced the issue, we’d appreciate learning your expected timeline for an update to be released. With any fix, please attribute the report to “Google Autofuzz project”.

We are also pleased to inform you that your project is eligible for inclusion in the OSS-Fuzz project, which can provide additional continuous fuzzing, and we encourage you to investigate integration options.

Don’t hesitate to let us know if you have any questions!

Google AutoFuzz Team

(38087388)

@rwhitworth

Is this a duplicate of #855?

@szukw000
Contributor

@Google-Autofuzz, @rwhitworth,

See: #882

opj_decompress -i poc-752c5d6632455bac7732b47da0ba98eacf4cfd9bd98b53f5a703504a8ffb6cd5.j2k -o test.png

[INFO] Start to read j2k main header (0).
[ERROR] Invalid precision and/or sgnd values for comp[1]:
[0] prec(12) sgnd(0) [1] prec(2) sgnd(0)
[ERROR] Marker handler function failed to read the marker segment
ERROR -> opj_decompress: failed to read the header
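The crash above is reached only after the main header has been accepted, while the output in this comment shows the decoder rejecting the same file at the SIZ marker. As an added illustration of that header-level defence (example code written for this thread, not OpenJPEG's own code), the following parses the SOC+SIZ prefix of a raw J2K codestream and reports values that a later stage would otherwise use as divisors or loop bounds. The SIZ layout follows the JPEG 2000 spec; which field the reporter's file corrupts is not stated on the page, so the sample codestreams below are constructed, not taken from the reproducer.

```python
import struct

# Fixed part of SIZ after Lsiz: Rsiz, Xsiz, Ysiz, XOsiz, YOsiz, XTsiz, YTsiz, XTOsiz, YTOsiz, Csiz
_SIZ_FIXED = struct.Struct(">HIIIIIIIIH")
_NAMES = ("rsiz", "xsiz", "ysiz", "xosiz", "yosiz", "xtsiz", "ytsiz", "xtosiz", "ytosiz", "csiz")

def parse_siz(cs: bytes) -> dict:
    """Parse SOC (FF4F) + SIZ (FF51) at the start of a raw J2K codestream."""
    if cs[:4] != b"\xff\x4f\xff\x51":
        raise ValueError("not a J2K codestream (expected SOC then SIZ)")
    lsiz = struct.unpack(">H", cs[4:6])[0]
    body = cs[6:4 + lsiz]                      # Lsiz counts its own two bytes
    if len(body) != lsiz - 2 or lsiz < _SIZ_FIXED.size + 2:
        raise ValueError("truncated SIZ segment")
    siz = dict(zip(_NAMES, _SIZ_FIXED.unpack(body[:_SIZ_FIXED.size])))
    if lsiz != 38 + 3 * siz["csiz"]:
        raise ValueError("Lsiz does not match Csiz")
    comps, off = [], _SIZ_FIXED.size
    for _ in range(siz["csiz"]):
        ssiz, dx, dy = body[off], body[off + 1], body[off + 2]   # Ssiz, XRsiz, YRsiz
        comps.append({"prec": (ssiz & 0x7F) + 1, "sgnd": ssiz >> 7, "dx": dx, "dy": dy})
        off += 3
    siz["comps"] = comps
    return siz

def siz_problems(siz: dict) -> list:
    """Return a list of header inconsistencies; an empty list means the SIZ looks sane."""
    p = []
    if siz["xsiz"] <= siz["xosiz"] or siz["ysiz"] <= siz["yosiz"]:
        p.append("empty image area")
    if siz["xtsiz"] == 0 or siz["ytsiz"] == 0:
        p.append("zero tile size")
    if (siz["xtosiz"] + siz["xtsiz"] <= siz["xosiz"]
            or siz["ytosiz"] + siz["ytsiz"] <= siz["yosiz"]):
        p.append("first tile does not cover the image origin")
    for i, c in enumerate(siz["comps"]):
        if c["dx"] == 0 or c["dy"] == 0:         # sub-sampling factors are used as divisors
            p.append(f"comp[{i}] zero sub-sampling factor")
        if not 1 <= c["prec"] <= 38:              # spec range; decoders may support less
            p.append(f"comp[{i}] precision out of range")
    first = siz["comps"][0] if siz["comps"] else None
    if first and any((c["prec"], c["sgnd"]) != (first["prec"], first["sgnd"]) for c in siz["comps"]):
        p.append("components differ in prec/sgnd")   # the condition reported in the comment above
    return p

def build_siz(comps, xtsiz=64, ytsiz=64) -> bytes:
    """Construct a minimal SOC+SIZ prefix for testing (constructed data, not the reproducer)."""
    body = _SIZ_FIXED.pack(0, 64, 64, 0, 0, xtsiz, ytsiz, 0, 0, len(comps))
    for prec, sgnd, dx, dy in comps:
        body += bytes([((prec - 1) & 0x7F) | (sgnd << 7), dx, dy])
    return b"\xff\x4f\xff\x51" + struct.pack(">H", 2 + len(body)) + body
```

Running the checks before handing a codestream to the tile decoder turns a sanitizer crash deep in the packet iterator into an ordinary header-read error, which is the behaviour the second transcript shows.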

@Google-Autofuzz
Author

Hi,

Sorry for the delay.

It does look like this is likely a dupe of #855. The PR mentioned above looks to still be open, is that planned to be accepted?

If there's anything we can do to be of help, please let us know.

Google AutoFuzz Team

@kcc

kcc commented Jul 20, 2017

This (or something very similar) is also reported as https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2532

@rouault
Collaborator

rouault commented Jul 26, 2017

Fixed per d27ccf0

@rouault rouault closed this as completed Jul 26, 2017
@detonin detonin added the bug label Aug 3, 2017