one null pointer defference bug in sycc422_to_rgb in color.c

[92wyunchao]

one null pointer defference bug in sycc422_to_rgb in color.c in openjpeg-2.3.1 which allow attackers to cause a denial-of-service via a crafted j2k file. This bug can be triggered by the executable opj_decompress

poc:
poc.zip

$uname -a
Linux ubuntu 4.15.0-69-generic #78~16.04.1-Ubuntu SMP Fri Nov 8 11:20:31 UTC 2019 x86_64 GNU/Linux

$./opj_decompress -i poc.j2k -o image.bmp

ASAN:SIGSEGV

==123446==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000042af3a bp 0x7ffc5217fcb0 sp 0x7ffc5217fc10 T0)
#0 0x42af39 in sycc422_to_rgb /home/s2e/asan/openjpeg-2.3.1/src/bin/common/color.c:201
#1 0x42d2c9 in color_sycc_to_rgb /home/s2e/asan/openjpeg-2.3.1/src/bin/common/color.c:423
#2 0x40b600 in main /home/s2e/asan/openjpeg-2.3.1/src/bin/jp2/opj_decompress.c:1600
#3 0x7f4c4ffe482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#4 0x403308 in _start (/home/s2e/asan/openjpeg-2.3.1/build/bin/opj_decompress+0x403308)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/s2e/asan/openjpeg-2.3.1/src/bin/common/color.c:201 sycc422_to_rgb
==123446==ABORTING

[szukw000]

@92wyunchao ,
it seems that you do not use the latest version of OPENJPEG. Because I see:

opj_decompress -i poc.j2k -o image.bmp

[INFO] Start to read j2k main header (0).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Header of tile 1 / 194 has been read.
[INFO] Tile 1/194 has been decoded.
[INFO] Image data has been updated with tile 1.

[WARNING] Failed to decode component 1
[WARNING] Failed to decode component 2
[ERROR] Failed to decode all used components
ERROR -> opj_decompress: failed to decode image!

winfried