
[ Heap Overflow ] opj_decompress #1473

Closed
5angjun opened this issue Jul 24, 2023 · 0 comments


5angjun commented Jul 24, 2023

Expected behavior and actual behavior.

Abnormal behavior when processing the .j2k file to a .pgm file

crash.j2k

https://drive.google.com/file/d/1xvnxFcOHE9N-bJ_CSyvDL012HQrSlSGR/view?usp=sharing

...to fill...

Steps to reproduce the problem.

git clone https://github.com/uclouvain/openjpeg.git

cd openjpeg
mkdir build
cd build


cmake .. -DCMAKE_BUILD_TYPE=Debug \
-DCMAKE_C_COMPILER=clang \
-DCMAKE_CXX_COMPILER=clang++ \
-DCMAKE_C_FLAGS="-fsanitize=address" \
-DCMAKE_CXX_FLAGS="-fsanitize=address"

make -j$(nproc)


cd bin

./opj_decompress -i ./crash.j2k -o test.pgm

Operating system

❯ uname -r
5.19.0-46-generic

~
❯ cat /etc/issue               
Ubuntu 22.04.2 LTS \n \l

openjpeg version

commit 1ee6d115e80036d1d38bad7f95a680bfc612c1bf (HEAD -> master, origin/master, origin/HEAD)
Merge: 15c0dca5 59ec1f0a
Author: Even Rouault <[email protected]>
Date:   Sun Mar 26 16:08:24 2023 +0200

    Merge pull request #1463 from rouault/fix_570
    
    opj_jp2_read_header(): move setting color_space here instead in opj_jp2_decode()/get_tile() (fixes #570)



...to fill...

crash.j2k

https://drive.google.com/file/d/1xvnxFcOHE9N-bJ_CSyvDL012HQrSlSGR/view?usp=sharing

image

/openjpeg_orig/build8/bin master*
❯ ./opj_decompress -i ~/openjpeg/crash.j2k -o test.pgm



[INFO] Start to read j2k main header (0).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Header of tile 1 / 128 has been read.
[INFO] Tile 1/128 has been decoded.
[INFO] Image data has been updated with tile 1.

=================================================================
==3974133==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000010800 at pc 0x5619150edb77 bp 0x7ffec1251220 sp 0x7ffec1251218
READ of size 4 at 0x631000010800 thread T0
    #0 0x5619150edb76 in sycc420_to_rgb /home/sangjun/openjpeg_orig/src/bin/common/color.c:379:42
    #1 0x5619150ebd49 in color_sycc_to_rgb /home/sangjun/openjpeg_orig/src/bin/common/color.c:416:9
    #2 0x5619150b8028 in main /home/sangjun/openjpeg_orig/src/bin/jp2/opj_decompress.c:1629:13
    #3 0x7fe4a9e29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #4 0x7fe4a9e29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #5 0x561914ff3774 in _start (/home/sangjun/openjpeg_orig/build8/bin/opj_decompress+0x29774) (BuildId: 818ced7ede83d52f55366982cc4cc3c163203454)

0x631000010800 is located 0 bytes to the right of 65536-byte region [0x631000000800,0x631000010800)
allocated by thread T0 here:
    #0 0x561915077137 in posix_memalign (/home/sangjun/openjpeg_orig/build8/bin/opj_decompress+0xad137) (BuildId: 818ced7ede83d52f55366982cc4cc3c163203454)
    #1 0x7fe4aa3e3445 in opj_aligned_alloc_n /home/sangjun/openjpeg_orig/src/lib/openjp2/opj_malloc.c:61:9
    #2 0x7fe4aa3e32c9 in opj_aligned_malloc /home/sangjun/openjpeg_orig/src/lib/openjp2/opj_malloc.c:209:12
    #3 0x7fe4aa2ee634 in opj_image_data_alloc /home/sangjun/openjpeg_orig/src/lib/openjp2/openjpeg.c:1135:17
    #4 0x7fe4aa2b9c82 in opj_j2k_update_image_data /home/sangjun/openjpeg_orig/src/lib/openjp2/j2k.c:10140:50
    #5 0x7fe4aa2b7d99 in opj_j2k_decode_tiles /home/sangjun/openjpeg_orig/src/lib/openjp2/j2k.c:11746:15
    #6 0x7fe4aa27e3d8 in opj_j2k_exec /home/sangjun/openjpeg_orig/src/lib/openjp2/j2k.c:9035:33
    #7 0x7fe4aa291bec in opj_j2k_decode /home/sangjun/openjpeg_orig/src/lib/openjp2/j2k.c:12039:11
    #8 0x7fe4aa2ebdd0 in opj_decode /home/sangjun/openjpeg_orig/src/lib/openjp2/openjpeg.c:526:16
    #9 0x5619150b74e5 in main /home/sangjun/openjpeg_orig/src/bin/jp2/opj_decompress.c:1582:19
    #10 0x7fe4a9e29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/sangjun/openjpeg_orig/src/bin/common/color.c:379:42 in sycc420_to_rgb
Shadow bytes around the buggy address:
  0x0c627fffa0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffa0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffa0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffa0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffa0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c627fffa100:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffa110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffa120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffa130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffa140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffa150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3974133==ABORTING

@5angjun 5angjun closed this as completed Nov 9, 2023
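The report above does not state a root cause; what the AddressSanitizer trace shows is a 4-byte read exactly one element past the end of a 65536-byte image-component buffer (allocated in opj_image_data_alloc) inside sycc420_to_rgb, i.e. the 4:2:0 chroma-to-RGB conversion indexed a chroma plane beyond its allocated size. The following is an added example, not code from the openjpeg project, showing the kind of geometry validation a defensive 4:2:0 converter performs before touching any plane: it uses a hypothetical plane_t struct (not opj_image_comp_t) and constructed sample planes, and rejects an image whose chroma planes are smaller than the luma dimensions and declared subsampling factors require.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for one image component plane (not openjpeg's type). */
typedef struct {
    uint32_t w, h;     /* plane dimensions in samples */
    uint32_t dx, dy;   /* subsampling factors declared in the codestream header */
    int32_t *data;     /* w * h samples, allocated by the decoder */
} plane_t;

/* Returns 1 when the three planes have exactly the geometry a 4:2:0 converter
 * assumes: luma unsubsampled, chroma declared dx = dy = 2 and sized
 * ceil(w/2) x ceil(h/2). Anything else must be refused, not converted. */
int sycc420_geometry_ok(const plane_t *y, const plane_t *cb, const plane_t *cr)
{
    const plane_t *c[2] = { cb, cr };
    uint32_t exp_w = (y->w + 1) / 2, exp_h = (y->h + 1) / 2;

    if (y->dx != 1 || y->dy != 1 || y->data == NULL) return 0;
    for (int i = 0; i < 2; i++) {
        if (c[i]->dx != 2 || c[i]->dy != 2) return 0;
        if (c[i]->w != exp_w || c[i]->h != exp_h) return 0;
        if (c[i]->data == NULL) return 0;
    }
    return 1;
}

static uint8_t clamp8(int v) { return (uint8_t)(v < 0 ? 0 : (v > 255 ? 255 : v)); }

/* Converts to packed 8-bit RGB. Returns the number of pixels written, or -1
 * when the geometry check fails. Chroma indices are derived from the luma
 * position by integer halving, so they stay inside the validated
 * ceil(w/2) x ceil(h/2) planes even for odd widths and heights. */
long sycc420_to_rgb_checked(const plane_t *y, const plane_t *cb,
                            const plane_t *cr, uint8_t *rgb)
{
    long n = 0;
    if (!sycc420_geometry_ok(y, cb, cr)) return -1;

    for (uint32_t j = 0; j < y->h; j++) {
        for (uint32_t i = 0; i < y->w; i++) {
            int    Y  = y->data[(size_t)j * y->w + i];
            size_t ci = (size_t)(j / 2) * cb->w + (i / 2);
            int    U  = cb->data[ci] - 128;
            int    V  = cr->data[ci] - 128;
            rgb[n * 3 + 0] = clamp8(Y + (int)(1.402 * V));
            rgb[n * 3 + 1] = clamp8(Y - (int)(0.344 * U + 0.714 * V));
            rgb[n * 3 + 2] = clamp8(Y + (int)(1.772 * U));
            n++;
        }
    }
    return n;
}

/* Constructed sample data: a 5x3 luma plane and 3x2 chroma planes
 * (ceil(5/2) x ceil(3/2)), all mid-grey. */
static int32_t s_y[15], s_cb[6], s_cr[6];
static uint8_t s_rgb[15 * 3];

static void fill(int32_t *p, size_t n, int32_t v) { for (size_t k = 0; k < n; k++) p[k] = v; }

/* Well-formed image: conversion proceeds and returns 15 pixels. */
long demo_valid_image(void)
{
    plane_t y  = { 5, 3, 1, 1, s_y  };
    plane_t cb = { 3, 2, 2, 2, s_cb };
    plane_t cr = { 3, 2, 2, 2, s_cr };
    fill(s_y, 15, 128); fill(s_cb, 6, 128); fill(s_cr, 6, 128);
    return sycc420_to_rgb_checked(&y, &cb, &cr, s_rgb);
}

/* Same luma, but the chroma planes claim to be only 2x1: an unchecked
 * converter would index past the end of s_cb / s_cr. Returns -1. */
long demo_short_chroma(void)
{
    plane_t y  = { 5, 3, 1, 1, s_y  };
    plane_t cb = { 2, 1, 2, 2, s_cb };
    plane_t cr = { 2, 1, 2, 2, s_cr };
    return sycc420_to_rgb_checked(&y, &cb, &cr, s_rgb);
}

/* Returns 1 when the first converted pixel of the grey sample is (128,128,128). */
int demo_grey_pixel(void)
{
    if (demo_valid_image() != 15) return 0;
    return s_rgb[0] == 128 && s_rgb[1] == 128 && s_rgb[2] == 128;
}

int main(void)
{
    printf("valid image: %ld pixels\n", demo_valid_image());
    printf("short chroma: %ld (rejected)\n", demo_short_chroma());
    printf("grey pixel ok: %d\n", demo_grey_pixel());
    return 0;
}
```

The design point is that the check is performed once, on the declared dimensions and subsampling factors, before the conversion loop runs; the loop itself then never computes an index the check did not already cover. A converter that only assumes "chroma is half of luma" without verifying the planes' actual sizes is exactly the shape of code that an ASan heap-buffer-overflow READ one element past a component buffer, as in the trace above, tends to point at.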