openjpeg
Encoder: issue in lib/openjp2/tgt.c when small precincts size, -TP C and non (0,0) grid offset
I found a NULL dereference in the current master (61ff143).
I built openjpeg with ASAN; this is the ASAN report.
POC picture:

```
➜ ~/openjpeg/build/bin/opj_compress -o ./a.j2k -i ./sample.png -c [32,32],[32,32] -TP C -d 50,50
[INFO] tile number 1 / 1
ASAN:DEADLYSIGNAL
=================================================================
==18479==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fc7885e58d7 bp 0x000000000000 sp 0x7ffccfc34870 T0)
==18479==The signal is caused by a READ memory access.
==18479==Hint: address points to the zero page.
    #0 0x7fc7885e58d6 in opj_tgt_reset /home/yuan/afl-target/openjpeg/src/lib/openjp2/tgt.c:247
    #1 0x7fc7885b01ef in opj_t2_encode_packet /home/yuan/afl-target/openjpeg/src/lib/openjp2/t2.c:743
    #2 0x7fc7885b9db6 in opj_t2_encode_packets /home/yuan/afl-target/openjpeg/src/lib/openjp2/t2.c:332
    #3 0x7fc7885dd9ee in opj_tcd_t2_encode /home/yuan/afl-target/openjpeg/src/lib/openjp2/tcd.c:2562
    #4 0x7fc7885dd9ee in opj_tcd_encode_tile /home/yuan/afl-target/openjpeg/src/lib/openjp2/tcd.c:1465
    #5 0x7fc7884b766d in opj_j2k_write_sod /home/yuan/afl-target/openjpeg/src/lib/openjp2/j2k.c:4813
    #6 0x7fc7884b766d in opj_j2k_write_first_tile_part /home/yuan/afl-target/openjpeg/src/lib/openjp2/j2k.c:12640
    #7 0x7fc7884b766d in opj_j2k_post_write_tile /home/yuan/afl-target/openjpeg/src/lib/openjp2/j2k.c:12396
    #8 0x7fc7884ef8dd in opj_j2k_encode /home/yuan/afl-target/openjpeg/src/lib/openjp2/j2k.c:12145
    #9 0x5569a86d6b75 in main /home/yuan/afl-target/openjpeg/src/bin/jp2/opj_compress.c:2206
    #10 0x7fc787604bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #11 0x5569a86dbd69 in _start (/home/yuan/afl-target/openjpeg/build/bin/opj_compress+0x1ad69)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/yuan/afl-target/openjpeg/src/lib/openjp2/tgt.c:247 in opj_tgt_reset
==18479==ABORTING
```
With the fix done in fbd30b0, this now returns a "clean" error:

```
[INFO] tile number 1 / 1
[ERROR] opj_t2_encode_packet(): accessing precno=1 >= 1
[ERROR] Cannot encode tile
failed to encode image: opj_encode
failed to encode image: opj_end_compress
failed to encode image
```
CVE-2020-27842 was assigned for this issue.
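The "accessing precno=1 >= 1" message from the fixed build is a bounds check on the precinct index before the encoder touches the per-precinct tag trees. As an added illustration (not openjpeg's code), the block below computes the JPEG 2000 Annex B precinct grid for a constructed 64x64 region with and without a (50,50) canvas offset at 32x32 precincts, and shows a checked lookup that reports an out-of-range index or a missing record instead of dereferencing it; `res_t`, `precincts_wide`, `compute_precinct_grid` and `get_precinct` are hypothetical names, and the image size is assumed.

```c
#include <stdio.h>
#include <stdint.h>
/* Hypothetical resolution-level record (constructed, not openjpeg's):
 * tile-component rectangle [x0,x1) x [y0,y1), precincts of 2^pdx x 2^pdy
 * samples, and pw*ph per-precinct records indexed by precinct number. */
typedef struct {
    uint32_t x0, y0, x1, y1;
    uint32_t pdx, pdy;
    uint32_t pw, ph;   /* precinct grid size, filled by compute_precinct_grid */
    void   **prc;      /* per-precinct records; NULL when not allocated */
} res_t;

/* Precincts along one axis (JPEG 2000 Annex B): the grid is anchored at the
 * canvas origin, so a non-zero image offset such as -d 50,50 shifts the
 * rectangle against the grid and can add a partial precinct at each edge. */
uint32_t precincts_wide(uint32_t x0, uint32_t x1, uint32_t pdx) {
    if (x1 <= x0) return 0;
    uint32_t first = x0 >> pdx;                                              /* floor */
    uint32_t end   = (uint32_t)(((uint64_t)x1 + (1ULL << pdx) - 1) >> pdx); /* ceil  */
    return end - first;
}

void compute_precinct_grid(res_t *r) {
    r->pw = precincts_wide(r->x0, r->x1, r->pdx);
    r->ph = precincts_wide(r->y0, r->y1, r->pdy);
}

/* Checked lookup: refuse an out-of-range precinct number or a missing record
 * instead of dereferencing it (the pattern behind the "accessing precno=1 >= 1"
 * message of the fixed build). Returns 0 on success, -1 on error. */
int get_precinct(const res_t *r, uint32_t precno, void **out) {
    uint32_t nprec = r->pw * r->ph;
    if (precno >= nprec || r->prc == NULL || r->prc[precno] == NULL) {
        fprintf(stderr, "accessing precno=%u >= %u (or record missing)\n", precno, nprec);
        return -1;
    }
    *out = r->prc[precno];
    return 0;
}

int main(void) {
    /* Constructed input: a 64x64 region at offset (0,0) and at (50,50), 32x32 precincts. */
    res_t a = { 0, 0, 64, 64, 5, 5, 0, 0, NULL };
    res_t b = { 50, 50, 114, 114, 5, 5, 0, 0, NULL };
    compute_precinct_grid(&a); compute_precinct_grid(&b);
    printf("offset 0: %ux%u precincts; offset 50: %ux%u precincts\n", a.pw, a.ph, b.pw, b.ph);
    void *p = NULL;
    return get_precinct(&b, b.pw * b.ph, &p) == -1 ? 0 : 1; /* rejected, exit 0 */
}
```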
@rouault

> With the fix done in fbd30b0, this now returns a "clean" error
> [INFO] tile number 1 / 1 [ERROR] opj_t2_encode_packet(): accessing precno=1 >= 1 [ERROR] Cannot encode tile failed to encode image: opj_encode failed to encode image: opj_end_compress failed to encode image

So this means the issue is considered to be closed with that change?

edit: okay, no, the comment clearly says that this is unlikely to be the proper fix.