
Encoder: error with small precincts, origin shift [was Out-of-bounds Read in t2.c:819]

Open zodf0055980 opened this issue 3 years ago • 5 comments

I found an Out-of-bounds Read in the current master 18b1138. I built openjpeg with ASAN; this is the ASAN report. POC picture: sample1

➜  ~/openjpeg/build/bin/opj_compress -i ./sample1.png -o ./a.j2c -r 19,9,0 -c \[16,32\],\[16,32\] -p CPRL -s 8,8  -TP L -d 50,50 

[INFO] tile number 1 / 1
ASAN:DEADLYSIGNAL
=================================================================
==32561==ERROR: AddressSanitizer: SEGV on unknown address 0x6097fffffff8 (pc 0x7fe70244f441 bp 0x619000000fa0 sp 0x7ffdb462cec0 T0)
==32561==The signal is caused by a READ memory access.
    #0 0x7fe70244f440 in opj_t2_encode_packet /home/yuan/openjpeg/src/lib/openjp2/t2.c:819
    #1 0x7fe702458563 in opj_t2_encode_packets /home/yuan/openjpeg/src/lib/openjp2/t2.c:332
    #2 0x7fe70247c595 in opj_tcd_t2_encode /home/yuan/openjpeg/src/lib/openjp2/tcd.c:2562
    #3 0x7fe70247c595 in opj_tcd_encode_tile /home/yuan/openjpeg/src/lib/openjp2/tcd.c:1465
    #4 0x7fe702340342 in opj_j2k_write_sod /home/yuan/openjpeg/src/lib/openjp2/j2k.c:4813
    #5 0x7fe702356636 in opj_j2k_write_sod /home/yuan/openjpeg/src/lib/openjp2/j2k.c:12710
    #6 0x7fe702356636 in opj_j2k_write_all_tile_parts /home/yuan/openjpeg/src/lib/openjp2/j2k.c:12715
    #7 0x7fe702356636 in opj_j2k_post_write_tile /home/yuan/openjpeg/src/lib/openjp2/j2k.c:12411
    #8 0x7fe70238b928 in opj_j2k_encode /home/yuan/openjpeg/src/lib/openjp2/j2k.c:12152
    #9 0x55af4e83dda0 in main /home/yuan/openjpeg/src/bin/jp2/opj_compress.c:2206
    #10 0x7fe701497bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
    #11 0x55af4e8430a9 in _start (/home/yuan/openjpeg/build/bin/opj_compress+0x1b0a9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/yuan/openjpeg/src/lib/openjp2/t2.c:819 in opj_t2_encode_packet
==32561==ABORTING

The problem is that precno is -1, and it tries to read &band->precincts[precno].

zodf0055980 avatar Dec 02 '20 10:12 zodf0055980
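As an added illustration of the fault described in the report above (not OpenJPEG's own code), the signed-index pattern that lets precno == -1 reach the array is shown beside a guarded lookup that rejects it; band_t, precinct_t and the helper names are constructed stand-ins:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for the OpenJPEG band/precinct structures;
 * these are not the project's own definitions. */
typedef struct {
    int32_t x0, y0, x1, y1;     /* precinct bounds, unused here */
} precinct_t;

typedef struct {
    precinct_t *precincts;      /* heap array with precincts_count entries */
    uint32_t precincts_count;
} band_t;

/* Unsafe pattern: a signed precinct number used directly as the index.
 * With precno == -1 the address is one element before the allocation,
 * which is the read ASAN reported at t2.c:819. Shown for contrast only. */
precinct_t *precinct_unchecked(band_t *band, int32_t precno)
{
    return &band->precincts[precno];
}

/* Guarded lookup: reject negative and out-of-range indices before the
 * dereference and return NULL so the caller can fail the packet encode. */
precinct_t *precinct_checked(band_t *band, int32_t precno)
{
    if (precno < 0 || (uint32_t)precno >= band->precincts_count) {
        return NULL;
    }
    return &band->precincts[precno];
}

/* Allocate a band with n zeroed precincts; returns 1 on success. */
int band_init(band_t *band, uint32_t n)
{
    band->precincts = calloc(n, sizeof(precinct_t));
    band->precincts_count = band->precincts ? n : 0;
    return band->precincts != NULL;
}

int main(void)
{
    band_t band;
    if (!band_init(&band, 4)) return 1;
    /* The value from the report: -1 must be rejected, never dereferenced. */
    printf("precno -1 -> %s\n", precinct_checked(&band, -1) ? "valid" : "rejected");
    printf("precno  3 -> %s\n", precinct_checked(&band, 3) ? "valid" : "rejected");
    free(band.precincts);
    return 0;
}
```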

CVE-2020-27843 was assigned for this issue.

zodf0055980 avatar Dec 15 '20 07:12 zodf0055980

@rouault, I noticed that in the committed change fc6abdb you say that it is likely not the proper fix; was there any further development following that?

carnil avatar Feb 28 '21 09:02 carnil

was there any further development following that?

no

rouault avatar Feb 28 '21 11:02 rouault

was there any further development following that?

no

Ok thanks for confirming.

Sorry for being annoying, but a further question back: so should the issue be considered closed? Should the fix be considered complete as it landed in the 2.4.0 tagged version?

Let me explain why I'm asking. We are tracking the two CVEs CVE-2020-27842 (https://github.com/uclouvain/openjpeg/issues/1294) and CVE-2020-27843 (https://github.com/uclouvain/openjpeg/issues/1297) and so are looking to check the status of those.

Thanks a lot for your quick help, very much appreciated.

carnil avatar Feb 28 '21 12:02 carnil

Should the fix be considered complete as it landed in the 2.4.0 tagged version?

The security issue is solved by the fix that was committed, but I believe there's a more fundamental functional issue that, in an ideal world, would deserve to be solved.

rouault avatar Feb 28 '21 16:02 rouault