openjpeg
demonstrate undefined behaviour in opj_decompress
I ran afl and found a few issues. This pull request contains a script and data to reproduce them, plus asserts in the code. I used Ubuntu 22.04.
I filed issues #1443, #1444 and #1445 demonstrated by this pull request.
To reproduce, build with sanitizers:
sudo apt install afl++
cd tests/fuzzers/afl
./build-afl.sh
Then execute the crash test cases:
xx@xxx:~/code/openjpeg/tests/fuzzers/afl$ build-clang-release-replay/bin/opj_decompress -i crashes/color_1077_1123 -o tmp.bmp
===========================================
The extension of this file is incorrect.
FOUND 1123. SHOULD BE .jp2 or .jph
===========================================
[INFO] Start to read j2k main header (85).
[WARNING] Despite JP2 BPC!=255, precision and/or sgnd values for comp[1] is different than comp[0]:
[0] prec(31) sgnd(0) [1] prec(8) sgnd(0)
[WARNING] Despite JP2 BPC!=255, precision and/or sgnd values for comp[2] is different than comp[0]:
[0] prec(31) sgnd(0) [2] prec(8) sgnd(0)
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Header of tile 1 / 1 has been read.
[INFO] Stream reached its end !
/home/surfer/code/openjpeg/src/bin/common/color.c:1077:24: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/surfer/code/openjpeg/src/bin/common/color.c:1077:24 in
/home/surfer/code/openjpeg/src/bin/common/color.c:1077:49: runtime error: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/surfer/code/openjpeg/src/bin/common/color.c:1077:49 in
/home/surfer/code/openjpeg/src/bin/common/color.c:1123:15: runtime error: 2.21034e+09 is outside the range of representable values of type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/surfer/code/openjpeg/src/bin/common/color.c:1123:15 in
imagetobmp: only first component of 3 is used.
BMP CONVERSION: Truncating component 0 from 31 bits to 8 bits
[INFO] Generated Outfile tmp.bmp
decode time: 1 ms
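As an added example (not openjpeg's own code), the two undefined-behaviour patterns the sanitizer reports above, next to a form that avoids them: the messages at color.c:1077 ("left shift of 1 by 31" followed by "-2147483648 - 1") match an expression shaped like (1 << prec) - 1 evaluated in int with prec == 31, and color.c:1123 converts a float of about 2.21e9 to int, which exceeds INT_MAX. The expression shape and the function names are assumptions; the actual source lines are not shown on this page.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed shape of the color.c:1077 computation: a sample-range mask
 * built as (1 << prec) - 1. In int, prec == 31 makes 1 << 31 undefined
 * and the subtraction then overflows, exactly as UBSan reported.
 * This version does the arithmetic in 64 bits and refuses precisions
 * whose result would not fit the caller's int anyway.
 * Returns -1 when prec is unusable, else 2^prec - 1. */
int64_t max_for_precision(unsigned int prec)
{
    if (prec == 0 || prec > 31) {
        return -1; /* 0 bits is meaningless; 32+ bits cannot fit in int */
    }
    return ((int64_t)1 << prec) - 1;
}

/* color.c:1123 converts a floating value (~2.21e9) to int. Converting
 * a value outside int's range is undefined behaviour, so clamp it to
 * an explicit [lo, hi] window first; NaN is mapped to lo. */
int clamp_float_to_int(double v, int lo, int hi)
{
    if (v != v) {              /* NaN never compares equal to itself */
        return lo;
    }
    if (v <= (double)lo) return lo;
    if (v >= (double)hi) return hi;
    return (int)v;             /* now guaranteed representable */
}

int main(void)
{
    /* prec 31 is the value from the warning lines above; 8 is comp[1]'s */
    printf("prec 8  -> %lld\n", (long long)max_for_precision(8));
    printf("prec 31 -> %lld\n", (long long)max_for_precision(31));
    printf("prec 32 -> %lld\n", (long long)max_for_precision(32));
    /* the sanitizer's out-of-range float, clamped to an 8-bit sample */
    printf("2.21034e+09 -> %d\n", clamp_float_to_int(2.21034e+09, 0, 255));
    return 0;
}
```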