
Integer Overflow at t2.c:1234

Open · headshog opened this issue 2 years ago • 1 comment

Hi! We've been fuzzing openjpeg with sydr-fuzz security predicates and we found an integer overflow error in t2.c:1234.

In function opj_t2_read_packet_header at line 1234 an integer overflow occurs (in our case it was l_band->numbps = 5 and i = 15, so 5+1-15 in the case of OPJ_UINT32 gives an overflow), and nowhere else in this function is the validity of this variable checked. So I tried to put a check there, similar to the other return OPJ_FALSE branches in this function.

Environment

  • OS: ubuntu 20.04
  • commit: 6af39314bdb43cb9c7adcdbc7aa9381af42b52ba

How to reproduce this error

  1. Build docker container:

    sudo docker build -t oss-sydr-fuzz-openjpeg .

  2. Run docker container:

    sudo docker run --privileged --network host -v /etc/localtime:/etc/localtime:ro --rm -it -v $PWD:/fuzz oss-sydr-fuzz-openjpeg /bin/bash

  3. Run on the following input:

    /opj_decompress_fuzzer_JP2_fuzz sydr_t2.txt

  4. Output:

    /openjpeg/src/lib/openjp2/t2.c:1234:65: runtime error: unsigned integer overflow: 6 - 15 cannot be represented in type 'unsigned int'
    SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /openjpeg/src/lib/openjp2/t2.c:1234:65

headshog avatar Dec 06 '23 13:12 headshog
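An added C illustration of the wrap described in the report, placed beside the kind of bounds check the reporter says they tried. This is not openjpeg's code and not the fix that was merged; the helper names and the OPJ_UINT32/OPJ_BOOL typedefs are local stand-ins so the file compiles on its own.

```c
/* Added illustration (not openjpeg's code) of the unsigned wrap reported
 * at t2.c:1234 and of a check in the style of the function's other
 * "return OPJ_FALSE" branches. OPJ_UINT32 / OPJ_BOOL are redefined here
 * (assumption: same meaning as in openjpeg) so the file builds stand-alone. */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t OPJ_UINT32;
typedef int OPJ_BOOL;
#define OPJ_TRUE 1
#define OPJ_FALSE 0

/* Unchecked form, mirroring the arithmetic in the report:
 * band_numbps is l_band->numbps, zero_bitplanes is i.
 * The subtraction is done modulo 2^32, so a count of zero bit-planes
 * larger than band_numbps + 1 yields a huge value instead of an error. */
OPJ_UINT32 cblk_numbps_unchecked(OPJ_UINT32 band_numbps, OPJ_UINT32 zero_bitplanes)
{
    return band_numbps + 1 - zero_bitplanes;
}

/* Checked form (hypothetical helper): reject the header instead of wrapping.
 * The thread notes that this strict rejection made two conformance tests
 * fail, so treat it as an illustration of the reporter's idea, not as the
 * accepted fix. */
OPJ_BOOL cblk_numbps_checked(OPJ_UINT32 band_numbps, OPJ_UINT32 zero_bitplanes,
                             OPJ_UINT32 *out_numbps)
{
    if (zero_bitplanes > band_numbps + 1) {
        return OPJ_FALSE; /* would underflow: more zero planes than exist */
    }
    *out_numbps = band_numbps + 1 - zero_bitplanes;
    return OPJ_TRUE;
}

int main(void)
{
    OPJ_UINT32 v = 0;
    /* The reporter's values: numbps = 5, i = 15, i.e. 6 - 15 wraps. */
    printf("unchecked: %u\n", cblk_numbps_unchecked(5, 15)); /* 4294967287 */
    printf("checked: %s\n", cblk_numbps_checked(5, 15, &v) ? "ok" : "rejected");
    /* A consistent header: numbps = 5, i = 2 leaves 4 bit-planes to decode. */
    if (cblk_numbps_checked(5, 2, &v)) {
        printf("checked: %u\n", v); /* 4 */
    }
    return 0;
}
```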

That change causes additional test failures:

  • 43 - ETS-C1P0-p0_06.j2k-compare2ref (Failed)
  • 44 - NR-C1P0-p0_06.j2k-compare2base (Failed)

Would require deeper analysis to see if they are legit.

rouault avatar Dec 08 '23 14:12 rouault

Alternate fix in https://github.com/uclouvain/openjpeg/pull/1511

rouault avatar Feb 18 '24 17:02 rouault