heap-buffer-overflow /openjpeg/src/bin/common/color.c:314 in sycc420_to_rgb()
13579and2468 opened this issue · 0 comments
13579and2468 commented
Expected behavior and actual behavior.
Expected: runs without a heap-buffer-overflow.
Steps to reproduce the problem.
Build with AddressSanitizer:
$ git clone https://github.com/uclouvain/openjpeg.git
$ cd openjpeg
$ mkdir build
$ cd build
$ CFLAGS='-fsanitize=address -g3' CXXFLAGS='-fsanitize=address -g3' cmake ..
$ CFLAGS='-fsanitize=address -g3' CXXFLAGS='-fsanitize=address -g3' make
Run with AddressSanitizer:
$ ./bin/opj_decompress -o ./tmp/a.ppm -r 5 -i poc.jpg
===========================================
The extension of this file is incorrect.
FOUND .jpg. SHOULD BE .j2k or .jpc or .j2c or .jhc
===========================================
[INFO] Start to read j2k main header (0).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Header of tile 49 / 256 has been read.
[INFO] Tile 49/256 has been decoded.
[INFO] Image data has been updated with tile 49.
=================================================================
==36806==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fab83eb3800 at pc 0x56281db9c67d bp 0x7ffd67b60c60 sp 0x7ffd67b60c50
READ of size 4 at 0x7fab83eb3800 thread T0
#0 0x56281db9c67c in sycc420_to_rgb /home/oceane/fuzz/report/openjpeg/src/bin/common/color.c:314
#1 0x56281db9d901 in color_sycc_to_rgb /home/oceane/fuzz/report/openjpeg/src/bin/common/color.c:416
#2 0x56281db78ade in main /home/oceane/fuzz/report/openjpeg/src/bin/jp2/opj_decompress.c:1629
#3 0x7fab92dfe0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
#4 0x56281db6ef0d in _start (/home/oceane/fuzz/report/openjpeg/build/bin/opj_decompress+0x9f0d)
0x7fab83eb3800 is located 0 bytes to the right of 37748736-byte region [0x7fab81ab3800,0x7fab83eb3800)
allocated by thread T0 here:
#0 0x7fab9342c6e5 in __interceptor_posix_memalign ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:217
#1 0x7fab932e906a in opj_aligned_alloc_n /home/oceane/fuzz/report/openjpeg/src/lib/openjp2/opj_malloc.c:61
#2 0x7fab932e92a6 in opj_aligned_malloc /home/oceane/fuzz/report/openjpeg/src/lib/openjp2/opj_malloc.c:209
#3 0x7fab9324d460 in opj_image_data_alloc /home/oceane/fuzz/report/openjpeg/src/lib/openjp2/openjpeg.c:1130
#4 0x7fab9321fb13 in opj_j2k_update_image_data /home/oceane/fuzz/report/openjpeg/src/lib/openjp2/j2k.c:10137
#5 0x7fab9322c5f2 in opj_j2k_decode_tiles /home/oceane/fuzz/report/openjpeg/src/lib/openjp2/j2k.c:11743
#6 0x7fab93218ab9 in opj_j2k_exec /home/oceane/fuzz/report/openjpeg/src/lib/openjp2/j2k.c:9032
#7 0x7fab9322e867 in opj_j2k_decode /home/oceane/fuzz/report/openjpeg/src/lib/openjp2/j2k.c:12036
#8 0x7fab9324b58f in opj_decode /home/oceane/fuzz/report/openjpeg/src/lib/openjp2/openjpeg.c:521
#9 0x56281db782d6 in main /home/oceane/fuzz/report/openjpeg/src/bin/jp2/opj_decompress.c:1582
#10 0x7fab92dfe0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/oceane/fuzz/report/openjpeg/src/bin/common/color.c:314 in sycc420_to_rgb
Shadow bytes around the buggy address:
0x0ff5f07ce6b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff5f07ce6c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff5f07ce6d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff5f07ce6e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff5f07ce6f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff5f07ce700:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff5f07ce710: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff5f07ce720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff5f07ce730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff5f07ce740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff5f07ce750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==36806==ABORTING
Operating system
$ uname -a
Linux lab117 5.15.0-57-generic #63~20.04.1-Ubuntu SMP Wed Nov 30 13:40:16 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
openjpeg version
$ git log --oneline -1
2d606701 (HEAD -> master, origin/master, origin/HEAD) Merge pull request #1448 from rouault/fix_1447
$ ./bin/opj_decompress -h
This is the opj_decompress utility from the OpenJPEG project.
It decompresses JPEG 2000 codestreams to various image formats.
It has been compiled against openjp2 library v2.5.0.
(ignore ...)
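The report above shows a read running off the end of a heap buffer inside a 4:2:0 YCbCr-to-RGB conversion. The class of defect such a converter has to guard against is a mismatch between the luma dimensions it iterates over and the dimensions the chroma planes were actually allocated with, for example after a resolution reduction or with odd image sizes. The following is an added example, not OpenJPEG's code and not the project's fix or root-cause analysis for this issue: a hypothetical `ycc420_img` structure and a converter that validates the chroma plane dimensions before indexing them, so that an inconsistent input is rejected instead of read out of bounds. The image type, the functions and the 3x3 sample data are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical planar YCbCr 4:2:0 image. Chroma dimensions are carried per
 * plane, as a decoder records per component; this is NOT OpenJPEG's
 * opj_image_t and the check below is NOT the project's fix for this issue. */
typedef struct {
    int w, h;       /* luma (and output) dimensions */
    int cw, ch;     /* dimensions the chroma planes were actually allocated with */
    const int *y;   /* w * h samples */
    const int *cb;  /* cw * ch samples */
    const int *cr;  /* cw * ch samples */
} ycc420_img;

static uint8_t clamp8(int v)
{
    return (uint8_t)(v < 0 ? 0 : (v > 255 ? 255 : v));
}

/* Convert to packed RGB (3 * w * h bytes). Returns 0 on success, -1 if the
 * chroma planes are too small for a 4:2:0 layout of w x h; in that case
 * nothing is read from the sample buffers. */
int ycc420_to_rgb_checked(const ycc420_img *img, uint8_t *rgb)
{
    /* Each chroma sample covers a 2x2 luma block; odd luma dimensions still
     * need a chroma sample for the last column/row, so round up. */
    int need_cw = (img->w + 1) / 2;
    int need_ch = (img->h + 1) / 2;

    if (img->w <= 0 || img->h <= 0 || img->cw < need_cw || img->ch < need_ch)
        return -1;

    for (int j = 0; j < img->h; j++) {
        for (int i = 0; i < img->w; i++) {
            int yv = img->y[(size_t)j * img->w + i];
            /* Chroma index uses the chroma plane's own stride, not the luma width. */
            size_t ci = (size_t)(j / 2) * (size_t)img->cw + (size_t)(i / 2);
            int u = img->cb[ci] - 128;
            int v = img->cr[ci] - 128;
            /* Fixed-point BT.601 full-range coefficients, 16 fractional bits. */
            uint8_t *px = rgb + ((size_t)j * img->w + i) * 3;
            px[0] = clamp8(yv + ((91881 * v) >> 16));
            px[1] = clamp8(yv - ((22554 * u + 46802 * v) >> 16));
            px[2] = clamp8(yv + ((116130 * u) >> 16));
        }
    }
    return 0;
}

/* Constructed sample: a 3x3 luma plane (odd size, so it needs 2x2 chroma) with
 * neutral chroma except the bottom-right chroma sample, which is reddish. */
static const int sample_y[9]  = {128, 128, 128, 128, 128, 128, 128, 128, 128};
static const int sample_cb[4] = {128, 128, 128, 128};
static const int sample_cr[4] = {128, 128, 128, 200};

/* Run the converter on the sample, declaring the chroma planes as cw x ch.
 * Returns the converter's result code (0 = converted, -1 = rejected). */
int sample_result(int cw, int ch)
{
    uint8_t rgb[27];
    ycc420_img img = {3, 3, cw, ch, sample_y, sample_cb, sample_cr};
    return ycc420_to_rgb_checked(&img, rgb);
}

/* Red channel of pixel (2,2) when the planes are declared correctly (2x2). */
int sample_red_at_corner(void)
{
    uint8_t rgb[27];
    ycc420_img img = {3, 3, 2, 2, sample_y, sample_cb, sample_cr};
    if (ycc420_to_rgb_checked(&img, rgb) != 0)
        return -1;
    return rgb[(2 * 3 + 2) * 3];
}

int main(void)
{
    printf("2x2 chroma: rc=%d, corner red=%d\n",
           sample_result(2, 2), sample_red_at_corner());
    printf("1x1 chroma (too small for 3x3 luma): rc=%d\n", sample_result(1, 1));
    return 0;
}
```

The check is deliberately placed before the loop and derived from the luma dimensions the loop will actually iterate over, so the converter's assumption (one chroma sample per 2x2 luma block, rounded up) is enforced against the plane sizes it was handed rather than trusted. Building such a harness with `-fsanitize=address`, as the report does, is the quickest way to confirm that the rejected case performs no out-of-bounds read.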