uclouvain/openjpeg

heap-buffer-overflow /openjpeg/src/bin/common/color.c:314 in sycc420_to_rgb()

13579and2468 opened this issue · 0 comments

Expected behavior and actual behavior.

Expect running without heap-buffer-overflow.

Steps to reproduce the problem.

build with AddressSanitizer

$ git clone https://github.com/uclouvain/openjpeg.git
$ cd openjpeg
$ mkdir build
$ cd build
$ CFLAGS='-fsanitize=address -g3' CXXFLAGS='-fsanitize=address -g3' cmake ..
$ CFLAGS='-fsanitize=address -g3' CXXFLAGS='-fsanitize=address -g3' make

run with AddressSanitizer

$ ./bin/opj_decompress -o ./tmp/a.ppm -r 5 -i poc.jpg

===========================================
The extension of this file is incorrect.
FOUND .jpg. SHOULD BE .j2k or .jpc or .j2c or .jhc
===========================================

[INFO] Start to read j2k main header (0).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Header of tile 49 / 256 has been read.
[INFO] Tile 49/256 has been decoded.
[INFO] Image data has been updated with tile 49.

=================================================================
==36806==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fab83eb3800 at pc 0x56281db9c67d bp 0x7ffd67b60c60 sp 0x7ffd67b60c50
READ of size 4 at 0x7fab83eb3800 thread T0
    #0 0x56281db9c67c in sycc420_to_rgb /home/oceane/fuzz/report/openjpeg/src/bin/common/color.c:314
    #1 0x56281db9d901 in color_sycc_to_rgb /home/oceane/fuzz/report/openjpeg/src/bin/common/color.c:416
    #2 0x56281db78ade in main /home/oceane/fuzz/report/openjpeg/src/bin/jp2/opj_decompress.c:1629
    #3 0x7fab92dfe0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
    #4 0x56281db6ef0d in _start (/home/oceane/fuzz/report/openjpeg/build/bin/opj_decompress+0x9f0d)

0x7fab83eb3800 is located 0 bytes to the right of 37748736-byte region [0x7fab81ab3800,0x7fab83eb3800)
allocated by thread T0 here:
    #0 0x7fab9342c6e5 in __interceptor_posix_memalign ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:217
    #1 0x7fab932e906a in opj_aligned_alloc_n /home/oceane/fuzz/report/openjpeg/src/lib/openjp2/opj_malloc.c:61
    #2 0x7fab932e92a6 in opj_aligned_malloc /home/oceane/fuzz/report/openjpeg/src/lib/openjp2/opj_malloc.c:209
    #3 0x7fab9324d460 in opj_image_data_alloc /home/oceane/fuzz/report/openjpeg/src/lib/openjp2/openjpeg.c:1130
    #4 0x7fab9321fb13 in opj_j2k_update_image_data /home/oceane/fuzz/report/openjpeg/src/lib/openjp2/j2k.c:10137
    #5 0x7fab9322c5f2 in opj_j2k_decode_tiles /home/oceane/fuzz/report/openjpeg/src/lib/openjp2/j2k.c:11743
    #6 0x7fab93218ab9 in opj_j2k_exec /home/oceane/fuzz/report/openjpeg/src/lib/openjp2/j2k.c:9032
    #7 0x7fab9322e867 in opj_j2k_decode /home/oceane/fuzz/report/openjpeg/src/lib/openjp2/j2k.c:12036
    #8 0x7fab9324b58f in opj_decode /home/oceane/fuzz/report/openjpeg/src/lib/openjp2/openjpeg.c:521
    #9 0x56281db782d6 in main /home/oceane/fuzz/report/openjpeg/src/bin/jp2/opj_decompress.c:1582
    #10 0x7fab92dfe0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/oceane/fuzz/report/openjpeg/src/bin/common/color.c:314 in sycc420_to_rgb
==36806==ABORTING

Operating system

$ uname -a
Linux lab117 5.15.0-57-generic #63~20.04.1-Ubuntu SMP Wed Nov 30 13:40:16 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

openjpeg version

$ git log --oneline -1
2d606701 (HEAD -> master, origin/master, origin/HEAD) Merge pull request #1448 from rouault/fix_1447

$ ./bin/opj_decompress -h

This is the opj_decompress utility from the OpenJPEG project.
It decompresses JPEG 2000 codestreams to various image formats.
It has been compiled against openjp2 library v2.5.0.
(ignore ...)

poc

poc.jpg
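The trace above shows a 4-byte read exactly at the end of a component buffer allocated by opj_image_data_alloc, inside the 4:2:0 sYCC-to-RGB loop. The report does not identify the root cause, and the OpenJPEG code is not reproduced here; the following is an added, self-contained example of the precondition such a conversion relies on (chroma planes sized ceil(luma/2) and every plane backed by at least w*h samples), expressed against a simplified stand-in struct (plane_t, assumed, not the real opj_image_comp_t) so it can be compiled on its own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for the fields a 4:2:0 conversion reads.
 * Assumption for this example: not OpenJPEG's opj_image_comp_t. */
typedef struct {
    uint32_t w, h;     /* plane width/height in samples */
    uint32_t dx, dy;   /* horizontal/vertical subsampling factors */
    size_t   nsamples; /* samples actually allocated behind the plane */
} plane_t;

/* Chroma extent for 4:2:0 is the luma extent halved, rounded up. */
static uint32_t half_up(uint32_t v) { return (v + 1) / 2; }

/* Returns 1 when the planes satisfy what a loop indexing Cb/Cr by
 * (row/2, col/2) of the luma plane assumes, 0 otherwise. Any mismatch
 * (wrong subsampling, short chroma plane, under-allocated buffer) would
 * let that loop read past a buffer, which is the failure class in the
 * ASan report. Defensive precondition only, not the project's fix. */
int sycc420_planes_consistent(const plane_t *y, const plane_t *cb,
                              const plane_t *cr)
{
    if (y->dx != 1 || y->dy != 1 || cb->dx != 2 || cb->dy != 2 ||
        cr->dx != 2 || cr->dy != 2)
        return 0;
    if (cb->w != half_up(y->w) || cb->h != half_up(y->h)) return 0;
    if (cr->w != cb->w || cr->h != cb->h) return 0;
    const plane_t *p[3] = { y, cb, cr };
    for (int i = 0; i < 3; i++) {
        /* guard the w*h multiply before comparing against the allocation */
        if (p[i]->w != 0 && p[i]->h > SIZE_MAX / p[i]->w) return 0;
        if ((size_t)p[i]->w * p[i]->h > p[i]->nsamples) return 0;
    }
    return 1;
}

/* Helper: luma yw x yh, two identical chroma planes cw x ch with
 * chroma_alloc samples each (constructed values, no image decoded). */
int check_420(uint32_t yw, uint32_t yh, uint32_t cw, uint32_t ch,
              size_t chroma_alloc)
{
    plane_t y  = { yw, yh, 1, 1, (size_t)yw * yh };
    plane_t cb = { cw, ch, 2, 2, chroma_alloc };
    plane_t cr = cb;
    return sycc420_planes_consistent(&y, &cb, &cr);
}

int main(void)
{
    /* odd luma size: chroma must be ceil(1921/2) x ceil(1081/2) */
    printf("961x541 ok: %d\n", check_420(1921, 1081, 961, 541, 961u * 541u));
    printf("961x540 short: %d\n", check_420(1921, 1081, 961, 540, 961u * 540u));
    return 0;
}
```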