
Heap-buffer-overflow in opj_t2_read_packet_header #389

Closed
gcode-importer opened this issue Sep 17, 2014 · 12 comments

Comments

@gcode-importer

Originally reported on Google Code with ID 389

issue 407964: Heap-buffer-overflow in opj_t2_read_packet_header
    http://code.google.com/p/chromium/issues/detail?id=407964

Reported by detonin on 2014-09-17 08:55:30

@gcode-importer

Reported by detonin on 2014-09-17 08:56:27

  • Labels added: Restrict-View-CoreTeam

@gcode-importer

Reported by detonin on 2014-09-17 09:02:59

  • Labels added: Type-Defect, Priority-Critical

@gcode-importer

Reported by detonin on 2014-09-17 09:17:09

  • Labels added: OpjVersion-2.x

@gcode-importer

Tested on:

OS: Ubuntu 12.04

Chromium: 39.0.2137.0 (Developer Build bce0267e0d1a) 


ASAN-trace:

Error : expected SOP marker
=================================================================
==16208==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63300008b3ce at
pc 0x0000007c8e17 bp 0x7fff74299870 sp 0x7fff74299868
READ of size 1 at 0x63300008b3ce thread T0
    #0 0x7c8e16 in opj_t2_read_packet_header /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/t2.c:1050
    #1 0x7c6edb in opj_t2_decode_packet /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/t2.c:513
    #2 0x7c68b5 in opj_t2_decode_packets /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/t2.c:399
    #3 0x770895 in opj_tcd_t2_decode /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/tcd.c:1487
    #4 0x7706dc in opj_tcd_decode_tile /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/tcd.c:1230
    #5 0x740b7f in opj_j2k_decode_tile /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/j2k.c:7661
    #6 0x7516f0 in opj_j2k_decode_tiles /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/j2k.c:9177
    #7 0x73d701 in opj_j2k_exec /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/j2k.c:7048
    #8 0x7457e0 in opj_j2k_decode /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/j2k.c:9368
    #9 0x6651a9 in opj_jp2_decode /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxcodec/fx_libopenjpeg/src/../libopenjpeg20/jp2.c:1332
    #10 0x65a949 in CJPX_Decoder::Init(unsigned char const*, int) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:630
    #11 0x65bfaf in CCodec_JpxModule::CreateDecoder(unsigned char const*, unsigned int, int) /b/build/slave/ASAN_Release__symbolized_/build/src/out/Release/../../third_party/pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:770
.
.
.

Reported by detonin on 2014-09-19 07:18:52


- _Attachment: [radamsa-0.2.3-1.pdf](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-389/comment-4/radamsa-0.2.3-1.pdf)_

@gcode-importer

Attached a script to extract JP2 from PDF in Python, plus the corrupted JP2 for this issue.

Output of opj_decompress:

$ opj_decompress.exe -i ~/data/opj/issues/issue389/0.jp2 -o ~/data/opj/issues/issue389/0.png

[INFO] Start to read j2k main header (85).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Header of tile 0 / 1 has been read.
Expected SOP marker
Error : expected SOP marker
Error : expected EPH marker
read: segment too long (4) with max (0) for codeblock 0 (p=0, b=1, r=5, c=1)
[ERROR] Failed to decode.
[ERROR] Failed to decode tile 1/2
[ERROR] Failed to decode the codestream in the JP2 file
ERROR -> opj_decompress: failed to decode image!

Reported by detonin on 2014-09-19 15:58:05


- _Attachment: [extractjp2.py](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-389/comment-5/extractjp2.py)_
- _Attachment: [0.jp2](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-389/comment-5/0.jp2)_
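A triage helper in the spirit of the attached extractjp2.py, written here as an added example (it is neither the attached script nor OpenJPEG code): it pulls every `/JPXDecode` stream out of a PDF so the JP2 can be handed to `opj_decompress` directly, as done above. It assumes plain, uncompressed PDF objects (no object streams); the sample PDF bytes and the `SAMPLE_PDF` name are constructed for the example.

```python
import re
import sys

# Constructed sample: a minimal PDF-like byte string holding one /JPXDecode
# image stream (payload is only the 12-byte JP2 signature box, not a real
# image) plus one unrelated Flate stream that must be ignored.
JP2_SIGNATURE = b"\x00\x00\x00\x0cjP  \r\n\x87\n"
SAMPLE_PDF = (
    b"%PDF-1.5\n1 0 obj\n<< /Type /XObject /Subtype /Image /Width 1 /Height 1"
    b" /Filter /JPXDecode /Length 12 >>\nstream\n" + JP2_SIGNATURE +
    b"\nendstream\nendobj\n2 0 obj\n<< /Length 5 /Filter /FlateDecode >>\n"
    b"stream\nhello\nendstream\nendobj\n%%EOF\n"
)

STREAM_KW = re.compile(rb"(?<!end)stream\r?\n")
# direct /Length only; an indirect "/Length 12 0 R" is rejected by the lookahead
DIRECT_LEN = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")


def strip_one_eol(body: bytes) -> bytes:
    """Drop the single EOL that precedes 'endstream'. Only one byte pair is
    removed: the JP2 signature box itself ends in 0x0A, so rstrip() would
    corrupt the extracted file."""
    if body.endswith(b"\r\n"):
        return body[:-2]
    if body[-1:] in (b"\n", b"\r"):
        return body[:-1]
    return body


def looks_like_jp2(data: bytes) -> bool:
    """JP2 file (signature box) or bare J2K codestream (SOC + SIZ markers)."""
    return data.startswith(JP2_SIGNATURE) or data.startswith(b"\xff\x4f\xff\x51")


def extract_jpx_streams(pdf: bytes) -> list:
    """Return the raw bytes of every /JPXDecode stream in pdf (plain objects)."""
    found = []
    for m in STREAM_KW.finditer(pdf):
        obj = pdf.rfind(b" obj", 0, m.start())        # start of this object
        sdict = pdf[obj:m.start()] if obj >= 0 else b""
        if b"/JPXDecode" not in sdict:
            continue
        start = m.end()
        length = DIRECT_LEN.search(sdict)
        end = start + int(length.group(1)) if length else -1
        # fall back to the keyword when /Length is indirect or inconsistent
        if end < 0 or pdf.find(b"endstream", end, end + 12) < 0:
            end = pdf.find(b"endstream", start)
            if end < 0:
                continue
            found.append(strip_one_eol(pdf[start:end]))
        else:
            found.append(pdf[start:end])
    return found


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    for i, blob in enumerate(extract_jpx_streams(data)):
        with open(f"{i}.jp2", "wb") as f:      # same 0.jp2 naming as the thread
            f.write(blob)
        print(i, len(blob), "bytes", "jp2" if looks_like_jp2(blob) else "unknown")
```

Streams inside compressed object streams are not seen by this scan; inflate them first if a PDF yields no hits.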

@gcode-importer

Antonin,

I came up with the patch attached.
This doesn't help to get a proper decoding as Kakadu does, but no more overflows.
Shall fix the valgrind error reported in issue 295 as well.



Reported by mayeut on 2014-09-20 11:20:00


- _Attachment: [issue389.patch](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-389/comment-6/issue389.patch)_

@gcode-importer

Antonin,

Could you please review & apply?

Reported by mayeut on 2014-09-27 13:20:18

  • Status changed: Verified

@gcode-importer

+ cc Bo Xu from Foxit 

... so that you can follow what happens on these issues.

Reported by detonin on 2014-09-28 21:18:37

@gcode-importer

kdu_expand -i ../../data/issue389/0.jp2 -o 0.bmp

Consumed 2 tile-part(s) from a total of 2 tile(s).
Consumed 110,407 codestream bytes (excluding any file format) = 1.179209
bits/pel.
Processed using the multi-threaded environment, with
    2 parallel threads of execution

Reported by mayeut on 2014-09-29 19:52:37


- _Attachment: [0.bmp](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-389/comment-9/0.bmp)_

@gcode-importer

Thanks Matthieu

updated by r2888

Overflow should not occur anymore but this has to be validated with ASan and pdfium.

Kakadu correctly decodes the image so another (public) issue has to be created to fix this once we are sure this overflow issue is fixed.

Reported by detonin on 2014-09-30 09:30:14

@gcode-importer

Update PDFium to r2891 and this is fixed :)

Reported by [email protected] on 2014-09-30 17:27:30

@gcode-importer

Reported by detonin on 2014-10-01 10:03:39

  • Status changed: Fixed
