Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Segmentation Faults #940

Closed
rwhitworth opened this issue May 24, 2017 · 3 comments
Closed

Segmentation Faults #940

rwhitworth opened this issue May 24, 2017 · 3 comments
Labels
bug

Comments

@rwhitworth
Copy link

Hello, I was using American Fuzzy Lop (afl-fuzz) to fuzz input to the opj_decompress program on Linux. Is fixing the crashes from these input files something you're interested in? The input files can be found here: https://github.com/rwhitworth/openjpeg-fuzz/tree/master/2017-05-23.

The files can be executed as opj_decompress -i id_filename -o /tmp/output.tif to cause segmentation faults. The version of opj_decompress was from commit 83d7a6d.

The two files from that repo to investigate are:
id:000034,sig:11,src:003240,op:flip1,pos:22
id:000167,sig:11,src:006079,op:havoc,rep:4

Each looks to be a different root cause. Valgrind output to follow.

Let me know if I can provide any more information to help narrow down this issue.
@rwhitworth
Copy link
Author

id:000034,sig:11,src:003240,op:flip1,pos:22:

==4116994== Memcheck, a memory error detector
==4116994== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==4116994== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==4116994== Command: /root/openjpeg/build/bin/opj_decompress -i id:000034,sig:11,src:003240,op:flip1,pos:22 -o /tmp/output.tif
==4116994==
===========================================
The extension of this file is incorrect.
FOUND s:22. SHOULD BE .j2k or .jpc or .j2c
===========================================
==4116994== Invalid read of size 2
==4116994==    at 0x4EA0481: opj_pi_next_lrcp (pi.c:262)
==4116994==    by 0x4EA0481: opj_pi_next (pi.c:1930)
==4116994==    by 0x4ED027F: opj_t2_decode_packets (t2.c:424)
==4116994==    by 0x4EDA616: opj_tcd_t2_decode (tcd.c:1636)
==4116994==    by 0x4EDA616: opj_tcd_decode_tile (tcd.c:1386)
==4116994==    by 0x4E5EFD0: opj_j2k_decode_tile (j2k.c:8604)
==4116994==    by 0x4E76DDA: opj_j2k_decode_tiles (j2k.c:10303)
==4116994==    by 0x4E5B09D: opj_j2k_exec (j2k.c:7783)
==4116994==    by 0x4E63055: opj_j2k_decode (j2k.c:10522)
==4116994==    by 0x4E966B4: opj_decode (openjpeg.c:441)
==4116994==    by 0x406312: main (opj_decompress.c:1435)
==4116994==  Address 0x5f2407e is 14 bytes inside a block of size 32 free'd
==4116994==    at 0x4C29E90: free (vg_replace_malloc.c:473)
==4116994==    by 0x4EE3CDA: opj_free (opj_malloc.c:239)
==4116994==    by 0x4E40403: opj_bio_destroy (bio.c:138)
==4116994==    by 0x4ED21F5: opj_t2_read_packet_header (t2.c:1114)
==4116994==    by 0x4ECF1B9: opj_t2_decode_packet (t2.c:563)
==4116994==    by 0x4ECF1B9: opj_t2_decode_packets (t2.c:437)
==4116994==    by 0x4EDA616: opj_tcd_t2_decode (tcd.c:1636)
==4116994==    by 0x4EDA616: opj_tcd_decode_tile (tcd.c:1386)
==4116994==    by 0x4E5EFD0: opj_j2k_decode_tile (j2k.c:8604)
==4116994==    by 0x4E76DDA: opj_j2k_decode_tiles (j2k.c:10303)
==4116994==    by 0x4E5B09D: opj_j2k_exec (j2k.c:7783)
==4116994==    by 0x4E63055: opj_j2k_decode (j2k.c:10522)
==4116994==    by 0x4E966B4: opj_decode (openjpeg.c:441)
==4116994==    by 0x406312: main (opj_decompress.c:1435)
==4116994==
==4116994== Invalid write of size 2
==4116994==    at 0x4EA05A9: opj_pi_next_lrcp (pi.c:263)
==4116994==    by 0x4EA05A9: opj_pi_next (pi.c:1930)
==4116994==    by 0x4ED027F: opj_t2_decode_packets (t2.c:424)
==4116994==    by 0x4EDA616: opj_tcd_t2_decode (tcd.c:1636)
==4116994==    by 0x4EDA616: opj_tcd_decode_tile (tcd.c:1386)
==4116994==    by 0x4E5EFD0: opj_j2k_decode_tile (j2k.c:8604)
==4116994==    by 0x4E76DDA: opj_j2k_decode_tiles (j2k.c:10303)
==4116994==    by 0x4E5B09D: opj_j2k_exec (j2k.c:7783)
==4116994==    by 0x4E63055: opj_j2k_decode (j2k.c:10522)
==4116994==    by 0x4E966B4: opj_decode (openjpeg.c:441)
==4116994==    by 0x406312: main (opj_decompress.c:1435)
==4116994==  Address 0x5f2407e is 14 bytes inside a block of size 32 free'd
==4116994==    at 0x4C29E90: free (vg_replace_malloc.c:473)
==4116994==    by 0x4EE3CDA: opj_free (opj_malloc.c:239)
==4116994==    by 0x4E40403: opj_bio_destroy (bio.c:138)
==4116994==    by 0x4ED21F5: opj_t2_read_packet_header (t2.c:1114)
==4116994==    by 0x4ECF1B9: opj_t2_decode_packet (t2.c:563)
==4116994==    by 0x4ECF1B9: opj_t2_decode_packets (t2.c:437)
==4116994==    by 0x4EDA616: opj_tcd_t2_decode (tcd.c:1636)
==4116994==    by 0x4EDA616: opj_tcd_decode_tile (tcd.c:1386)
==4116994==    by 0x4E5EFD0: opj_j2k_decode_tile (j2k.c:8604)
==4116994==    by 0x4E76DDA: opj_j2k_decode_tiles (j2k.c:10303)
==4116994==    by 0x4E5B09D: opj_j2k_exec (j2k.c:7783)
==4116994==    by 0x4E63055: opj_j2k_decode (j2k.c:10522)
==4116994==    by 0x4E966B4: opj_decode (openjpeg.c:441)
==4116994==    by 0x406312: main (opj_decompress.c:1435)
==4116994==
ERROR -> opj_decompress: failed to decode image!
[INFO] Start to read j2k main header (0).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Header of tile 1 / 1 has been read.
[ERROR] skip: segment too long (18) with max (59) for codeblock 0 (p=0, b=0, r=26, c=1)
[ERROR] Failed to decode.
[ERROR] Failed to decode tile 1/1
==4116994==
==4116994== HEAP SUMMARY:
==4116994==     in use at exit: 0 bytes in 0 blocks
==4116994==   total heap usage: 245 allocs, 245 frees, 1,320,291 bytes allocated
==4116994==
==4116994== All heap blocks were freed -- no leaks are possible
==4116994==
==4116994== For counts of detected and suppressed errors, rerun with: -v
==4116994== ERROR SUMMARY: 25 errors from 2 contexts (suppressed: 0 from 0)

id:000167,sig:11,src:006079,op:havoc,rep:4:

==4130873== Memcheck, a memory error detector
==4130873== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==4130873== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==4130873== Command: /root/openjpeg/build/bin/opj_decompress -i id:000167,sig:11,src:006079,op:havoc,rep:4 -o /tmp/output.tif
==4130873==
===========================================
The extension of this file is incorrect.
FOUND ep:4. SHOULD BE .j2k or .jpc or .j2c
===========================================
==4130873== Invalid read of size 4
==4130873==    at 0x41ED3E: sycc422_to_rgb (color.c:201)
==4130873==    by 0x41ED3E: color_sycc_to_rgb (color.c:423)
==4130873==    by 0x40661F: main (opj_decompress.c:1481)
==4130873==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==4130873==
==4130873==
==4130873== Process terminating with default action of signal 11 (SIGSEGV)
==4130873==  Access not within mapped region at address 0x0
==4130873==    at 0x41ED3E: sycc422_to_rgb (color.c:201)
==4130873==    by 0x41ED3E: color_sycc_to_rgb (color.c:423)
==4130873==    by 0x40661F: main (opj_decompress.c:1481)
==4130873==  If you believe this happened as a result of a stack
==4130873==  overflow in your program's main thread (unlikely but
==4130873==  possible), you can try to increase the size of the
==4130873==  main thread stack using the --main-stacksize= flag.
==4130873==  The main thread stack size used in this run was 8388608.
[INFO] Start to read j2k main header (0).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
==4130873==
==4130873== HEAP SUMMARY:
==4130873==     in use at exit: 774,176 bytes in 35 blocks
==4130873==   total heap usage: 40 allocs, 5 frees, 1,825,008 bytes allocated
==4130873==
==4130873== LEAK SUMMARY:
==4130873==    definitely lost: 0 bytes in 0 blocks
==4130873==    indirectly lost: 0 bytes in 0 blocks
==4130873==      possibly lost: 0 bytes in 0 blocks
==4130873==    still reachable: 774,176 bytes in 35 blocks
==4130873==         suppressed: 0 bytes in 0 blocks
==4130873== Rerun with --leak-check=full to see details of leaked memory
==4130873==
==4130873== For counts of detected and suppressed errors, rerun with: -v
==4130873== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

@szukw000
Copy link
Contributor

@rwhitworth ,

See: #882

opj_decompress -i id_000004,sig_06,src_000679,op_arith8,pos_49,val_-17 -o test.png

[INFO] Start to read j2k main header (0).
[ERROR] Invalid precision and/or sgnd values for comp[2]:
[0] prec(18) sgnd(1) [2] prec(5) sgnd(1)
[ERROR] Marker handler function failed to read the marker segment
ERROR -> opj_decompress: failed to read the header

opj_decompress -i id_000019,sig_08,src_001098,op_flip1,pos_49 -o test.png

[INFO] Start to read j2k main header (0).
[ERROR] Invalid precision and/or sgnd values for comp[2]:
[0] prec(18) sgnd(1) [2] prec(5) sgnd(1)
[ERROR] Marker handler function failed to read the marker segment
ERROR -> opj_decompress: failed to read the header

opj_decompress -i id_000020,sig_06,src_001958,op_flip4,pos_149 -o test.png

[INFO] Start to read j2k main header (0).
[ERROR] Invalid precision and/or sgnd values for comp[1]:
[0] prec(2) sgnd(1) [1] prec(18) sgnd(1)
[ERROR] Marker handler function failed to read the marker segment
ERROR -> opj_decompress: failed to read the header

opj_decompress -i id_000026,sig_08,src_002419,op_int32,pos_60,val_+32 -o test.png

[INFO] Start to read j2k main header (0).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Psot value of the current tile-part is equal to zero, we assuming it is the last tile-part of the codestream.
[INFO] Header of tile 1 / 1 has been read.
[INFO] Tile 1/1 has been decoded.
[INFO] Image data has been updated with tile 1.

/sources/LIB/IMAGE_FORMATS/OPENJPEG/VERSION-2.2/openjpeg2-2017-05-11-1/src/bin/common/color.c:350:color_sycc_to_rgb
CAN NOT CONVERT
imagetopng: All components shall have the same subsampling, same bit depth, same sign.
Aborting
[ERROR] Error generating png file. Outfile test.png not generated

opj_decompress -i id_000034,sig_11,src_003240,op_flip1,pos_22 -o test.png

[INFO] Start to read j2k main header (0).
[ERROR] Invalid precision and/or sgnd values for comp[2]:
[0] prec(18) sgnd(1) [2] prec(5) sgnd(1)
[ERROR] Marker handler function failed to read the marker segment
ERROR -> opj_decompress: failed to read the header

opj_decompress -i id_000098,sig_11,src_005411,op_havoc,rep_2 -o test.png

[INFO] Start to read j2k main header (0).
[ERROR] Invalid precision and/or sgnd values for comp[2]:
[0] prec(18) sgnd(1) [2] prec(5) sgnd(1)
[ERROR] Marker handler function failed to read the marker segment
ERROR -> opj_decompress: failed to read the header

opj_decompress -i id_000167,sig_11,src_006079,op_havoc,rep_4 -o test.png

[INFO] Start to read j2k main header (0).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
ERROR -> opj_decompress: failed to decode image!

@rouault
Copy link
Collaborator

rouault commented Jul 29, 2017

Issue on id:000034,sig:11,src:003240,op:flip1,pos:2 no longer reproducible with current master

and issue on id_000167,sig_11,src_006079,op_havoc,rep_4 fixed per 94cc97c

@rouault rouault closed this as completed Jul 29, 2017
@detonin detonin added the bug label Aug 3, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@detonin @rouault @szukw000 @rwhitworth