RealmeIP / openjpeg

Automatically exported from code.google.com/p/openjpeg

missing range check in j2k_read_poc #165

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
This concerns at least version 1.5, not sure about version 2:

The maximum number of progression order changes is limited to 32, however that 
limit is never enforced so that a broken j2k image can lead to a buffer 
overflow if e.g. the len (Lpoc) read in j2k_read_poc is larger than 290.

Original issue reported on code.google.com by zeniko on 22 Aug 2012 at 8:17

GoogleCodeExporter commented 8 years ago
Cf. http://code.google.com/p/sumatrapdf/source/detail?r=6582

Original comment by zeniko on 22 Aug 2012 at 8:22

GoogleCodeExporter commented 8 years ago

Original comment by mathieu.malaterre on 25 Feb 2014 at 3:54

GoogleCodeExporter commented 8 years ago
Would it be possible to have a test dataset for this one?

Original comment by mathieu.malaterre on 28 Feb 2014 at 10:39

GoogleCodeExporter commented 8 years ago
There is a sentinel at line 3165 within opj_j2k_read_poc which checks:

        assert(l_current_poc_nb < 32);

No tests have triggered this, so I am closing the issue. I believe this is 
solved with the current code base.

Original comment by mathieu.malaterre on 3 Mar 2014 at 11:12

GoogleCodeExporter commented 8 years ago
I haven't had a test case for this through any of the fuzzing runs so far, but 
it's been fairly easy to create one (the attached file is 
nonregression/merged.jp2 with a single byte changed).

The fact that none of your files triggers the assertion implies that no sane 
file needs more than 32 POC entries. Without proper code inspection it however 
doesn't mean that no specially crafted file will.

Our fix for this issue: 
https://code.google.com/p/sumatrapdf/source/detail?r=8640

Original comment by zeniko on 5 Mar 2014 at 10:10

Attachments:
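The thread above describes two things: the original parser derived the number of POC entries from Lpoc and wrote them into a fixed table of 32 without checking the count, and the later code relied on `assert(l_current_poc_nb < 32)`, which is compiled out with `NDEBUG` and so is not a range check at all. The following is an added example, not OpenJPEG's code, of how a defensive reader of a POC marker segment enforces the limit explicitly. It assumes the marker layout from ITU-T T.800 Table A.32 (an entry is 7 bytes when Csiz < 257 and 9 bytes otherwise, so 32 nine-byte entries give exactly the Lpoc of 290 quoted in the report); the struct and function names (`poc_parse`, `poc_table_t`, the `demo_*` helpers) and the sample segments are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Upper bound on progression order changes kept per tile (from the report). */
#define POC_MAX_ENTRIES 32

/* One POC entry as laid out in the marker segment (names from T.800). */
typedef struct {
    uint8_t  resno0;   /* RSpoc  */
    uint16_t compno0;  /* CSpoc  (1 or 2 bytes on the wire) */
    uint16_t layno1;   /* LYEpoc */
    uint8_t  resno1;   /* REpoc  */
    uint16_t compno1;  /* CEpoc  (1 or 2 bytes on the wire) */
    uint8_t  prg;      /* Ppoc   (progression order, 0..4) */
} poc_entry_t;

typedef struct {
    poc_entry_t entries[POC_MAX_ENTRIES];
    size_t count;
} poc_table_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse a POC segment. `seg` points at Lpoc (the two bytes right after the
   0xFF5F marker), `avail` is how many bytes remain in the input buffer, `csiz`
   is the component count from SIZ. Returns the entry count or -1 on error.
   Every bound is checked before any write into `out`. */
int poc_parse(const uint8_t *seg, size_t avail, uint16_t csiz, poc_table_t *out)
{
    size_t comp_bytes = (csiz < 257) ? 1 : 2;
    size_t entry_size = 5 + 2 * comp_bytes;        /* 7 or 9 bytes */
    if (avail < 2) return -1;                       /* cannot even read Lpoc */
    uint16_t lpoc = rd16(seg);
    if (lpoc < 2 + entry_size || lpoc > avail) return -1;  /* too short / truncated */
    if ((lpoc - 2) % entry_size != 0) return -1;    /* not a whole number of entries */
    size_t n = (lpoc - 2) / entry_size;
    if (n > POC_MAX_ENTRIES) return -1;             /* the range check the report asked for */

    const uint8_t *p = seg + 2;
    for (size_t i = 0; i < n; i++) {
        poc_entry_t *e = &out->entries[i];
        e->resno0  = p[0];                                   p += 1;
        e->compno0 = (comp_bytes == 1) ? p[0] : rd16(p);     p += comp_bytes;
        e->layno1  = rd16(p);                                p += 2;
        e->resno1  = p[0];                                   p += 1;
        e->compno1 = (comp_bytes == 1) ? p[0] : rd16(p);     p += comp_bytes;
        e->prg     = p[0];                                   p += 1;
        if (e->prg > 4) return -1;                  /* only five progression orders exist */
    }
    out->count = n;
    return (int)n;
}

/* Constructed sample: a well-formed POC with two 7-byte entries for a
   3-component image, Lpoc = 2 + 2*7 = 16. Expected result: 2. */
int demo_valid_segment(void)
{
    uint8_t seg[16] = { 0x00, 0x10,
        0, 0, 0x00, 0x01, 6, 3, 0,   /* RSpoc=0 CSpoc=0 LYEpoc=1 REpoc=6 CEpoc=3 Ppoc=0 */
        0, 0, 0x00, 0x02, 6, 3, 1 }; /* second entry, Ppoc=1 */
    poc_table_t t;
    return poc_parse(seg, sizeof seg, 3, &t);
}

/* Constructed sample reproducing the report: with 9-byte entries a crafted
   Lpoc of 299 (> 290) declares 33 entries, one past the 32-entry table.
   An unchecked loop would write beyond `entries`; here the result is -1. */
int demo_oversized_segment(void)
{
    uint8_t seg[2 + 33 * 9];
    memset(seg, 0, sizeof seg);
    seg[0] = 299 >> 8; seg[1] = 299 & 0xff;
    poc_table_t t;
    return poc_parse(seg, sizeof seg, 300, &t);
}

/* Constructed sample: Lpoc claims 16 bytes but only 10 are left in the
   buffer, so the segment is rejected instead of read past its end. */
int demo_truncated_segment(void)
{
    uint8_t seg[10] = { 0x00, 0x10, 0, 0, 0, 1, 6, 3, 0, 0 };
    poc_table_t t;
    return poc_parse(seg, sizeof seg, 3, &t);
}

int main(void)
{
    printf("valid: %d oversized: %d truncated: %d\n",
           demo_valid_segment(), demo_oversized_segment(), demo_truncated_segment());
    return 0;
}
```

The check on `n` is an ordinary runtime branch that returns an error, so it survives release builds where `assert` is compiled away, and the other two checks (Lpoc against the remaining buffer, and Lpoc being a whole number of entries) close the neighbouring ways a crafted length field can push a reader past its input.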

GoogleCodeExporter commented 8 years ago
Issue 280 has been merged into this issue.

Original comment by mathieu.malaterre on 14 Mar 2014 at 2:50

GoogleCodeExporter commented 8 years ago
Thanks for the reminder (280) and the file to reproduce (makes my life so much 
easier!)

Original comment by mathieu.malaterre on 14 Mar 2014 at 2:50

GoogleCodeExporter commented 8 years ago

Original comment by mathieu.malaterre on 14 Mar 2014 at 2:50

GoogleCodeExporter commented 8 years ago
This issue was updated by revision r2742.

Original comment by mathieu.malaterre on 14 Mar 2014 at 2:55

GoogleCodeExporter commented 8 years ago
This issue was closed by revision r2743.

Original comment by mathieu.malaterre on 14 Mar 2014 at 3:01