Double free in j2k_read_ppm_v3 parsing ((presumably invalid) image.

Hi. I thought I'd reported this but don't appear to have, so apologies if this 
is a duplicate. There's a double-free in j2k_read_ppm_v3 when trying to decode 
the attached fuzzer-produced file. It calls realloc() with a zero size and on 
Linux with glibc, that causes realloc to free the buffer and return NULL. The 
code in j2k_read_ppm_v3 then interprets this as realloc failing because it 
couldn't allocate any memory and tries to free the buffer again, causing a 
crash. It's not exploitable for anything beyond that but could be a little 
annoying.

Tested with svn r3004 on Linux x86-64:

==12952== Command: bin/opj_decompress -i 
openjpeg-svn-id000023svn-double-free-j2k_read_ppm_v3.jp2 -o test.raw
==12952== 

[INFO] Start to read j2k main header (85).
==12952== Invalid free() / delete / delete[] / realloc()
==12952==    at 0x4C2D53B: free (vg_replace_malloc.c:473)
==12952==    by 0x4E4A53B: j2k_read_ppm_v3 (j2k.c:3759)
==12952==    by 0x4E4B119: opj_j2k_read_header_procedure (j2k.c:7250)
==12952==    by 0x4E48588: opj_j2k_exec (j2k.c:7318)
==12952==    by 0x4E4CD98: opj_j2k_read_header (j2k.c:6813)
==12952==    by 0x10B71A: main (opj_decompress.c:1253)
==12952==  Address 0x65e1b80 is 0 bytes after a block of size 0 free'd
==12952==    at 0x4C2D53B: free (vg_replace_malloc.c:473)
==12952==    by 0x4C2E799: realloc (vg_replace_malloc.c:692)
==12952==    by 0x4E4A2C1: j2k_read_ppm_v3 (j2k.c:3733)
==12952==    by 0x4E4B119: opj_j2k_read_header_procedure (j2k.c:7250)
==12952==    by 0x4E48588: opj_j2k_exec (j2k.c:7318)
==12952==    by 0x4E4CD98: opj_j2k_read_header (j2k.c:6813)
==12952==    by 0x10B71A: main (opj_decompress.c:1253)

Original issue reported on code.google.com by makos...@gmail.com on 28 May 2015 at 9:45

Attachments:

openjpeg-svn-id000023svn-double-free-j2k_read_ppm_v3.jp2

dawnminghuang / openjpeg

Double free in j2k_read_ppm_v3 parsing ((presumably invalid) image. #496