uclouvain / openjpeg

Official repository of the OpenJPEG project

SIGILL openjpeg-2.5.0/src/lib/openjp2/dwt.c:385 in opj_idwt53_h_cas0() #1501

Open schsiung opened 8 months ago

schsiung commented 8 months ago

Expected behavior and actual behavior.

Expect POC_openjpeg-2.5.0.tar.gz to run without signal SIGILL.

Steps to reproduce the problem.

1. `./opj_decompress -i id:000001.jp2 -o 2.pgm`

   ```
   [AFL++ 4547ba12d0d6] /data/openeuler/openjpeg2/openjpeg-2.5.0/build/bin # ./opj_decompress -i /data/openeuler/openjpeg2/openjpeg-2.5.0/tests/fuzzers/id:000001.jp2  -o 2.pgm
   [INFO] Start to read j2k main header (385).
   [INFO] Main header has been correctly decoded.
   [INFO] No decoded area parameters, set the decoded area to the whole image
   [INFO] Header of tile 1 / 1 has been read.
   Illegal instruction
   [AFL++ 4547ba12d0d6] /data/openeuler/openjpeg2/openjpeg-2.5.0/build/bin #
   ```


2. GDB info: `gdb ./opj_decompress`

   ```
   Starting program: /data/openeuler/openjpeg2/openjpeg-2.5.0/build/obj/bin/opj_decompress -i /data/openeuler/openjpeg2/openjpeg-2.5.0/tests/fuzzers/id:000001.jp2 -o 2.pgm
   [Thread debugging using libthread_db enabled]
   Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
   [INFO] Start to read j2k main header (385).
   [INFO] Main header has been correctly decoded.
   [INFO] No decoded area parameters, set the decoded area to the whole image
   [INFO] Header of tile 1 / 1 has been read.

   Program received signal SIGILL, Illegal instruction.
   0x00007ffff7cdf290 in opj_idwt53_h_cas0 (tmp=0x627000007100, tiledp=0x7ffff6e1ff40, sn=<optimized out>, len=<optimized out>) at /data/openeuler/openjpeg2/openjpeg-2.5.0/src/lib/openjp2/dwt.c:385
   385             s0n = s1n - ((d1c + d1n + 2) >> 2);
   (gdb) bt
   #0  0x00007ffff7cdf290 in opj_idwt53_h_cas0 (tmp=0x627000007100, tiledp=0x7ffff6e1ff40, sn=<optimized out>, len=<optimized out>)
       at /data/openeuler/openjpeg2/openjpeg-2.5.0/src/lib/openjp2/dwt.c:385
   #1  opj_idwt53_h (dwt=<optimized out>, tiledp=0x7ffff6e1ff40) at /data/openeuler/openjpeg2/openjpeg-2.5.0/src/lib/openjp2/dwt.c:493
   #2  0x00007ffff7cdc084 in opj_dwt_decode_tile (tp=0x608000000020, tilec=<optimized out>, numres=<optimized out>) at /data/openeuler/openjpeg2/openjpeg-2.5.0/src/lib/openjp2/dwt.c:2124
   #3  opj_dwt_decode (p_tcd=<optimized out>, tilec=<optimized out>, numres=<optimized out>) at /data/openeuler/openjpeg2/openjpeg-2.5.0/src/lib/openjp2/dwt.c:1917
   #4  0x00007ffff7f53084 in opj_tcd_dwt_decode (p_tcd=0xc4e00000e45) at /data/openeuler/openjpeg2/openjpeg-2.5.0/src/lib/openjp2/tcd.c:2030
   #5  opj_tcd_decode_tile (p_tcd=0xc4e00000e45, win_x0=<optimized out>, win_y0=<optimized out>, win_x1=<optimized out>, win_y1=<optimized out>, numcomps_to_decode=<optimized out>,
       comps_indices=<optimized out>, p_src=<optimized out>, p_max_length=<optimized out>, p_tile_no=<optimized out>, p_cstr_index=<optimized out>, p_manager=<optimized out>)
       at /data/openeuler/openjpeg2/openjpeg-2.5.0/src/lib/openjp2/tcd.c:1706
   #6  0x00007ffff7d9a8c7 in opj_j2k_decode_tile (p_j2k=<optimized out>, p_tile_index=<optimized out>, p_data=<optimized out>, p_data_size=<optimized out>, p_stream=0x60c000000040,
       p_manager=<optimized out>) at /data/openeuler/openjpeg2/openjpeg-2.5.0/src/lib/openjp2/j2k.c:9862
   #7  0x00007ffff7daea16 in opj_j2k_decode_tiles (p_j2k=<optimized out>, p_stream=<optimized out>, p_manager=<optimized out>) at /data/openeuler/openjpeg2/openjpeg-2.5.0/src/lib/openjp2/j2k.c:11664
   #8  0x00007ffff7d88e71 in opj_j2k_exec (p_j2k=0xc4e00000e45, p_procedure_list=0x602000000030, p_stream=0x627000007100, p_manager=0x134)
       at /data/openeuler/openjpeg2/openjpeg-2.5.0/src/lib/openjp2/j2k.c:9006
   #9  0x00007ffff7dac3f3 in opj_j2k_decode (p_j2k=0x613000000040, p_stream=0x134, p_image=0x604000000090, p_manager=0x14000001)
       at /data/openeuler/openjpeg2/openjpeg-2.5.0/src/lib/openjp2/j2k.c:12010
   #10 0x00007ffff7dea970 in opj_jp2_decode (jp2=0x60f000000040, p_stream=0x627000007100, p_image=0x134, p_manager=0x14000001) at /data/openeuler/openjpeg2/openjpeg-2.5.0/src/lib/openjp2/jp2.c:1607
   #11 0x00005555556878b3 in main (argc=<optimized out>, argv=<optimized out>) at /data/openeuler/openjpeg2/openjpeg-2.5.0/src/bin/jp2/opj_decompress.c:1582
   ```


## Operating system

```
[AFL++ 4547ba12d0d6] /data/openeuler/openjpeg2/openjpeg-2.5.0/tests/fuzzers # uname -a
Linux 4547ba12d0d6 5.15.0-91-generic #101-Ubuntu SMP Tue Nov 14 13:30:08 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
[AFL++ 4547ba12d0d6] /data/openeuler/openjpeg2/openjpeg-2.5.0/tests/fuzzers #
```

## openjpeg version

2.5.0
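
A SIGILL at a line that contains nothing but integer arithmetic, as in the gdb output above, is what a UBSan build with `-fsanitize-undefined-trap-on-error` raises when a signed add or subtract overflows; whether that is the reporter's build is an assumption here, which is what the maintainer's question about build options would settle. As an added example that is not OpenJPEG's code, this simplified inverse 5/3 lifting row with checked arithmetic shows the same update step as dwt.c:385 rejecting out-of-range coefficients instead of trapping, while a constructed well-formed row round-trips:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Inverse 5/3 lifting on one interleaved row (low-pass at even indices, high-pass at
 * odd: the "cas0" layout). Simplified rewrite for illustration, not OpenJPEG's code.
 * Each add/sub goes through the GCC/Clang overflow builtins; on overflow the function
 * returns false instead of letting a trap-mode UBSan build raise SIGILL. */
static bool idwt53_row_checked(int32_t *x, size_t len)
{
    size_t i;
    int32_t t;
    if (len < 2) return true;
    /* Step 1 (the expression at dwt.c:385): x[2i] -= (x[2i-1] + x[2i+1] + 2) >> 2,
     * with symmetric extension at both edges. */
    for (i = 0; i < len; i += 2) {
        int32_t dl = (i == 0) ? x[1] : x[i - 1];
        int32_t dr = (i + 1 < len) ? x[i + 1] : x[i - 1];
        if (__builtin_add_overflow(dl, dr, &t) || __builtin_add_overflow(t, 2, &t)) return false;
        if (__builtin_sub_overflow(x[i], t >> 2, &x[i])) return false;
    }
    /* Step 2: x[2i+1] += (x[2i] + x[2i+2]) >> 1. */
    for (i = 1; i < len; i += 2) {
        int32_t sr = (i + 1 < len) ? x[i + 1] : x[i - 1];
        if (__builtin_add_overflow(x[i - 1], sr, &t)) return false;
        if (__builtin_add_overflow(x[i], t >> 1, &x[i])) return false;
    }
    return true;
}

/* Constructed input: the forward 5/3 transform of {1,2,3,4}, interleaved, is {1,0,3,1}. */
static bool demo_roundtrip(void)
{
    int32_t row[4] = {1, 0, 3, 1};
    if (!idwt53_row_checked(row, 4)) return false;
    for (size_t i = 0; i < 4; i++)
        if (row[i] != (int32_t)i + 1) return false;
    return true;
}

/* Constructed corrupt coefficients: summing the two INT32_MAX neighbours overflows. */
static bool demo_overflow_rejected(void)
{
    int32_t row[4] = {INT32_MAX, INT32_MAX, 0, INT32_MAX};
    return !idwt53_row_checked(row, 4);
}

int main(void)
{
    printf("roundtrip ok: %d, overflow rejected: %d\n", demo_roundtrip(), demo_overflow_rejected());
    return 0;
}
```

Building the same snippet with `-fsanitize=undefined -fsanitize-undefined-trap-on-error` and removing the checks reproduces the SIGILL signature on the corrupt row.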

rouault commented 7 months ago

I cannot reproduce with 2.5.0 nor master. Which build options did you use to build openjpeg?

Mech0n commented 2 weeks ago

I cannot reproduce with 2.5.0, but I found an undefined behavior bug.

```
➜  bin ./opj_decompress -i ../../../../id:000000.j2k  -o test.raw

[INFO] Start to read j2k main header (0).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Header of tile 1 / 1 has been read.
1471/openjpeg-2.5.0/src/lib/openjp2/ht_dec.c:1192:13: runtime error: null pointer passed as argument 1, which is declared to never be null
[WARNING] A malformed codeblock that has more than one coding pass, but zero length for 2nd and potentially the 3rd pass in an HT codeblock.
[ERROR] Malformed HT codeblock. Invalid codeblock length values.
[ERROR] Failed to decode.
[ERROR] Failed to decode tile 1/1
ERROR -> opj_decompress: failed to decode image!
```