uclouvain / openjpeg

Official repository of the OpenJPEG project

Integer Overflow at j2k.c:9614 #1530

Closed headshog closed 4 months ago

headshog commented 4 months ago

Hi! I've been fuzzing openjpeg with sydr-fuzz security predicates and I found an integer overflow error in j2k.c:9614.

In the function opj_j2k_read_tile_header at line 9614, an integer overflow occurs when the value l_marker_size + 2 is subtracted from the variable p_j2k->m_specific_param.m_decoder.m_sot_length and the value of this variable is less than l_marker_size + 2. So here I decided just to add a checker for valid data.

Environment

How to reproduce this error

  1. Build docker container:

       sudo docker build -t oss-sydr-fuzz-openjpeg .

  2. Run docker container:

       sudo docker run --privileged --network host -v /etc/localtime:/etc/localtime:ro --rm -it -v $PWD:/fuzz oss-sydr-fuzz-openjpeg /bin/bash

  3. Run on the following input:

       /opj_decompress_fuzzer_JP2_fuzz sydr_j2k.txt

  4. Output:

       /home/ubuntu/headshog/openjpeg_build/openjpeg/src/lib/openjp2/j2k.c:9614:64: runtime error: unsigned integer overflow: 147 - 149 cannot be represented in type 'unsigned int'
       SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/ubuntu/headshog/openjpeg_build/openjpeg/src/lib/openjp2/j2k.c:9614:64

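The accounting described in the report, as an added stand-alone model rather than OpenJPEG's own code: the unchecked subtraction beside the guarded one, and a small walker over a constructed tile-part header. The function names, the buffer layout (2-byte marker code followed by a 2-byte big-endian length that counts itself) and the meaning of `sot_length` as "bytes left after the SOT segment" are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked form from the report: when remaining < marker_size + 2 the unsigned
 * subtraction wraps (147 - 149 in the sanitizer log) and the huge result is then
 * trusted as the number of header bytes still to read. */
static uint32_t consume_unchecked(uint32_t remaining, uint32_t marker_size)
{
    return remaining - (marker_size + 2);
}

/* Guarded form: refuse a marker segment that does not fit in what the SOT
 * declared. Returns 1 and updates *remaining on success, 0 on a bad length. */
static int consume_checked(uint32_t *remaining, uint32_t marker_size)
{
    if (marker_size > UINT32_MAX - 2) return 0;   /* marker_size + 2 would itself wrap */
    if (*remaining < marker_size + 2) return 0;   /* the 147 < 149 case */
    *remaining -= marker_size + 2;
    return 1;
}

/* Walk marker segments until the buffer ends. Returns the number of segments
 * accepted, or -1 when a segment claims more than the declared SOT length
 * or more than the buffer holds. */
static int walk_tile_part_header(const uint8_t *buf, size_t len, uint32_t sot_length)
{
    uint32_t remaining = sot_length;
    size_t pos = 0;
    int accepted = 0;
    while (pos + 4 <= len) {
        uint32_t marker_size = ((uint32_t)buf[pos + 2] << 8) | buf[pos + 3];
        if (!consume_checked(&remaining, marker_size)) return -1;
        if (marker_size < 2 || pos + 2 + marker_size > len) return -1;
        pos += 2 + marker_size;
        accepted++;
    }
    return accepted;
}

/* Constructed sample: one COM-style segment (code FF64, Lcom = 5, 3 payload bytes). */
static const uint8_t sample_header[] = { 0xFF, 0x64, 0x00, 0x05, 'a', 'b', 'c' };

int main(void)
{
    printf("unchecked 147 - 149 = %u\n", consume_unchecked(147u, 147u));
    printf("fits:  %d\n", walk_tile_part_header(sample_header, sizeof sample_header, 7u));
    printf("short: %d\n", walk_tile_part_header(sample_header, sizeof sample_header, 6u));
    return 0;
}
```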
rouault commented 4 months ago

The macOS failure is unrelated and will be fixed per https://github.com/uclouvain/openjpeg/pull/1531