xinxinlx / openjpeg

Automatically exported from code.google.com/p/openjpeg

security issue #360

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
test environment: Chrome build environment, put openjpeg into chrome/external

What is the expected output? What do you see instead?
openjpeg crashed!!!

What version of the product are you using? On what operating system?
openjpeg svn version r2833, linux

Please provide any additional information below.
here is the stack:
    #0 0x4f2d89 in __asan_memcpy /home/xuwei/llvm/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:372
    #1 0x79f1e8 in j2k_read_ppm_v3 libopenjpeg/src/../libopenjpeg20/j2k.c:3649
    #2 0x7b0755 in opj_j2k_read_header_procedure libopenjpeg/src/../libopenjpeg20/j2k.c:6988
    #3 0x7a3bcd in opj_j2k_exec libopenjpeg/src/../libopenjpeg20/j2k.c:7043
    #4 0x7a394b in opj_j2k_read_header libopenjpeg/src/../libopenjpeg20/j2k.c:6575
    #5 0x7b7b80 in opj_jp2_read_header libopenjpeg/src/../libopenjpeg20/jp2.c:2342
    #6 0x71d9b7 in opj_read_header libopenjpeg/src/../libopenjpeg20/openjpeg.c:392

I tried to fix this issue like this:
jp2.c, line 1877, in function opj_jp2_read_header_procedure:

    else if (box.length < l_nb_bytes_read)

->

    else if (box.length < l_nb_bytes_read || box.length > opj_stream_get_number_byte_left(stream))

j2k.c, line 3656, in function j2k_read_ppm_v3:

    if (p_header_size)
    {
        opj_read_bytes(p_header_data,&l_N_ppm,4);               /* N_ppm^i */
        p_header_data+=4;
        p_header_size-=4;
    }

->

    if (p_header_size)
    {
        if (p_header_size < 4) return OPJ_FALSE;    /* newly added !!! */
        opj_read_bytes(p_header_data,&l_N_ppm,4);               /* N_ppm^i */
        p_header_data+=4;
        p_header_size-=4;
    }

Then openjpeg didn't crash any more, but I don't know whether the fix is appropriate or not.

Original issue reported on code.google.com by xiaochua...@gmail.com on 20 Jun 2014 at 8:16
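As an added example (not OpenJPEG's own code and not the reporter's patch), here is a simplified parser for the body of a PPM marker segment that applies the kind of remaining-length check the reporter's fix describes before every read, so a truncated Nppm field, or an Nppm larger than the bytes left in the segment, is rejected instead of being read past the buffer. The layout (Zppm, then Nppm/Ippm pairs) follows the JPEG 2000 PPM marker definition; the function names and the constructed inputs are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not OpenJPEG code. Parses the body of a PPM marker segment
 * (everything after Lppm). Layout assumed from the JPEG 2000 spec:
 *   Zppm   1 byte      index of this PPM segment
 *   Nppm   4 bytes     big-endian length of the following packet-header bytes
 *   Ippm   Nppm bytes  packet-header data
 *   (Nppm/Ippm pairs repeat until the segment is exhausted)
 * Returns the number of packet-header bytes copied into out, or -1 when the
 * segment is malformed. Every read is checked against the bytes remaining,
 * which is the check missing before the 4-byte read of N_ppm in the report. */
static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

long parse_ppm_body(const uint8_t *data, size_t size,
                    uint8_t *out, size_t out_cap)
{
    size_t pos = 0, written = 0;

    if (size < 1)
        return -1;                  /* no room even for Zppm */
    pos += 1;                       /* skip Zppm */

    while (pos < size) {
        uint32_t n_ppm;
        if (size - pos < 4)
            return -1;              /* truncated Nppm: the unchecked read in the report */
        n_ppm = read_be32(data + pos);
        pos += 4;
        if (n_ppm > size - pos)
            return -1;              /* Nppm claims more bytes than the segment holds */
        if (n_ppm > out_cap - written)
            return -1;              /* would overflow the caller's output buffer */
        memcpy(out + written, data + pos, n_ppm);
        written += n_ppm;
        pos += n_ppm;
    }
    return (long)written;
}
```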

GoogleCodeExporter commented 9 years ago

Original comment by m.darb...@gmail.com on 6 Oct 2014 at 11:49