xuewend / openjpeg

Automatically exported from code.google.com/p/openjpeg

Heap-buffer-overflow in opj_dwt_decode #486

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Run opj_decompress with the attached file as input

What is the expected output? What do you see instead?
In an ASAN environment, it triggers a heap-buffer-overflow in opj_dwt_decode.

What version of the product are you using? On what operating system?
OpenJpeg revision 2997. Ubuntu 64 bits and Windows 7.

Please provide any additional information below.
The original issue was raised in https://code.google.com/p/chromium/issues/list. It's issue 457480.

If there is no ASAN environment, we can still find this issue in debugging mode. Please input repro.jp2 to run opj_decompress.

Set two breakpoints in the following two functions to check the addresses. We can find that h.mem points to 4 bytes of memory, but bi points to memory outside the allocated range. This causes a heap-buffer-overflow when *bi is assigned a value.

OPJ_BOOL opj_dwt_decode_tile(opj_tcd_tilecomp_t* tilec, OPJ_UINT32 numres,
                             DWT1DFN dwt_1D) {
    ...
    h.mem = (OPJ_INT32*)
        opj_aligned_malloc(opj_dwt_max_resolution(tr, numres) * sizeof(OPJ_INT32));
    ...
}

void opj_dwt_interleave_h(opj_dwt_t* h, OPJ_INT32 *a) {
    ...
    bi = h->mem + 1 - h->cas;
    ...
}

Original issue reported on code.google.com by jun_f...@foxitsoftware.com on 17 Apr 2015 at 11:19
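As an added illustration (not OpenJPEG's code and not part of the report above), here is a simplified model of the horizontal interleave with a size check against the buffer the report says is only 4 bytes long. The struct, the stride-2 slot layout and the sn/dn sample counts are assumptions beyond the two snippets quoted in the report; only `bi = h->mem + 1 - h->cas` comes from it.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified model of the interleave in the report: sn low-pass samples go to
 * slots cas, cas+2, ...; dn high-pass samples to 1-cas, 3-cas, ... (assumed). */
typedef struct {
    int32_t *mem;          /* interleave buffer of mem_len elements (h.mem) */
    size_t   mem_len;
    int      sn, dn, cas;  /* low-pass count, high-pass count, parity (0/1) */
} model_dwt_t;

/* Smallest buffer length (in elements) that the two write loops need. */
static size_t interleave_required_len(int sn, int dn, int cas) {
    size_t need = 0;
    if (sn > 0) need = (size_t)cas + 2 * (size_t)(sn - 1) + 1;
    if (dn > 0) {
        size_t hi = (size_t)(1 - cas) + 2 * (size_t)(dn - 1) + 1;
        if (hi > need) need = hi;
    }
    return need;
}

/* Checked interleave: writes nothing and returns 0 when the buffer is too
 * small; the unchecked routine in the report writes through bi regardless. */
static int interleave_h_checked(model_dwt_t *h, const int32_t *a) {
    if (h->cas < 0 || h->cas > 1 || h->sn < 0 || h->dn < 0) return 0;
    if (interleave_required_len(h->sn, h->dn, h->cas) > h->mem_len) return 0;
    int32_t *bi = h->mem + h->cas;
    for (int i = 0; i < h->sn; i++, bi += 2) *bi = *a++;
    bi = h->mem + 1 - h->cas;             /* the pointer from the report */
    for (int i = 0; i < h->dn; i++, bi += 2) *bi = *a++;
    return 1;
}

/* Shape of the report: a one-element (4-byte) buffer, cas = 0, and one
 * high-pass sample, so bi = mem + 1 would land past the allocation. */
static int report_case_is_rejected(void) {
    int32_t buf[1] = {0}, in[1] = {42};   /* constructed sample input */
    model_dwt_t h = { buf, 1, 0, 1, 0 };
    return interleave_h_checked(&h, in) == 0 && buf[0] == 0;
}

/* A buffer sized by interleave_required_len() interleaves as expected. */
static int sized_case_interleaves(void) {
    int32_t buf[4] = {0}, in[4] = {10, 20, 30, 40};   /* constructed input */
    model_dwt_t h = { buf, 4, 2, 2, 0 };
    return interleave_h_checked(&h, in) == 1
        && buf[0] == 10 && buf[1] == 30 && buf[2] == 20 && buf[3] == 40;
}
```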
