ylb11 / openjpeg

Automatically exported from code.google.com/p/openjpeg

PDF crash in chrome - part0 #362

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Attached are test files and fixes for a PDF file crash in chrome. They were found 
and fixed in the pdfium test by Foxit.

openjpeg svn version:
r2833

test environment:
chrome build environment, put openjpeg into chrome/external

Original issue reported on code.google.com by bo...@foxitsoftware.com on 28 Jun 2014 at 12:57

Attachments:

GoogleCodeExporter commented 9 years ago
The title should be "PDF crash in chrome - part0"

Original comment by bo...@foxitsoftware.com on 28 Jun 2014 at 1:05

GoogleCodeExporter commented 9 years ago

Original comment by antonin on 19 Sep 2014 at 9:41

GoogleCodeExporter commented 9 years ago
r2894

./bin/opj_decompress -i ../../data/issue360/2863.jp2 -o 0.bmp

[INFO] Start to read j2k main header (129).
=================================================================
==3018==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x02903b68 at pc 0x00296aa6 bp 0xbffc94f8 sp 0xbffc90dc
READ of size 96613 at 0x02903b68 thread T0
    #0 0x296aa5 in __asan_memcpy (/Users/Matt/Dev/llvm-clang-3.5.0-macosx-apple-darwin/lib/clang/3.5.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x27aa5)
    #1 0x76f31d in j2k_read_ppm_v3 /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:3636:17
    #2 0x792e44 in opj_j2k_read_header_procedure /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:7132:23
    #3 0x779bd7 in opj_j2k_exec /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:7187:41
    #4 0x77986d in opj_j2k_read_header /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:6719:15
    #5 0x79e08c in opj_jp2_read_header /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/jp2.c:2310:9
    #6 0x7a4b49 in opj_read_header /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/openjpeg.c:391:10
    #7 0x395ef in main (/Users/Matt/Dev/OpenJpeg/issue391/build/./bin/opj_decompress+0x65ef)
    #8 0x9aaf1700 in start (/usr/lib/system/libdyld.dylib+0x3700)
    #9 0x4 (<unknown module>)

0x02903b68 is located 0 bytes to the right of 1000-byte region [0x02903780,0x02903b68)
allocated by thread T0 here:
    #0 0x29f30a in wrap_calloc (/Users/Matt/Dev/llvm-clang-3.5.0-macosx-apple-darwin/lib/clang/3.5.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x3030a)
    #1 0x77f272 in opj_j2k_create_decompress /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:8286:72
    #2 0x79eeb1 in opj_jp2_create /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/jp2.c:2549:15
    #3 0x7a4523 in opj_create_decompress /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/openjpeg.c:318:23
    #4 0x39574 in main (/Users/Matt/Dev/OpenJpeg/issue391/build/./bin/opj_decompress+0x6574)
    #5 0x9aaf1700 in start (/usr/lib/system/libdyld.dylib+0x3700)
    #6 0x4 (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
==3018==ABORTING

Original comment by m.darb...@gmail.com on 3 Oct 2014 at 6:59

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by m.darb...@gmail.com on 3 Oct 2014 at 7:00

Attachments:

GoogleCodeExporter commented 9 years ago
./bin/opj_decompress -i ../../data/issue360/2894.jp2 -o 0.bmp

==3028==ERROR: AddressSanitizer failed to allocate 0xb2003000 (-1308610560) bytes of LargeMmapAllocator (errno: 12)
==3028==Process memory map follows:
==3028==End of process memory map.
==3028==AddressSanitizer CHECK failed: /private/tmp/llvm-release/final/llvm.src/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:121 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
    #0 0x36c227 in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/Users/Matt/Dev/llvm-clang-3.5.0-macosx-apple-darwin/lib/clang/3.5.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x3a227)
    #1 0x3706a3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/Users/Matt/Dev/llvm-clang-3.5.0-macosx-apple-darwin/lib/clang/3.5.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x3e6a3)

Original comment by m.darb...@gmail.com on 3 Oct 2014 at 7:02

GoogleCodeExporter commented 9 years ago
kdu_expand  -i ../../data/issue360/2863.jp2 -o 0.bmp
Kakadu Core Error:
Main code-stream header appears corrupt!

Original comment by m.darb...@gmail.com on 3 Oct 2014 at 7:52

GoogleCodeExporter commented 9 years ago
This patch from bo_xu fixes error for 2984.jp2

./bin/opj_decompress -i ../../data/issue360/2894.jp2 -o 0.bmp

[ERROR] invalid box size -1308622828 (66747970)
ERROR -> opj_decompress: failed to read the header

kdu_expand -i ../../data/issue360/2894.jp2 -o 0.bmp
Error in Kakadu File Format Support:
JP2-family data source contains a malformed file type box.

Original comment by m.darb...@gmail.com on 3 Oct 2014 at 7:56

Attachments:

GoogleCodeExporter commented 9 years ago
This patch makes the following tests fail:
105:ETS-JP2-file8.jp2-decode [ERROR] invalid box size 910 (786d6c20)
106:ETS-JP2-file8.jp2-compare2ref
107:NR-JP2-file8.jp2-compare2base
582:NR-DEC-text_GBR.jp2-29-decode [ERROR] invalid box size 655360 (883)
583:NR-DEC-text_GBR.jp2-29-decode-md5
593:NR-DEC-mem-b2b86b74-2753.jp2-35-decode [ERROR] invalid box size 655360 (64d)
594:NR-DEC-mem-b2b86b74-2753.jp2-35-decode-md5
603:NR-DEC-issue206_image-000.jp2-42-decode [ERROR] invalid box size 655360 (5cc)
604:NR-DEC-issue206_image-000.jp2-42-decode-md5
629:NR-DEC-issue254.jp2-65-decode [ERROR] invalid box size 655360 (3bd8)
637:NR-DEC-issue208.jp2-69-decode [ERROR] invalid box size 655360 (68)
638:NR-DEC-issue208.jp2-69-decode-md5

Original comment by m.darb...@gmail.com on 5 Oct 2014 at 3:35

GoogleCodeExporter commented 9 years ago
This patch allows file8 to decode properly.

After analysis, the other files only decode properly before the patch because 
it's the last box and the box is skipped (no handler). If skip is modified to check 
that the number of bytes skipped falls within the file size range, then it fails:
static OPJ_OFF_T opj_skip_from_file (OPJ_OFF_T p_nb_bytes, FILE * p_user_data)
{
    if (p_nb_bytes > 0) {
        OPJ_BYTE l_byte;
        /* Seek to the last byte of the skipped range, then read it: a short
         * read means the skip would run past the end of the file. */
        if (OPJ_FSEEK(p_user_data,p_nb_bytes-1,SEEK_CUR)) {
            return -1;
        }
        if (opj_read_from_file(&l_byte, 1, p_user_data) != 1) {
            return -1;
        }
    }

    return p_nb_bytes;
}
Are those some special kind of boxes?

Original comment by m.darb...@gmail.com on 5 Oct 2014 at 5:05

Attachments:

GoogleCodeExporter commented 9 years ago
This patch only does the check if a handler exists, before trying to reallocate data.

It should be OK to apply. CTest running.

Original comment by m.darb...@gmail.com on 5 Oct 2014 at 5:57

Attachments:

GoogleCodeExporter commented 9 years ago
OK in CDash

./bin/opj_decompress -i ../../data/issue360/2866.jp2 -o 0.bmp

[ERROR] Invalid box size -738197484 for box 'ftyp'. Need -738197492 bytes, 602 bytes remaining
ERROR -> opj_decompress: failed to read the header

./bin/opj_decompress -i ../../data/issue360/2894.jp2 -o 0.bmp

[ERROR] Invalid box size -1308622828 for box 'ftyp'. Need -1308622836 bytes, 605 bytes remaining
ERROR -> opj_decompress: failed to read the header

Issue remaining on 2863.jp2

Original comment by m.darb...@gmail.com on 5 Oct 2014 at 6:49
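Added example (not OpenJPEG's own code, and not from any patch in this thread): a JP2 box-header reader that keeps LBox unsigned and compares it against the bytes actually remaining, so the 'ftyp' size from the 2894.jp2 run above (0xB2000014, which prints as -1308622828 when read as a signed 32-bit int) is rejected before any allocation or memcpy. The struct, function names and sample bytes are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>

/* Parsed JP2 box header (hypothetical struct, not OpenJPEG's own). */
typedef struct {
    uint64_t length;      /* total box length, header included */
    uint32_t type;        /* four-character box type, e.g. 'ftyp' */
    size_t   header_size; /* 8, or 16 when an XLBox field is present */
} jp2_box_t;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns 1 if a well-formed box header fits in the `remaining` bytes at `buf`,
 * 0 otherwise. The length stays unsigned and is checked against what is left,
 * so an LBox such as 0xB2000014 never reaches an allocator or memcpy. */
int jp2_read_box_header(const uint8_t *buf, size_t remaining, jp2_box_t *box) {
    if (remaining < 8) return 0;
    box->length = be32(buf);
    box->type = be32(buf + 4);
    box->header_size = 8;
    if (box->length == 1) {            /* XLBox: 64-bit length follows */
        if (remaining < 16) return 0;
        box->length = ((uint64_t)be32(buf + 8) << 32) | be32(buf + 12);
        box->header_size = 16;
    } else if (box->length == 0) {     /* box runs to the end of the data */
        box->length = remaining;
    }
    if (box->length < box->header_size) return 0; /* cannot hold its own header */
    if (box->length > remaining) return 0;        /* truncated or bogus length */
    return 1;
}

/* Constructed sample: a valid 12-byte JP2 signature box followed by an
 * 'ftyp' box whose LBox field is 0xB2000014, as in the 2894.jp2 report. */
static const uint8_t sample[] = {
    0x00,0x00,0x00,0x0C, 'j','P',' ',' ', 0x0D,0x0A,0x87,0x0A,
    0xB2,0x00,0x00,0x14, 'f','t','y','p', 'j','p','2',' '
};

/* Checks the header at `off` in the sample; 1 = accepted, 0 = rejected. */
int header_ok(size_t off) {
    jp2_box_t b;
    return jp2_read_box_header(sample + off, sizeof sample - off, &b);
}

/* Walks the sample and returns how many boxes are accepted before the
 * first rejected one (expected: 1, the signature box). */
int count_valid_boxes(void) {
    size_t off = 0; int n = 0; jp2_box_t b;
    while (off < sizeof sample &&
           jp2_read_box_header(sample + off, sizeof sample - off, &b)) {
        n++; off += (size_t)b.length;
    }
    return n;
}
```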

GoogleCodeExporter commented 9 years ago
This patch corrects the issue remaining. OK in CDash

./bin/opj_decompress -i ../../data/issue360/2863.jp2 -o 0.bmp

[INFO] Start to read j2k main header (129).
[ERROR] Error reading PPM marker
[ERROR] Marker handler function failed to read the marker segment
ERROR -> opj_decompress: failed to read the header

Original comment by m.darb...@gmail.com on 5 Oct 2014 at 9:00

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by m.darb...@gmail.com on 6 Oct 2014 at 11:44

GoogleCodeExporter commented 9 years ago
Issue 360 has been merged into this issue.

Original comment by m.darb...@gmail.com on 6 Oct 2014 at 11:49

GoogleCodeExporter commented 9 years ago
This issue was closed by revision r2896.

Original comment by antonin on 6 Oct 2014 at 9:05