zjlyou / openjpeg

Automatically exported from code.google.com/p/openjpeg
Other
0 stars 0 forks source link

Invalid write in opj_j2k_update_image_data #495

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
So, there appears to be a regression of sorts in r2991 ("fixed a buffer 
overflow in opj_tcd_init_decode_tile"). After that revision, the attached 
fuzzer-produced file causes opj_j2k_update_image_data to write to invalid 
memory at line 8198:
   *(l_dest_ptr++) = (OPJ_INT32) ((*(l_src_ptr++))&0xff);

The problem is basically that l_img_comp_dest->w is a very large integer, large 
enough that it causes l_line_offset_dest to become negative, and so 
"l_dest_ptr+= l_line_offset_dest" decrements l_dest_ptr and causes it to point 
to an invalid address. You can reproduce this by trying to decode the attached 
image with opj_decompress (tested on Linux x86-64). The attached patch appears 
to catch this particular testcase, but because I don't fully understand the 
underlying problem it's possible there are other ways of triggering the issue 
or that this could break very large but valid images.

Original issue reported on code.google.com by makos...@gmail.com on 26 May 2015 at 8:13

Attachments:

GoogleCodeExporter commented 8 years ago

Original comment by m.darb...@gmail.com on 27 May 2015 at 9:34

GoogleCodeExporter commented 8 years ago
This issue was updated by revision r3003.

Original comment by m.darb...@gmail.com on 27 May 2015 at 11:05

GoogleCodeExporter commented 8 years ago
This issue was closed by revision r3004.

Original comment by m.darb...@gmail.com on 27 May 2015 at 11:05