
Division-by-zero vulnerabilities in the functions pi_next_pcrl, pi_next_cprl and pi_next_rpcl in src/lib/openjp3d/pi.c #1123

Closed
YangY-Xiao opened this issue Jul 17, 2018 · 2 comments

Comments

@YangY-Xiao

Functions pi_next_pcrl, pi_next_cprl and pi_next_rpcl have division-by-zero vulnerabilities in src/lib/openjp3d/pi.c.

static bool pi_next_pcrl(opj_pi_iterator_t * pi)
{
    ...
                        if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
                                (trx0 << levelnox) % (1 << rpx)))) {
                            continue;
                        }
                        if ((!(pi->y % (comp->dy << rpy) == 0) || (pi->y == pi->ty0 &&
                                (try0 << levelnoy) % (1 << rpx)))) {
                            continue;
                        }
                        if ((!(pi->z % (comp->dz << rpz) == 0) || (pi->z == pi->tz0 &&
                                (trz0 << levelnoz) % (1 << rpx)))) {
                            continue;
                        }
    ...
}
static bool pi_next_rpcl(opj_pi_iterator_t * pi)
{
    ...
                        if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
                                (trx0 << levelnox) % (1 << rpx)))) {
                            continue;
                        }
                        if ((!(pi->y % (comp->dy << rpy) == 0) || (pi->y == pi->ty0 &&
                                (try0 << levelnoy) % (1 << rpx)))) {
                            continue;
                        }
                        if ((!(pi->z % (comp->dz << rpz) == 0) || (pi->z == pi->tz0 &&
                                (trz0 << levelnoz) % (1 << rpx)))) {
                            continue;
                        }
    ...
}
static bool pi_next_cprl(opj_pi_iterator_t * pi)
{
    ...
                        if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
                                (trx0 << levelnox) % (1 << rpx)))) {
                            continue;
                        }
                        if ((!(pi->y % (comp->dy << rpy) == 0) || (pi->y == pi->ty0 &&
                                (try0 << levelnoy) % (1 << rpx)))) {
                            continue;
                        }
                        if ((!(pi->z % (comp->dz << rpz) == 0) || (pi->z == pi->tz0 &&
                                (trz0 << levelnoz) % (1 << rpx)))) {
                            continue;
                        }
    ...
}

This issue is the same as #731, #732, #777, #778, #779 and #780,
and the patch should be like the patch for #731 and so on.

d27ccf0: patch for #731

 +                    /* To avoid divisions by zero / undefined behaviour on shift */
 +                    /* in below tests */
 +                    if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
 +                            rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy) {
 +                        continue;
 +                    }
 +
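Review bot: the guard quoted here bounds only rpx/dx and rpy/dy, which fits the 2D code it was written for, but the openjp3d functions named in this issue also shift `comp->dz << rpz` on the z axis, so a port to src/lib/openjp3d/pi.c needs a third clause of the same shape, e.g. `rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz`. Note as well that the excerpts above use `(1 << rpx)` in the y and z tests rather than rpy/rpz; whichever index the final code shifts by is the one the guard has to bound, otherwise the `% (1 << ...)` operand can still be zero or the shift undefined.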
@kbabioch
Contributor

CVE-2018-14423 has been assigned to this.

@hlef
Contributor

hlef commented Dec 14, 2018

This bug report can be closed, issue has been fixed in bd88611.
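The guard this issue asks for, carried to all three axes of the openjp3d iterators, as an added example that is neither the project's code nor the fix in bd88611; `comp_t`, `pi_t`, `step_is_valid` and `on_precinct_boundary` are constructed stand-ins for the real structs and tests, and the tx0/trx0 clause of the original tests is left out.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>

/* Constructed stand-ins for the fields the precinct tests read
 * (hypothetical, not the real opj_pi_iterator_t / component structs). */
typedef struct { int dx, dy, dz; } comp_t;   /* component sub-sampling */
typedef struct { int x, y, z; } pi_t;        /* iterator position */

/* A step (d << rp) may serve as a modulus only if the shift is defined
 * (rp below 31) and loses no bits, the condition the d27ccf0 guard writes
 * as ((d << rp) >> rp) == d. Widening to 64 bits avoids evaluating the
 * possibly overflowing int shift at all. */
static bool step_is_valid(int d, int rp)
{
    if (d <= 0 || rp < 0 || rp >= 31)
        return false;
    return ((int64_t)d << rp) <= INT_MAX;   /* fits in int, hence non-zero */
}

/* Mirrors the first clause of the three axis tests in pi_next_pcrl,
 * pi_next_rpcl and pi_next_cprl. Returns true when the position lies on a
 * precinct boundary on all three axes; on a corrupted resolution level the
 * guard returns false, as the fix's `continue` does, instead of dividing
 * by a zero step. */
static bool on_precinct_boundary(const pi_t *pi, const comp_t *c,
                                 int rpx, int rpy, int rpz)
{
    if (!step_is_valid(c->dx, rpx) || !step_is_valid(c->dy, rpy) ||
        !step_is_valid(c->dz, rpz))
        return false;
    if (pi->x % (c->dx << rpx) != 0) return false;
    if (pi->y % (c->dy << rpy) != 0) return false;
    if (pi->z % (c->dz << rpz) != 0) return false;
    return true;
}

int main(void)
{
    comp_t c = { 1, 1, 1 };          /* constructed component */
    pi_t p = { 64, 64, 8 };          /* constructed position */
    /* a sane level (3) versus a corrupted z level (40) that would
     * otherwise shift out every bit and divide by zero */
    return (on_precinct_boundary(&p, &c, 3, 3, 3) &&
            !on_precinct_boundary(&p, &c, 3, 3, 40)) ? 0 : 1;
}
```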
