What steps will reproduce the problem?
test environment: chrome build environment, put openjpeg into chrome/external
What is the expected output? What do you see instead?
openjpeg crashed!!!
What version of the product are you using? On what operating system?
openjpeg svn version r2833, linux
Please provide any additional information below.
here is the stack:

```
#0 0x4f2d89 in __asan_memcpy /home/xuwei/llvm/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:372
#1 0x79f1e8 in j2k_read_ppm_v3 libopenjpeg/src/../libopenjpeg20/j2k.c:3649
#2 0x7b0755 in opj_j2k_read_header_procedure libopenjpeg/src/../libopenjpeg20/j2k.c:6988
#3 0x7a3bcd in opj_j2k_exec libopenjpeg/src/../libopenjpeg20/j2k.c:7043
#4 0x7a394b in opj_j2k_read_header libopenjpeg/src/../libopenjpeg20/j2k.c:6575
#5 0x7b7b80 in opj_jp2_read_header libopenjpeg/src/../libopenjpeg20/jp2.c:2342
#6 0x71d9b7 in opj_read_header libopenjpeg/src/../libopenjpeg20/openjpeg.c:392
```
I tried to fix this issue like this:
jp2.c, line 1877, in function "opj_jp2_read_header_procedure":

```c
else if (box.length < l_nb_bytes_read)
```

->

```c
else if (box.length < l_nb_bytes_read || box.length > opj_stream_get_number_byte_left(stream))
```
j2k.c, line 3656, in function "j2k_read_ppm_v3":

```c
if (p_header_size)
{
    opj_read_bytes(p_header_data,&l_N_ppm,4); /* N_ppm^i */
    p_header_data+=4;
    p_header_size-=4;
}
```

->

```c
if (p_header_size)
{
    if (p_header_size < 4) return OPJ_FALSE; // new added !!!
    opj_read_bytes(p_header_data,&l_N_ppm,4); /* N_ppm^i */
    p_header_data+=4;
    p_header_size-=4;
}
```
Then openjpeg didn't crash any more. But I don't know whether the fix is appropriate or not.
Reported by xiaochuan.liu19880512 on 2014-06-20 08:16:35
Originally reported on Google Code with ID 360
Attachment: [issue1-fuzz-asan_heap-uaf_7b68a2_2858_4845.pdf.zip](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-360/comment-0/issue1-fuzz-asan_heap-uaf_7b68a2_2858_4845.pdf.zip)
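The PPM marker-segment walk that the report's `p_header_size < 4` check protects, as an added stand-alone C example (not OpenJPEG's code and not the reporter's patch): a small parser that checks the remaining segment size before every 4-byte `Nppm` read, and goes one step further than the report by also checking that each `Nppm`-sized chunk body fits in what remains. The parser function and the sample segments are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Big-endian 32-bit read; caller guarantees 4 bytes are available. */
static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Walks a PPM segment body (everything after Lppm): one Zppm index byte,
 * then repeated { Nppm (4 bytes) , Ippm (Nppm bytes) } chunks.
 * Returns the number of chunks parsed, or -1 if the segment is truncated.
 * Hypothetical parser written for this example. */
int parse_ppm_segment(const uint8_t *data, size_t header_size)
{
    int chunks = 0;
    if (header_size < 1) return -1;             /* no room for Zppm */
    data += 1; header_size -= 1;
    while (header_size > 0) {
        /* The check the report adds: reading Nppm needs 4 bytes; without
         * this test the read runs past the end of the marker segment. */
        if (header_size < 4) return -1;
        uint32_t nppm = read_be32(data);
        data += 4; header_size -= 4;
        /* Beyond the report: the chunk body must fit as well, otherwise
         * the Nppm value would steer a later copy past the buffer. */
        if (nppm > header_size) return -1;
        data += nppm; header_size -= nppm;
        chunks++;
    }
    return chunks;
}

/* Constructed sample bodies (Lppm already consumed). */
static const uint8_t ppm_good[]  = { 0x00, 0,0,0,2, 0xAA,0xBB, 0,0,0,1, 0xCC };
static const uint8_t ppm_short[] = { 0x00, 0,0,0,2, 0xAA,0xBB, 0,0 }; /* 2 bytes left, Nppm needs 4 */
static const uint8_t ppm_big[]   = { 0x00, 0,0,0,9, 0xAA };           /* Nppm says 9, 1 byte left */

int main(void)
{
    printf("good:  %d\n", parse_ppm_segment(ppm_good,  sizeof ppm_good));   /* 2 */
    printf("short: %d\n", parse_ppm_segment(ppm_short, sizeof ppm_short));  /* -1 */
    printf("big:   %d\n", parse_ppm_segment(ppm_big,   sizeof ppm_big));    /* -1 */
    return 0;
}
```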