
Heap-use-after-free in opj_t1_decode_cblks #418

Closed
gcode-importer opened this issue Oct 21, 2014 · 11 comments

Comments

@gcode-importer

Originally reported on Google Code with ID 418

https://code.google.com/p/chromium/issues/detail?id=425150

Reported by detonin on 2014-10-21 12:07:28

@gcode-importer

+cc Bo Xu so that you can follow these issues on the OpenJPEG side

Reported by detonin on 2014-10-21 15:24:27

@gcode-importer

Asked for the PDF to be attached in the Chromium issue.

Reported by mayeut on 2014-10-21 18:16:33

@gcode-importer

Reported by bo_xu@foxitsoftware.com on 2014-10-21 18:18:59


- _Attachment: [signal_sigsegv_f95be2_5450_cov_1623163935_4663.pdf](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-418/comment-3/signal_sigsegv_f95be2_5450_cov_1623163935_4663.pdf)_

@gcode-importer

r2908,

Reproduced:
./bin/opj_decompress -i ../../ex/1.jp2 -o 1.bmp

[INFO] Start to read j2k main header (129).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
WARNING in tgt_create tree->numnodes == 0, no tree created.
WARNING: No incltree created.
WARNING in tgt_create tree->numnodes == 0, no tree created.
WARNING: No imsbtree created.
WARNING in tgt_create tree->numnodes == 0, no tree created.
WARNING: No incltree created.
WARNING in tgt_create tree->numnodes == 0, no tree created.
WARNING: No imsbtree created.
WARNING in tgt_create tree->numnodes == 0, no tree created.
WARNING: No incltree created.
WARNING in tgt_create tree->numnodes == 0, no tree created.
WARNING: No imsbtree created.
WARNING in tgt_create tree->numnodes == 0, no tree created.
WARNING: No incltree created.
WARNING in tgt_create tree->numnodes == 0, no tree created.
WARNING: No imsbtree created.
[INFO] Header of tile 1 / 32 has been read.
[INFO] Tile 1/32 has been decoded.
[INFO] Image data has been updated with tile 1.

WARNING in tgt_create tree->numnodes == 0, no tree created.
WARNING: No incltree created.
WARNING in tgt_create tree->numnodes == 0, no tree created.
WARNING: No imsbtree created.
WARNING in tgt_create tree->numnodes == 0, no tree created.
WARNING: No incltree created.
WARNING in tgt_create tree->numnodes == 0, no tree created.
WARNING: No imsbtree created.
WARNING in tgt_create tree->numnodes == 0, no tree created.
WARNING: No incltree created.
WARNING in tgt_create tree->numnodes == 0, no tree created.
WARNING: No imsbtree created.
WARNING in tgt_create tree->numnodes == 0, no tree created.
WARNING: No incltree created.
WARNING in tgt_create tree->numnodes == 0, no tree created.
WARNING: No imsbtree created.
[INFO] Header of tile 2 / 32 has been read.
[INFO] Tile 2/32 has been decoded.
[INFO] Image data has been updated with tile 2.

WARNING in tgt_create tree->numnodes == 0, no tree created.
WARNING: No incltree created.
WARNING in tgt_create tree->numnodes == 0, no tree created.
WARNING: No imsbtree created.
WARNING in tgt_create tree->numnodes == 0, no tree created.
WARNING: No incltree created.
WARNING in tgt_create tree->numnodes == 0, no tree created.
WARNING: No imsbtree created.
WARNING in tgt_create tree->numnodes == 0, no tree created.
WARNING: No incltree created.
WARNING in tgt_create tree->numnodes == 0, no tree created.
WARNING: No imsbtree created.
WARNING in tgt_create tree->numnodes == 0, no tree created.
WARNING: No incltree created.
WARNING in tgt_create tree->numnodes == 0, no tree created.
WARNING: No imsbtree created.
[INFO] Header of tile 1 / 32 has been read.
[INFO] Tile 1/32 has been decoded.
[INFO] Image data has been updated with tile 1.

WARNING in tgt_create tree->numnodes == 0, no tree created.
WARNING: No incltree created.
WARNING in tgt_create tree->numnodes == 0, no tree created.
WARNING: No imsbtree created.
WARNING in tgt_create tree->numnodes == 0, no tree created.
WARNING: No incltree created.
WARNING in tgt_create tree->numnodes == 0, no tree created.
WARNING: No imsbtree created.
WARNING in tgt_create tree->numnodes == 0, no tree created.
WARNING: No incltree created.
WARNING in tgt_create tree->numnodes == 0, no tree created.
WARNING: No imsbtree created.
WARNING in tgt_create tree->numnodes == 0, no tree created.
WARNING: No incltree created.
WARNING in tgt_create tree->numnodes == 0, no tree created.
WARNING: No imsbtree created.
[INFO] Header of tile 4 / 32 has been read.
[INFO] Tile 4/32 has been decoded.
[INFO] Image data has been updated with tile 4.

[INFO] Header of tile 5 / 32 has been read.
[INFO] Tile 5/32 has been decoded.
[INFO] Image data has been updated with tile 5.

[INFO] Header of tile 6 / 32 has been read.
[INFO] Tile 6/32 has been decoded.
[INFO] Image data has been updated with tile 6.

[INFO] Header of tile 7 / 32 has been read.
[INFO] Tile 7/32 has been decoded.
[INFO] Image data has been updated with tile 7.

[INFO] Header of tile 8 / 32 has been read.
[INFO] Tile 8/32 has been decoded.
[INFO] Image data has been updated with tile 8.

[INFO] Header of tile 9 / 32 has been read.
[INFO] Tile 9/32 has been decoded.
[INFO] Image data has been updated with tile 9.

[INFO] Header of tile 10 / 32 has been read.
[INFO] Tile 10/32 has been decoded.
[INFO] Image data has been updated with tile 10.

[INFO] Header of tile 11 / 32 has been read.
[INFO] Tile 11/32 has been decoded.
[INFO] Image data has been updated with tile 11.

[INFO] Header of tile 13 / 32 has been read.
[INFO] Tile 13/32 has been decoded.
[INFO] Image data has been updated with tile 13.

[INFO] Header of tile 14 / 32 has been read.
[INFO] Tile 14/32 has been decoded.
[INFO] Image data has been updated with tile 14.

[INFO] Header of tile 15 / 32 has been read.
[INFO] Tile 15/32 has been decoded.
[INFO] Image data has been updated with tile 15.

[INFO] Header of tile 16 / 32 has been read.
[INFO] Tile 16/32 has been decoded.
[INFO] Image data has been updated with tile 16.

[INFO] Header of tile 17 / 32 has been read.
[INFO] Tile 17/32 has been decoded.
[INFO] Image data has been updated with tile 17.

[INFO] Header of tile 18 / 32 has been read.
[INFO] Tile 18/32 has been decoded.
[INFO] Image data has been updated with tile 18.

[INFO] Header of tile 19 / 32 has been read.
[INFO] Tile 19/32 has been decoded.
[INFO] Image data has been updated with tile 19.

[INFO] Header of tile 20 / 32 has been read.
=================================================================
==29636==ERROR: AddressSanitizer: heap-use-after-free on address 0x01b00ce0 at pc 0x0078bcd2
bp 0xbfff4258 sp 0xbfff4254
READ of size 4 at 0x01b00ce0 thread T0
    #0 0x78bcd1 in opj_t1_decode_cblk (/Users/Matt/Dev/OpenJpeg/issue398/build/bin/libopenjp2.7.dylib+0x5bcd1)
    #1 0x78ae17 in opj_t1_decode_cblks (/Users/Matt/Dev/OpenJpeg/issue398/build/bin/libopenjp2.7.dylib+0x5ae17)
    #2 0x7a5ff9 in opj_tcd_t1_decode (/Users/Matt/Dev/OpenJpeg/issue398/build/bin/libopenjp2.7.dylib+0x75ff9)
    #3 0x7a5cb0 in opj_tcd_decode_tile (/Users/Matt/Dev/OpenJpeg/issue398/build/bin/libopenjp2.7.dylib+0x75cb0)
    #4 0x752317 in opj_j2k_decode_tile (/Users/Matt/Dev/OpenJpeg/issue398/build/bin/libopenjp2.7.dylib+0x22317)
    #5 0x766a87 in opj_j2k_decode_tiles (/Users/Matt/Dev/OpenJpeg/issue398/build/bin/libopenjp2.7.dylib+0x36a87)
    #6 0x74e2c7 in opj_j2k_exec (/Users/Matt/Dev/OpenJpeg/issue398/build/bin/libopenjp2.7.dylib+0x1e2c7)
    #7 0x757db3 in opj_j2k_decode (/Users/Matt/Dev/OpenJpeg/issue398/build/bin/libopenjp2.7.dylib+0x27db3)
    #8 0x76e0df in opj_jp2_decode (/Users/Matt/Dev/OpenJpeg/issue398/build/bin/libopenjp2.7.dylib+0x3e0df)
    #9 0x779743 in opj_decode (/Users/Matt/Dev/OpenJpeg/issue398/build/bin/libopenjp2.7.dylib+0x49743)
    #10 0xf18c in main /Users/Matt/Dev/OpenJpeg/issue398/src/bin/jp2/opj_decompress.c:821:10
    #11 0x9aaf1700 in start (/usr/lib/system/libdyld.dylib+0x3700)
    #12 0x4 (<unknown module>)

0x01b00ce0 is located 0 bytes inside of 56-byte region [0x01b00ce0,0x01b00d18)
freed by thread T0 here:
    #0 0x27313a in wrap_realloc (/Users/Matt/Dev/llvm-clang-3.5.0-macosx-apple-darwin/lib/clang/3.5.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x3013a)
    #1 0x7a2fac in opj_tcd_init_decode_tile (/Users/Matt/Dev/OpenJpeg/issue398/build/bin/libopenjp2.7.dylib+0x72fac)
    #2 0x750527 in opj_j2k_read_tile_header (/Users/Matt/Dev/OpenJpeg/issue398/build/bin/libopenjp2.7.dylib+0x20527)
    #3 0x766957 in opj_j2k_decode_tiles (/Users/Matt/Dev/OpenJpeg/issue398/build/bin/libopenjp2.7.dylib+0x36957)
    #4 0x74e2c7 in opj_j2k_exec (/Users/Matt/Dev/OpenJpeg/issue398/build/bin/libopenjp2.7.dylib+0x1e2c7)
    #5 0x757db3 in opj_j2k_decode (/Users/Matt/Dev/OpenJpeg/issue398/build/bin/libopenjp2.7.dylib+0x27db3)
    #6 0x76e0df in opj_jp2_decode (/Users/Matt/Dev/OpenJpeg/issue398/build/bin/libopenjp2.7.dylib+0x3e0df)
    #7 0x779743 in opj_decode (/Users/Matt/Dev/OpenJpeg/issue398/build/bin/libopenjp2.7.dylib+0x49743)
    #8 0xf18c in main /Users/Matt/Dev/OpenJpeg/issue398/src/bin/jp2/opj_decompress.c:821:10
    #9 0x9aaf1700 in start (/usr/lib/system/libdyld.dylib+0x3700)
    #10 0x4 (<unknown module>)

previously allocated by thread T0 here:
    #0 0x27313a in wrap_realloc (/Users/Matt/Dev/llvm-clang-3.5.0-macosx-apple-darwin/lib/clang/3.5.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x3013a)
    #1 0x7a2fac in opj_tcd_init_decode_tile (/Users/Matt/Dev/OpenJpeg/issue398/build/bin/libopenjp2.7.dylib+0x72fac)
    #2 0x750527 in opj_j2k_read_tile_header (/Users/Matt/Dev/OpenJpeg/issue398/build/bin/libopenjp2.7.dylib+0x20527)
    #3 0x766957 in opj_j2k_decode_tiles (/Users/Matt/Dev/OpenJpeg/issue398/build/bin/libopenjp2.7.dylib+0x36957)
    #4 0x74e2c7 in opj_j2k_exec (/Users/Matt/Dev/OpenJpeg/issue398/build/bin/libopenjp2.7.dylib+0x1e2c7)
    #5 0x757db3 in opj_j2k_decode (/Users/Matt/Dev/OpenJpeg/issue398/build/bin/libopenjp2.7.dylib+0x27db3)
    #6 0x76e0df in opj_jp2_decode (/Users/Matt/Dev/OpenJpeg/issue398/build/bin/libopenjp2.7.dylib+0x3e0df)
    #7 0x779743 in opj_decode (/Users/Matt/Dev/OpenJpeg/issue398/build/bin/libopenjp2.7.dylib+0x49743)
    #8 0xf18c in main /Users/Matt/Dev/OpenJpeg/issue398/src/bin/jp2/opj_decompress.c:821:10
    #9 0x9aaf1700 in start (/usr/lib/system/libdyld.dylib+0x3700)
    #10 0x4 (<unknown module>)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 opj_t1_decode_cblk
Shadow bytes around the buggy address:
  0x20360140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x20360150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x20360160: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00 00
  0x20360170: 00 00 00 04 fa fa fa fa fd fd fd fd fd fd fd fd
  0x20360180: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
=>0x20360190: fd fd fd fd fd fd fd fa fa fa fa fa[fd]fd fd fd
  0x203601a0: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x203601b0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x203601c0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x203601d0: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x203601e0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  ASan internal:           fe
==29636==ABORTING

Reported by mayeut on 2014-10-21 18:42:53

@gcode-importer

Strange thing: OpenJPEG states tile 1 is decoded 2 times (one time instead of tile 3).

kdu_expand -i ../../ex/1.jp2 -o 1.bmp
Kakadu Core Error:
Illegal colour transform specified when image has insufficient or incompatible
colour components.

Reported by mayeut on 2014-10-21 18:45:11

@gcode-importer

Reported by mayeut on 2014-10-21 18:47:19


- _Attachment: [1.jp2](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-418/comment-6/1.jp2)_

@gcode-importer

This patch resets blocks to be reused for tiles other than the first tile.
Tested against CDash & OK

We can see that tile 1 is decoded 2 times (that's what's reported). Tile 12 is missing.

./bin/opj_decompress -i ../../data/issue418/1.jp2 -o 1.bmp

[INFO] Start to read j2k main header (129).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
...
[INFO] Header of tile 1 / 32 has been read.
[INFO] Tile 1/32 has been decoded.
[INFO] Image data has been updated with tile 1.

...
[INFO] Header of tile 2 / 32 has been read.
[INFO] Tile 2/32 has been decoded.
[INFO] Image data has been updated with tile 2.

...
[INFO] Header of tile 1 / 32 has been read.
[INFO] Tile 1/32 has been decoded.
[INFO] Image data has been updated with tile 1.

...
[INFO] Header of tile 4 / 32 has been read.
[INFO] Tile 4/32 has been decoded.
[INFO] Image data has been updated with tile 4.

...

[INFO] Header of tile 11 / 32 has been read.
[INFO] Tile 11/32 has been decoded.
[INFO] Image data has been updated with tile 11.

[INFO] Header of tile 13 / 32 has been read.
[INFO] Tile 13/32 has been decoded.
[INFO] Image data has been updated with tile 13.

...

[INFO] Header of tile 31 / 32 has been read.
[INFO] Tile 31/32 has been decoded.
[INFO] Image data has been updated with tile 31.

[ERROR] Tile part length size inconsistent with stream length
[ERROR] Failed to decode the codestream in the JP2 file
ERROR -> opj_decompress: failed to decode image!

Reported by mayeut on 2014-10-21 20:37:32


- _Attachment: [issue418.patch](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-418/comment-7/issue418.patch)_
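
The bug class this comment's patch addresses, as an added C example that is not OpenJPEG's code: a per-tile init grows a shared code-block array with realloc() while the decode step keeps reading through a reference taken for the first tile, which matches the ASan report above (freed by realloc in opj_tcd_init_decode_tile, read in opj_t1_decode_cblk). All structures and function names (precinct_t, init_tile_buggy, init_tile_fixed, decode_all) are hypothetical; the defective variant is defined for contrast only and is never executed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed model of the bug class, not OpenJPEG's real structures. */
typedef struct { uint32_t numpasses; } cblk_t;
typedef struct {
    cblk_t *blocks;   /* code-block array shared by all tiles, grown with realloc() */
    size_t  nblocks;  /* current capacity of blocks */
    cblk_t *cur;      /* reference the decode step reads through */
} precinct_t;
static int grow(precinct_t *p, size_t need) {
    if (need <= p->nblocks) return 0;
    cblk_t *nb = realloc(p->blocks, need * sizeof *nb);  /* frees the old array */
    if (!nb) return -1;
    p->blocks = nb; p->nblocks = need;
    return 0;
}
/* Defective variant (for contrast, never called here): `cur` is set on the first tile only,
 * so after a later tile's realloc() it points into freed memory and decode_tile() reads it. */
int init_tile_buggy(precinct_t *p, size_t need, uint32_t tile) {
    if (grow(p, need) < 0) return -1;
    for (size_t i = 0; i < need; i++) p->blocks[i].numpasses = tile + (uint32_t)i;
    if (!p->cur) p->cur = p->blocks;
    return 0;
}
/* Fixed variant, in the spirit of the patch: reset the blocks reused for this tile
 * and refresh every reference on every tile, not only on the first one. */
int init_tile_fixed(precinct_t *p, size_t need, uint32_t tile) {
    if (grow(p, need) < 0) return -1;
    if (need) memset(p->blocks, 0, need * sizeof *p->blocks);
    for (size_t i = 0; i < need; i++) p->blocks[i].numpasses = tile + (uint32_t)i;
    p->cur = p->blocks;
    return 0;
}
/* Decode step: reads each of the tile's blocks through `cur`. */
static uint32_t decode_tile(const precinct_t *p, size_t need) {
    uint32_t sum = 0;
    for (size_t i = 0; i < need; i++) sum += p->cur[i].numpasses;
    return sum;
}
/* Decodes `ntiles` tiles (numbered from 1) with per-tile block counts `needs` using
 * the fixed init; returns the summed pass counts, or UINT32_MAX on allocation failure. */
uint32_t decode_all(const size_t *needs, size_t ntiles) {
    precinct_t p = { NULL, 0, NULL }; uint32_t total = 0;
    for (size_t t = 0; t < ntiles; t++) {
        if (init_tile_fixed(&p, needs[t], (uint32_t)t + 1) < 0) { free(p.blocks); return UINT32_MAX; }
        total += decode_tile(&p, needs[t]);
    }
    free(p.blocks);
    return total;
}
```

Building the same driver around init_tile_buggy with -fsanitize=address reproduces the heap-use-after-free signature from the report once a later tile needs more blocks than the first.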

@gcode-importer

Is this issue verified then?

Reported by detonin on 2014-10-22 10:41:05

@gcode-importer

@antonin,

Yes, I forgot to mention that it's been tested against the whole test suite & OK

Reported by mayeut on 2014-10-22 11:10:03

  • Status changed: Verified

@gcode-importer

This issue was closed by revision r2910.

Reported by detonin on 2014-10-22 13:16:38

  • Status changed: Fixed

@gcode-importer

Thank you all for such a quick fix!

Reported by bo_xu@foxitsoftware.com on 2014-10-22 17:17:34
