Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Out-of-bounds read in opj_j2k_update_image_data and opj_tgt_reset function #704

Closed
boxerab opened this issue Jan 22, 2016 · 9 comments
Closed

Out-of-bounds read in opj_j2k_update_image_data and opj_tgt_reset function #704

boxerab opened this issue Jan 22, 2016 · 9 comments
Labels
bug Priority-Critical
Milestone
OPJ v2.2.0

Comments

@boxerab
Copy link
Contributor

boxerab commented Jan 22, 2016

http://seclists.org/oss-sec/2016/q1/128
@boxerab boxerab changed the title Out-of-bounds Read in opj_j2k_update_image_data and opj_tgt_reset function Out-of-bounds read in opj_j2k_update_image_data and opj_tgt_reset function Jan 22, 2016
@szukw000
Copy link
Contributor

It seems that both images are broken. But the openjpeg library should
realize it.

winfried
github-#704.txt

mayeut added a commit to mayeut/openjpeg that referenced this issue Jan 27, 2016
@mayeut
Fixes 1st image crash of uclouvain#704
f897c39 
Prevents color_esycc_to_rgb to be applied when different subsampling
are used.
@mayeut
Copy link
Collaborator

mayeut commented Jan 27, 2016

The crash for the second image is caused by an arithmetic overflow in pi.c
Line 374:

prci = opj_int_floordivpow2(opj_int_ceildiv(pi->x, (OPJ_INT32)(comp->dx << levelno)), (OPJ_INT32)res->pdx) - opj_int_floordivpow2(trx0, (OPJ_INT32)res->pdx);

When levelno >= 31 this overflows.
Replacing with

prci = opj_int_floordivpow2(opj_int_ceildiv64(pi->x, (OPJ_INT64)comp->dx << levelno), (OPJ_INT32)res->pdx) - opj_int_floordivpow2(trx0, (OPJ_INT32)res->pdx);

solves the issue. (opj_int_ceildiv64 does not exist in master)

There are/were multiple issues in openjpeg for levelno >= 31 (c.f. #215, #486, #394, #480, #388).
Using OPJ_UINT32 would only shift the problem to levelno>=32 (I guess levelno==32 in fact) and only for dx==1 in this specific issue.
A complete sweep of the code shall be done to track those shift by levelno & ensure that no arithmetic overflow can occur. Unfortunately, I don't have time to do this right now.

@boxerab
Copy link
Contributor Author

boxerab commented Jan 27, 2016

Why not just modify the floor and ceiling methods: eg

static INLINE OPJ_INT32 opj_int_floordivpow2(OPJ_INT32 a, OPJ_INT64 b) {
    return (OPJ_INT32)(a >> b);
}

and just change all of the casts in the code from (OPJ_INT32) to (OPJ_INT64) for the power of 2 ?

@detonin detonin added this to the OPJ v2.1.1 milestone Apr 15, 2016
@detonin
Copy link
Contributor

detonin commented Apr 18, 2016

@boxerab your proposed change is on opj_int_floordivpow2 but the issue seems to be on opj_int_ceildiv.
@mayeut instead of defining opj_int_ceildiv64, is there any objection to change current opj_int_ceildiv to opj_int_ceildiv(OPJ_INT32 a, OPJ_INT64 b) and change all occurence of opj_int_ceildiv accordingly ?

@boxerab
Copy link
Contributor Author

boxerab commented Apr 18, 2016

Sorry, no time for this at the moment.

@mayeut
Copy link
Collaborator

mayeut commented Apr 18, 2016

@detonin, changing all occurrences of opj_int_ceildiv as you suggest can be done but this will lead to performance loss on 32-bit platforms for sure.

mayeut added a commit to mayeut/openjpeg that referenced this issue Apr 23, 2016
@mayeut
Fixes 1st image crash of uclouvain#704
af4a9d9 
Prevents color_esycc_to_rgb to be applied when different subsampling
are used.
mayeut added a commit to mayeut/openjpeg that referenced this issue Apr 25, 2016
@mayeut
Fixes 1st image crash of uclouvain#704
d26481f 
Prevents color_esycc_to_rgb to be applied when different subsampling
are used.
@mayeut mayeut modified the milestones: OPJ v2.2.0, OPJ v2.1.1 Jul 13, 2016
@boxerab boxerab closed this as completed Dec 28, 2016
@boxerab boxerab reopened this Dec 29, 2016
@rouault
Copy link
Collaborator

rouault commented Jul 30, 2017

I can't reproduce issues on the 2 images with a -fsanitize=undefined,address build. Closing

@rouault rouault closed this as completed Jul 30, 2017
@jubalh
Copy link

jubalh commented Mar 29, 2019

For the record, this was assigned CVE-2016-1923

@jubalh
Copy link

jubalh commented Mar 29, 2019

Anybody knows what exactly the fix for this was?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Priority-Critical
Projects
None yet
Milestone
OPJ v2.2.0
Development

No branches or pull requests
6 participants
@boxerab @detonin @rouault @jubalh @szukw000 @mayeut