Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix Heap-buffer-overflow READ in opj_jp2_apply_pclr #1441

Merged
merged 2 commits into from
Aug 12, 2022

Conversation

sashashura
Copy link
Contributor

The issue was found while fuzzing opencv:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47342

The read overflow triggered by reading src[j] in

            for (j = 0; j < max; ++j) {
                dst[j] = src[j];
            }

The max is calculated as new_comps[pcol].w * new_comps[pcol].h, however the src = old_comps[cmp].data; which may have different w and h dimensions.

The issue was found while fuzzing opencv:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47342

The read overflow triggered by reading `src[j]` in
```cpp
            for (j = 0; j < max; ++j) {
                dst[j] = src[j];
            }
```
The max is calculated as `new_comps[pcol].w * new_comps[pcol].h`, however the `src = old_comps[cmp].data;` which may have different `w` and `h` dimensions.
@@ -1108,7 +1108,10 @@ static OPJ_BOOL opj_jp2_apply_pclr(opj_image_t *image,
pcol = cmap[i].pcol;
src = old_comps[cmp].data;
assert(src); /* verified above */
max = new_comps[pcol].w * new_comps[pcol].h;
oldmax = old_comps[cmp].w * old_comps[cmp].h;
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

shouldn't the fix to be just:
max = new_comps[i].w * new_comps[i].h;

Copy link
Contributor Author

@sashashura sashashura Aug 12, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It can be... While I understand where and why it accesses out of bounds memory, my assumption about the fix can be wrong because I'm not so familiar with the code base. I have applied and tested your suggestion and the crash is gone.

@rouault rouault merged commit be95561 into uclouvain:master Aug 12, 2022
@rouault rouault added this to the 2.5.1 milestone Aug 12, 2022
@sashashura
Copy link
Contributor Author

Hi, do you have an estimate when 2.5.1 will be released? Thanks!

@rouault
Copy link
Collaborator

rouault commented Sep 1, 2022

Hi, do you have an estimate when 2.5.1 will be released? Thanks!

likely not before several months

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants