Heap buffer overflow in opj_j2k_update_image_data() triggered with Ghostscript

[fumfel]

Version: 2.3.0 and recent master: cd900d9

Command to reproduce (Ghostscript): gs -dNOPAUSE -sDEVICE=bit -sOUTPUTFILE=/dev/null -dSAFER gs_hbo_update_image_data -c quit

Crashing test case (please unpack): gs_hbo_update_image_data.zip

ASAN log:

==3306==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f36ee8b4841 at pc 0x7f372b049d1a bp 0x7ffedfacc0c0 sp 0x7ffedfacb868
WRITE of size 14325121024 at 0x7f36ee8b4841 thread T0
    #0 0x7f372b049d19  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5ed19)
    #1 0x55d0407dff7d in opj_j2k_update_image_data openjpeg/src/lib/openjp2/j2k.c:9192
    #2 0x55d04081a60f in opj_j2k_decode_tiles openjpeg/src/lib/openjp2/j2k.c:10732
    #3 0x55d0407d1c8f in opj_j2k_exec openjpeg/src/lib/openjp2/j2k.c:8096
    #4 0x55d040827500 in opj_j2k_decode openjpeg/src/lib/openjp2/j2k.c:11017
    #5 0x55d040842a44 in opj_jp2_decode openjpeg/src/lib/openjp2/jp2.c:1604
    #6 0x55d040777a45 in decode_image base/sjpx_openjpeg.c:407
    #7 0x55d040777a45 in s_opjd_process base/sjpx_openjpeg.c:734
    #8 0x55d040b61b79 in sreadbuf base/stream.c:823
    #9 0x55d040b72a98 in s_process_read_buf base/stream.c:749
    #10 0x55d0425e167a in image_file_continue psi/zimage.c:533
    #11 0x55d0424031b8 in interp psi/interp.c:1256
    #12 0x55d0424031b8 in gs_call_interp psi/interp.c:516
    #13 0x55d042412c0d in gs_interpret psi/interp.c:473
    #14 0x55d0423afe2f in gs_main_interpret psi/imain.c:235
    #15 0x55d0423afe2f in gs_main_run_string_end psi/imain.c:658
    #16 0x55d0423afe2f in gs_main_run_string_with_length psi/imain.c:610
    #17 0x55d0423afe2f in gs_main_run_string psi/imain.c:591
    #18 0x55d0423bd0e8 in run_string psi/imainarg.c:1034
    #19 0x55d0423bd0e8 in runarg psi/imainarg.c:1024
    #20 0x55d0423c698b in argproc psi/imainarg.c:957
    #21 0x55d0423c698b in gs_main_init_with_args psi/imainarg.c:233
    #22 0x55d03fc2c249 in main psi/gs.c:95
    #23 0x7f37297dfb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #24 0x55d03fc41289 in _start (XYZ/gs_asan/bin/gs+0x36a289)

0x7f36ee8b4841 is located 0 bytes to the right of 1440219201-byte region [0x7f3698b34800,0x7f36ee8b4841)
allocated by thread T0 here:
    #0 0x7f372b0c9b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x55d0419499c9 in gs_heap_alloc_bytes base/gsmalloc.c:193

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5ed19) 
Shadow bytes around the buggy address:
  0x0fe75dd0e8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe75dd0e8c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe75dd0e8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe75dd0e8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe75dd0e8f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe75dd0e900: 00 00 00 00 00 00 00 00[01]fa fa fa fa fa fa fa
  0x0fe75dd0e910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe75dd0e920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe75dd0e930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe75dd0e940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe75dd0e950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3306==ABORTING

[szukw000]

@fumfel ,
I used gs version 9.25.
winfried
gs.txt.zip

[sebras]

This was a bug in the allocator in Ghostscript, I have recently fixed this as part of bug 700056.

This is not a bug in openjpeg, so this bug can be closed.