
SIGILL openjpeg-2.5.0/src/lib/openjp2/dwt.c:385 in opj_idwt53_h_cas0() #1501

Open
schsiung opened this issue Jan 2, 2024 · 2 comments


schsiung commented Jan 2, 2024

Expected behavior and actual behavior.

Expected: the PoC (POC_openjpeg-2.5.0.tar.gz) runs without signal SIGILL.

Steps to reproduce the problem.

  1. ./opj_decompress -i id:000001.jp2 -o 2.pgm
[AFL++ 4547ba12d0d6] /data/openeuler/openjpeg2/openjpeg-2.5.0/build/bin # ./opj_decompress -i /data/openeuler/openjpeg2/openjpeg-2.5.0/tests/fuzzers/id:000001.jp2  -o 2.pgm

[INFO] Start to read j2k main header (385).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Header of tile 1 / 1 has been read.
Illegal instruction
[AFL++ 4547ba12d0d6] /data/openeuler/openjpeg2/openjpeg-2.5.0/build/bin # 
  2. GDB info: gdb ./opj_decompress
Starting program: /data/openeuler/openjpeg2/openjpeg-2.5.0/build/obj/bin/opj_decompress -i /data/openeuler/openjpeg2/openjpeg-2.5.0/tests/fuzzers/id:000001.jp2  -o 2.pgm
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

[INFO] Start to read j2k main header (385).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Header of tile 1 / 1 has been read.

Program received signal SIGILL, Illegal instruction.
0x00007ffff7cdf290 in opj_idwt53_h_cas0 (tmp=0x627000007100, tiledp=0x7ffff6e1ff40, sn=<optimized out>, len=<optimized out>) at /data/openeuler/openjpeg2/openjpeg-2.5.0/src/lib/openjp2/dwt.c:385
385             s0n = s1n - ((d1c + d1n + 2) >> 2);
(gdb) bt
#0  0x00007ffff7cdf290 in opj_idwt53_h_cas0 (tmp=0x627000007100, tiledp=0x7ffff6e1ff40, sn=<optimized out>, len=<optimized out>)
    at /data/openeuler/openjpeg2/openjpeg-2.5.0/src/lib/openjp2/dwt.c:385
#1  opj_idwt53_h (dwt=<optimized out>, tiledp=0x7ffff6e1ff40) at /data/openeuler/openjpeg2/openjpeg-2.5.0/src/lib/openjp2/dwt.c:493
#2  0x00007ffff7cdc084 in opj_dwt_decode_tile (tp=0x608000000020, tilec=<optimized out>, numres=<optimized out>) at /data/openeuler/openjpeg2/openjpeg-2.5.0/src/lib/openjp2/dwt.c:2124
#3  opj_dwt_decode (p_tcd=<optimized out>, tilec=<optimized out>, numres=<optimized out>) at /data/openeuler/openjpeg2/openjpeg-2.5.0/src/lib/openjp2/dwt.c:1917
#4  0x00007ffff7f53084 in opj_tcd_dwt_decode (p_tcd=0xc4e00000e45) at /data/openeuler/openjpeg2/openjpeg-2.5.0/src/lib/openjp2/tcd.c:2030
#5  opj_tcd_decode_tile (p_tcd=0xc4e00000e45, win_x0=<optimized out>, win_y0=<optimized out>, win_x1=<optimized out>, win_y1=<optimized out>, numcomps_to_decode=<optimized out>, 
    comps_indices=<optimized out>, p_src=<optimized out>, p_max_length=<optimized out>, p_tile_no=<optimized out>, p_cstr_index=<optimized out>, p_manager=<optimized out>)
    at /data/openeuler/openjpeg2/openjpeg-2.5.0/src/lib/openjp2/tcd.c:1706
#6  0x00007ffff7d9a8c7 in opj_j2k_decode_tile (p_j2k=<optimized out>, p_tile_index=<optimized out>, p_data=<optimized out>, p_data_size=<optimized out>, p_stream=0x60c000000040, 
    p_manager=<optimized out>) at /data/openeuler/openjpeg2/openjpeg-2.5.0/src/lib/openjp2/j2k.c:9862
#7  0x00007ffff7daea16 in opj_j2k_decode_tiles (p_j2k=<optimized out>, p_stream=<optimized out>, p_manager=<optimized out>) at /data/openeuler/openjpeg2/openjpeg-2.5.0/src/lib/openjp2/j2k.c:11664
#8  0x00007ffff7d88e71 in opj_j2k_exec (p_j2k=0xc4e00000e45, p_procedure_list=0x602000000030, p_stream=0x627000007100, p_manager=0x134)
    at /data/openeuler/openjpeg2/openjpeg-2.5.0/src/lib/openjp2/j2k.c:9006
#9  0x00007ffff7dac3f3 in opj_j2k_decode (p_j2k=0x613000000040, p_stream=0x134, p_image=0x604000000090, p_manager=0x14000001)
    at /data/openeuler/openjpeg2/openjpeg-2.5.0/src/lib/openjp2/j2k.c:12010
#10 0x00007ffff7dea970 in opj_jp2_decode (jp2=0x60f000000040, p_stream=0x627000007100, p_image=0x134, p_manager=0x14000001) at /data/openeuler/openjpeg2/openjpeg-2.5.0/src/lib/openjp2/jp2.c:1607
#11 0x00005555556878b3 in main (argc=<optimized out>, argv=<optimized out>) at /data/openeuler/openjpeg2/openjpeg-2.5.0/src/bin/jp2/opj_decompress.c:1582

Operating system

[AFL++ 4547ba12d0d6] /data/openeuler/openjpeg2/openjpeg-2.5.0/tests/fuzzers # uname -a
Linux 4547ba12d0d6 5.15.0-91-generic #101-Ubuntu SMP Tue Nov 14 13:30:08 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
[AFL++ 4547ba12d0d6] /data/openeuler/openjpeg2/openjpeg-2.5.0/tests/fuzzers # 

openjpeg version

2.5.0

rouault (Collaborator) commented Feb 18, 2024

I cannot reproduce with 2.5.0 nor master. Which build options did you use to build openjpeg?


Mech0n commented Aug 28, 2024

I cannot reproduce with 2.5.0, but I found an undefined behavior bug.

➜  bin ./opj_decompress -i ../../../../id:000000.j2k  -o test.raw

[INFO] Start to read j2k main header (0).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Header of tile 1 / 1 has been read.
1471/openjpeg-2.5.0/src/lib/openjp2/ht_dec.c:1192:13: runtime error: null pointer passed as argument 1, which is declared to never be null
[WARNING] A malformed codeblock that has more than one coding pass, but zero length for 2nd and potentially the 3rd pass in an HT codeblock.
[ERROR] Malformed HT codeblock. Invalid codeblock length values.
[ERROR] Failed to decode.
[ERROR] Failed to decode tile 1/1
ERROR -> opj_decompress: failed to decode image!
