Heap-use-after-free in opj_t1_decode_cblks

[gcode-importer]

Originally reported on Google Code with ID 398

issue 414504: Heap-use-after-free in opj_t1_decode_cblks
    http://code.google.com/p/chromium/issues/detail?id=414504

Reported by detonin on 2014-09-17 09:11:36

[gcode-importer]

Reported by detonin on 2014-09-17 09:17:09

• Labels added: OpjVersion-2.x

[gcode-importer]

Reproduced on trunk r2885

./bin/opj_decompress -i ../../data/issue398/0.jp2 -o 0.bmp

[INFO] Start to read j2k main header (119).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Header of tile 0 / 8 has been read.
[INFO] Tile 1/9 has been decoded.
[INFO] Image data has been updated with tile 1.

[INFO] Header of tile 1 / 8 has been read.
[INFO] Tile 2/9 has been decoded.
[INFO] Image data has been updated with tile 2.

[INFO] Header of tile 2 / 8 has been read.
[INFO] Tile 3/9 has been decoded.
[INFO] Image data has been updated with tile 3.

[INFO] Header of tile 3 / 8 has been read.
[INFO] Tile 4/9 has been decoded.
[INFO] Image data has been updated with tile 4.

[INFO] Header of tile 4 / 8 has been read.
=================================================================
==33711==ERROR: AddressSanitizer: heap-use-after-free on address 0x03302a30 at pc 0x008634f2
bp 0xbff1c238 sp 0xbff1c234
READ of size 4 at 0x03302a30 thread T0
    #0 0x8634f1 in opj_t1_decode_cblk /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/t1.c:1404:4
    #1 0x862637 in opj_t1_decode_cblks /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/t1.c:1289:38
    #2 0x87d389 in opj_tcd_t1_decode /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/tcd.c:1513:34
    #3 0x87d040 in opj_tcd_decode_tile /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/tcd.c:1232:20
    #4 0x829e17 in opj_j2k_decode_tile /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:7796:15
    #5 0x83e597 in opj_j2k_decode_tiles /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:9305:23
    #6 0x825f27 in opj_j2k_exec /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:7187:41
    #7 0x82f8b3 in opj_j2k_decode /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:9496:15
    #8 0x845b7f in opj_jp2_decode /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/jp2.c:1300:8
    #9 0x850f63 in opj_decode /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/openjpeg.c:412:10
    #10 0xe686c in main /Users/Matt/Dev/OpenJpeg/issue391/src/bin/jp2/opj_decompress.c:821:10
    #11 0x94511700 in start (/usr/lib/system/libdyld.dylib+0x3700)
    #12 0x4 (<unknown module>)

0x03302a30 is located 0 bytes inside of 112-byte region [0x03302a30,0x03302aa0)
freed by thread T0 here:
    #0 0x34b13a in wrap_realloc (/Users/Matt/Dev/llvm-clang-3.5.0-macosx-apple-darwin/lib/clang/3.5.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x3013a)
    #1 0x87a33c in opj_tcd_init_decode_tile /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/tcd.c:1001:1
    #2 0x8280f7 in opj_j2k_read_tile_header /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:7747:15
    #3 0x83e467 in opj_j2k_decode_tiles /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:9277:23
    #4 0x825f27 in opj_j2k_exec /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:7187:41
    #5 0x82f8b3 in opj_j2k_decode /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:9496:15
    #6 0x845b7f in opj_jp2_decode /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/jp2.c:1300:8
    #7 0x850f63 in opj_decode /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/openjpeg.c:412:10
    #8 0xe686c in main /Users/Matt/Dev/OpenJpeg/issue391/src/bin/jp2/opj_decompress.c:821:10
    #9 0x94511700 in start (/usr/lib/system/libdyld.dylib+0x3700)
    #10 0x4 (<unknown module>)

previously allocated by thread T0 here:
    #0 0x34b13a in wrap_realloc (/Users/Matt/Dev/llvm-clang-3.5.0-macosx-apple-darwin/lib/clang/3.5.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x3013a)
    #1 0x87a33c in opj_tcd_init_decode_tile /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/tcd.c:1001:1
    #2 0x8280f7 in opj_j2k_read_tile_header /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:7747:15
    #3 0x83e467 in opj_j2k_decode_tiles /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:9277:23
    #4 0x825f27 in opj_j2k_exec /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:7187:41
    #5 0x82f8b3 in opj_j2k_decode /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/j2k.c:9496:15
    #6 0x845b7f in opj_jp2_decode /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/jp2.c:1300:8
    #7 0x850f63 in opj_decode /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/openjpeg.c:412:10
    #8 0xe686c in main /Users/Matt/Dev/OpenJpeg/issue391/src/bin/jp2/opj_decompress.c:821:10
    #9 0x94511700 in start (/usr/lib/system/libdyld.dylib+0x3700)
    #10 0x4 (<unknown module>)

SUMMARY: AddressSanitizer: heap-use-after-free /Users/Matt/Dev/OpenJpeg/issue391/src/lib/openjp2/t1.c:1404
opj_t1_decode_cblk
Shadow bytes around the buggy address:
  0x206604f0: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
  0x20660500: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x20660510: fd fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
  0x20660520: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x20660530: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
=>0x20660540: fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd fd fd
  0x20660550: fd fd fd fd fa fa fa fa fa fa fa fa fd fd fd fd
  0x20660560: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x20660570: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x20660580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x20660590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  ASan internal:           fe
==33711==ABORTING

Reported by mayeut on 2014-09-20 13:25:47

---

- _Attachment: [0.jp2](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-398/comment-2/0.jp2)_

[gcode-importer]

+ cc Bo Xu from Foxit 

... so that you can follow what happens on these issues.

Reported by detonin on 2014-09-28 21:18:38

[gcode-importer]

kdu_expand -i ../../data/issue398/0.jp2 -o 0.bmp
Kakadu Core Error:
Illegal component index supplied in call to `kdu_codesteram::get_dims'.

Reported by mayeut on 2014-09-30 19:52:00

[gcode-importer]

Should be fixed by commit r2901 (Issue 413 / Issue 400)

ASan build r2901 (x86, MacOs - same as comment #2) :
./bin/opj_decompress -i ../../data/issue398/0.jp2 -o 0.bmp

[INFO] Start to read j2k main header (119).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Header of tile 1 / 9 has been read.
[INFO] Tile 1/9 has been decoded.
[INFO] Image data has been updated with tile 1.

[INFO] Header of tile 2 / 9 has been read.
[INFO] Tile 2/9 has been decoded.
[INFO] Image data has been updated with tile 2.

[INFO] Header of tile 3 / 9 has been read.
[INFO] Tile 3/9 has been decoded.
[INFO] Image data has been updated with tile 3.

[INFO] Header of tile 4 / 9 has been read.
[INFO] Tile 4/9 has been decoded.
[INFO] Image data has been updated with tile 4.

[ERROR] Unknown progression order in COD marker
[INFO] Header of tile 5 / 9 has been read.
[ERROR] Failed to decode.
[ERROR] Failed to decode tile 5/9
[ERROR] Failed to decode the codestream in the JP2 file
ERROR -> opj_decompress: failed to decode image!

Reported by mayeut on 2014-10-21 18:37:54

[gcode-importer]

@bo : do you confirm it's fixed on your side ?

Reported by detonin on 2014-10-22 10:43:53

[gcode-importer]

Yes, this is fixed in pdfium, thanks!

Reported by bo_xu@foxitsoftware.com on 2014-10-22 17:01:16

[gcode-importer]

Reported by detonin on 2014-10-22 21:01:02

• Status changed: Fixed