Heap buffer overflow read in openjpeg imagetopnm #970
@Javantea, [2]marker(0xff51) All values should be the same. The fuzzer has changed the value for the winfried |
…er components to avoid read heap buffer overflow (#970)
During fuzzing valgrind found a heap buffer overflow read.
On line 1885 of openjpeg-2.1.2/src/bin/jp2/convert.c
imagetopnm:

```c
v = *alpha++;
```
On line 8231 of openjpeg-2.1.2/src/lib/openjp2/j2k.c
opj_j2k_update_image_data:

```c
l_img_comp_dest->data = (OPJ_INT32*) opj_calloc(l_width * l_height, sizeof(OPJ_INT32));
```
l_width is taken from l_img_comp_dest->w. This is not the same value used in imagetopnm to read the components.
As you can see in imagetopnm, the width and height of the first field are used.

```c
wr = (int)image->comps[0].w; hr = (int)image->comps[0].h;
```
The fuzzer that found this issue is open source and available here along with the file that caused the issue:
https://www.altsci.com/jrsfuzz/
This file doesn't affect opj_decompress when converting to png, bmp, raw, and pgm because they either parse the file correctly or they error:
```
[ERROR] Error generating png file. Outfile crashers/jp2/fuzzfile0kqh22_c.jp2.png not generated
```
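The mismatch the report describes, as an added example that is not openjpeg's own code: each component buffer is sized from that component's own w and h, but the PNM writer walks every component with comps[0]'s geometry, so an alpha component that the SIZ marker declares smaller than comps[0] is read past its allocation. The struct layout, the `build_image` constructor, `alpha_reads_out_of_bounds`, `comps_same_geometry` and `pack_rgba_checked` are all assumed stand-ins written for this example; the 4x4 / 2x2 sizes are constructed to mirror the fuzzed file, not taken from it. The hardened packer refuses an image whose components disagree in geometry instead of trusting comps[0] for all of them.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Example stand-ins for opj_image_comp_t / opj_image_t (assumed, not the
 * library's definitions): only the fields this example needs. */
typedef struct {
    uint32_t w, h;    /* per-component size, as read from the SIZ marker */
    uint32_t prec;
    int32_t *data;    /* allocated w * h entries, like opj_j2k_update_image_data */
} comp_t;

typedef struct {
    uint32_t numcomps;
    comp_t *comps;
} image_t;

/* Allocate one component exactly the way the decoder sizes it: its own w*h.
 * Sample values (constructed) are filled in so packed output is checkable. */
static int alloc_comp(comp_t *c, uint32_t w, uint32_t h, int32_t base) {
    c->w = w; c->h = h; c->prec = 8;
    c->data = (int32_t *)calloc((size_t)w * h, sizeof(int32_t));
    if (!c->data) return 0;
    for (size_t j = 0; j < (size_t)w * h; j++) c->data[j] = base + (int32_t)j;
    return 1;
}

/* How many alpha reads an unchecked imagetopnm-style loop (looping over
 * comps[0].w * comps[0].h and doing v = *alpha++) would make past the end of
 * comps[3]'s buffer. Pure arithmetic, so it is safe to call on a bad image. */
size_t alpha_reads_out_of_bounds(const image_t *img) {
    size_t wanted = (size_t)img->comps[0].w * img->comps[0].h;
    size_t have   = (size_t)img->comps[3].w * img->comps[3].h;
    return wanted > have ? wanted - have : 0;
}

/* The check a PNM/PAM writer needs before indexing every component with
 * comps[0]'s geometry: all components must share w, h and precision. */
int comps_same_geometry(const image_t *img) {
    for (uint32_t i = 1; i < img->numcomps; i++) {
        if (img->comps[i].w != img->comps[0].w ||
            img->comps[i].h != img->comps[0].h ||
            img->comps[i].prec != img->comps[0].prec)
            return 0;
    }
    return 1;
}

/* Hardened RGBA -> 8-bit interleaved packer. Returns bytes written into out,
 * or -1 if the components disagree in geometry or out is too small. Every
 * buffer is indexed only within its own (now verified equal) w*h. */
long pack_rgba_checked(const image_t *img, unsigned char *out, size_t out_len) {
    if (img->numcomps < 4 || !comps_same_geometry(img)) return -1;
    size_t n = (size_t)img->comps[0].w * img->comps[0].h;
    if (out_len < n * 4) return -1;
    const int32_t *r = img->comps[0].data, *g = img->comps[1].data,
                  *b = img->comps[2].data, *a = img->comps[3].data;
    for (size_t i = 0; i < n; i++) {
        out[4 * i + 0] = (unsigned char)r[i];
        out[4 * i + 1] = (unsigned char)g[i];
        out[4 * i + 2] = (unsigned char)b[i];
        out[4 * i + 3] = (unsigned char)a[i];  /* bounded by the geometry check */
    }
    return (long)(n * 4);
}

/* Constructed image: components 0-2 are 4x4, alpha is alpha_w x alpha_h.
 * (2, 2) models a fuzzed SIZ entry; (4, 4) models a well-formed file. */
image_t *build_image(uint32_t alpha_w, uint32_t alpha_h) {
    image_t *img = (image_t *)calloc(1, sizeof *img);
    img->numcomps = 4;
    img->comps = (comp_t *)calloc(4, sizeof(comp_t));
    for (uint32_t i = 0; i < 3; i++) alloc_comp(&img->comps[i], 4, 4, (int32_t)(10 * i));
    alloc_comp(&img->comps[3], alpha_w, alpha_h, 30);
    return img;
}

void free_image(image_t *img) {
    for (uint32_t i = 0; i < img->numcomps; i++) free(img->comps[i].data);
    free(img->comps);
    free(img);
}

int main(void) {
    unsigned char out[64];
    image_t *bad = build_image(2, 2);
    printf("fuzzed image: unchecked loop reads %zu alpha values past the buffer, "
           "checked packer returns %ld\n",
           alpha_reads_out_of_bounds(bad), pack_rgba_checked(bad, out, sizeof out));
    free_image(bad);
    image_t *good = build_image(4, 4);
    printf("well-formed image: %zu out-of-bounds reads, checked packer returns %ld\n",
           alpha_reads_out_of_bounds(good), pack_rgba_checked(good, out, sizeof out));
    free_image(good);
    return 0;
}
```

The geometry check is the cheap, general form of the fix: rather than special-casing alpha, it rejects any file where the SIZ marker gives components different sizes before a writer that assumes one size touches their buffers.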