global-buffer-overflow src/lib/openjp2/t1.c:1146 opj_t1_getwmsedec #436

Closed
gcode-importer opened this issue Nov 18, 2014 · 4 comments

@gcode-importer

Originally reported on Google Code with ID 436

Trying to add data from issue 416 to the test suite, I ran into this. The bug was already present; it's not a regression from issue 416.

Compression uses MCT, but with more than 3 components t1 tries to read the MCT norm for channels after the first 3. For 4-channel data with the reversible transform, the norm read is the one of the 1st component of the irreversible transform (probably depending on the compiler). This nevertheless generates the following ASan error.

```text
bin/opj_compress -i ../../data/input/nonregression/basn6a08.png -o 0.jp2 -n 5

[INFO] tile number 1 / 1
=================================================================
==31115==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00010c293598 at pc 0x00010c26e58c bp 0x7fff548f1680 sp 0x7fff548f1678
READ of size 8 at 0x00010c293598 thread T0
    #0 0x10c26e58b in opj_t1_getwmsedec /Users/Matt/Dev/OpenJpeg/issue/src/lib/openjp2/t1.c:1146:3
    #1 0x10c26ce87 in opj_t1_encode_cblk /Users/Matt/Dev/OpenJpeg/issue/src/lib/openjp2/t1.c:1629:17
    #2 0x10c26c519 in opj_t1_encode_cblks /Users/Matt/Dev/OpenJpeg/issue/src/lib/openjp2/t1.c:1542:7
    #3 0x10c28396e in opj_tcd_t1_encode /Users/Matt/Dev/OpenJpeg/issue/src/lib/openjp2/tcd.c:1983:15
    #4 0x10c282d6e in opj_tcd_encode_tile /Users/Matt/Dev/OpenJpeg/issue/src/lib/openjp2/tcd.c:1176:23
    #5 0x10c245f2c in opj_j2k_write_sod /Users/Matt/Dev/OpenJpeg/issue/src/lib/openjp2/j2k.c:4326:15
    #6 0x10c2450d1 in opj_j2k_write_first_tile_part /Users/Matt/Dev/OpenJpeg/issue/src/lib/openjp2/j2k.c:10237:15
    #7 0x10c23c7e7 in opj_j2k_post_write_tile /Users/Matt/Dev/OpenJpeg/issue/src/lib/openjp2/j2k.c:10077:15
    #8 0x10c23b6cd in opj_j2k_encode /Users/Matt/Dev/OpenJpeg/issue/src/lib/openjp2/j2k.c:9837:23
    #9 0x10b30a73d in main /Users/Matt/Dev/OpenJpeg/issue/src/bin/jp2/opj_compress.c:1801:36
    #10 0x7fff8f0735c8 in start (/usr/lib/system/libdyld.dylib+0x35c8)
    #11 0x6 (<unknown module>)

0x00010c293598 is located 40 bytes to the left of global variable 'opj_mct_norms_real' defined in '/Users/Matt/Dev/OpenJpeg/issue/src/lib/openjp2/mct.c:54:26' (0x10c2935c0) of size 24
0x00010c293598 is located 0 bytes to the right of global variable 'opj_mct_norms' defined in '/Users/Matt/Dev/OpenJpeg/issue/src/lib/openjp2/mct.c:49:26' (0x10c293580) of size 24
SUMMARY: AddressSanitizer: global-buffer-overflow /Users/Matt/Dev/OpenJpeg/issue/src/lib/openjp2/t1.c:1146 opj_t1_getwmsedec
```

Reported by mayeut on 2014-11-18 21:28:26

@gcode-importer

1st patch (probably not compatible with custom MCT; this one allowed me to verify quickly that the ASan error went away. The 2nd is undergoing testing).
Verified against the test suite & OK.

Reported by mayeut on 2014-11-18 22:24:33


- _Attachment: [issue436-mct-3.patch](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-436/comment-1/issue436-mct-3.patch)_

@gcode-importer

@antonin,

2nd patch taking into account custom MCT. According to setup_encoder, if the image has N components, the MCT shall use N components. I do not have ISO 15444 part-2 (I guess), so I can't verify this.

Verified against the test suite & OK.
I do have test data ready to commit also (not committing until security issue is fixed).

Reported by mayeut on 2014-11-18 22:37:36

  • Status changed: Verified

- _Attachment: [issue436-mct-N.patch](https://storage.googleapis.com/google-code-attachments/openjpeg/issue-436/comment-2/issue436-mct-N.patch)_

@gcode-importer

15444-2 allows many more things than what is currently implemented in OPJ. But the array-based
custom MCT shall use all the image components. So the patch is indeed ok. Many thanks.

Reported by detonin on 2014-12-09 12:08:35
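An added illustration, not OpenJPEG's own code and not either attached patch, of the lookup behind this report and the guard that closes it: the fixed three-component MCT from the report (a 3-entry norm table indexed by a 4-component image's component number) beside the N-component array-based custom MCT discussed in the comments above. The table names, the sample norm values and all function names are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the two 3-entry norm tables that the ASan
 * report shows as 24-byte globals in mct.c; the values are sample numbers. */
#define FIXED_MCT_NUMCOMPS 3
static const double norms_rev[FIXED_MCT_NUMCOMPS]   = {1.732, 0.8292, 0.8292};
static const double norms_irrev[FIXED_MCT_NUMCOMPS] = {1.732, 1.805, 1.573};

/* Shape of the defective lookup: it trusts the caller that compno is below
 * the table length, so component 3 of an RGBA image reads 8 bytes past the
 * table (the read "0 bytes to the right of opj_mct_norms" in the report).
 * Kept for comparison only; never call it with compno >= the table length. */
static double norm_unchecked(const double *norms, unsigned compno) {
    return norms[compno];
}

/* Guarded lookup: the table length travels with the table, and a component
 * the MCT did not transform keeps weight 1.0 instead of reading past it. */
static double norm_checked(const double *norms, unsigned mct_numcomps,
                           unsigned compno) {
    if (norms == NULL || compno >= mct_numcomps) return 1.0;
    return norms[compno];
}

/* Fill out[0..numcomps) with each component's MCT weight. The fixed RCT/ICT
 * transforms only the first three components (mct_numcomps == 3); an
 * array-based custom MCT covers every component, so its caller passes a
 * table of numcomps entries. Returns how many components the unchecked
 * lookup would have read out of bounds. */
static unsigned component_weights(const double *norms, unsigned mct_numcomps,
                                  unsigned numcomps, double *out) {
    unsigned out_of_bounds = 0;
    for (unsigned c = 0; c < numcomps; c++) {
        if (c >= mct_numcomps) out_of_bounds++;
        out[c] = norm_checked(norms, mct_numcomps, c);
    }
    return out_of_bounds;
}

int main(void) {
    /* basn6a08.png from the report: 4 components, reversible (lossless) MCT */
    double w[4];
    unsigned bad = component_weights(norms_rev, FIXED_MCT_NUMCOMPS, 4, w);
    for (unsigned c = 0; c < 4; c++)
        printf("component %u: weight %g\n", c, w[c]);
    printf("%u component(s) would have read past the table\n", bad);
    return 0;
}
```

With the report's 4-component input the guarded path leaves component 3 at weight 1.0 and reports one would-be out-of-bounds read; with a custom MCT table of numcomps entries it reports none.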

@gcode-importer

This issue was closed by revision r2951.

Reported by detonin on 2014-12-09 12:09:22

  • Status changed: Fixed
