
[CVE-2016-10506] division-by-zero (SIGFPE) error in opj_pi_next_cprl function (line 523 of pi.c) #731

Closed
trylab opened this issue Mar 28, 2016 · 7 comments

Comments

@trylab
Contributor

trylab commented Mar 28, 2016


Testing Environment

Ubuntu + OpenJPEG (GitHub master, 2016/03/28)


Exception Information

Program received signal SIGFPE, Arithmetic exception.
0xb7fb8ca1 in opj_pi_next_cprl (pi=0x80850d8) 
    at /home/username/Desktop/openjpeg/src/lib/openjp2/pi.c:523
523  if (!((pi->y % (OPJ_INT32)(comp->dy << rpy) == 0) || 
        ((pi->y == pi->ty0) && ((try0 << levelno) % (1 << rpy))))){

(gdb) p rpy
$4 = 26
(gdb) p comp->dy
$5 = 128

(gdb) bt
#0  0xb7fb8ca1 in opj_pi_next_cprl (pi=0x80850d8) 
    at /home/username/Desktop/openjpeg/src/lib/openjp2/pi.c:523
#1  0xb7fbc4cc in opj_pi_next (pi=0x80850d8) 
    at /home/username/Desktop/openjpeg/src/lib/openjp2/pi.c:1871
#2  0xb7fc0b8d in opj_t2_decode_packets (p_t2=0x8084a90, p_tile_no=0, 
                                         p_tile=0x80658d0, p_src=0x80668d8 "\337\aV", 
                                         p_data_read=0xbfff9dec, p_max_len=0, 
                                         p_cstr_index=0x8061d68, p_manager=0x80601e4) 
    at /home/username/Desktop/openjpeg/src/lib/openjp2/t2.c:412
#3  0xb7fc6368 in opj_tcd_t2_decode (p_tcd=0x8065890, p_src_data=0x80668d8 "\337\aV", 
                                     p_data_read=0xbfff9dec, p_max_src_size=225, 
                                     p_cstr_index=0x8061d68, p_manager=0x80601e4) 
    at /home/username/Desktop/openjpeg/src/lib/openjp2/tcd.c:1552
#4  0xb7fc5d17 in opj_tcd_decode_tile (p_tcd=0x8065890, p_src=0x80668d8 "\337\aV", 
                                       p_max_length=225, p_tile_no=0, 
                                       p_cstr_index=0x8061d68, p_manager=0x80601e4) 
    at /home/username/Desktop/openjpeg/src/lib/openjp2/tcd.c:1291
#5  0xb7fa832a in opj_j2k_decode_tile (p_j2k=0x8060298, p_tile_index=0, 
                                       p_data=0x80664c8 "", p_data_size=97, 
                                       p_stream=0x8060170, p_manager=0x80601e4)
    at /home/username/Desktop/openjpeg/src/lib/openjp2/j2k.c:8125
#6  0xb7fac369 in opj_j2k_decode_tiles (p_j2k=0x8060298, p_stream=0x8060170, 
                                        p_manager=0x80601e4)
    at /home/username/Desktop/openjpeg/src/lib/openjp2/j2k.c:9745
#7  0xb7fa661e in opj_j2k_exec (p_j2k=0x8060298, p_procedure_list=0x8062420, 
                                p_stream=0x8060170, p_manager=0x80601e4)
    at /home/username/Desktop/openjpeg/src/lib/openjp2/j2k.c:7341
#8  0xb7facaf9 in opj_j2k_decode (p_j2k=0x8060298, p_stream=0x8060170, 
                                  p_image=0x8065cc0, p_manager=0x80601e4)
    at /home/username/Desktop/openjpeg/src/lib/openjp2/j2k.c:9943
#9  0xb7fb1aad in opj_jp2_decode (jp2=0x8060210, p_stream=0x8060170, 
                                  p_image=0x8065cc0, p_manager=0x80601e4)
    at /home/username/Desktop/openjpeg/src/lib/openjp2/jp2.c:1487
#10 0xb7fb6c79 in opj_decode (p_codec=0x80601b8, p_stream=0x8060170, p_image=0x8065cc0) 
    at /home/username/Desktop/openjpeg/src/lib/openjp2/openjpeg.c:412
#11 0x0804c2c0 in main (argc=5, argv=0xbffff124) 
    at /home/username/Desktop/openjpeg/src/bin/jp2/opj_decompress.c:1330

Simple Analysis

The value of comp->dy is 128 and the value of rpy is 26.
The value evaluated from (OPJ_INT32)(comp->dy << rpy) is 0 (128<<26 == 0).
The code pi->y%(OPJ_INT32)(comp->dy<<rpy) will cause a divide-by-zero exception (SIGFPE).


Proof-of-Concept file

Use poc.j2k.


Credit

This vulnerability was discovered by Ke Liu of Tencent's Xuanwu LAB.
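A guarded form of the divisor built at pi.c:523, added here to illustrate the 32-bit wrap the report describes and how a decoder can reject it instead of trapping. This is constructed example code, not OpenJPEG's code and not the fix in d27ccf0; the `OPJ_UINT32`/`OPJ_INT32` typedefs are assumed stand-ins for the library's own, and `comp->dy` is assumed to be unsigned.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed stand-ins for OpenJPEG's integer typedefs (not the library's headers). */
typedef uint32_t OPJ_UINT32;
typedef int32_t  OPJ_INT32;

/* The divisor exactly as the reported line builds it: a 32-bit shift that
 * wraps silently. With dy = 128 (2^7) and rpy = 26 the product is 2^33,
 * which is 0 in 32 bits, so the following `%` traps with SIGFPE. */
OPJ_INT32 divisor_as_reported(OPJ_UINT32 dy, OPJ_UINT32 rpy)
{
    return (OPJ_INT32)(dy << rpy);
}

/* Hardened divisor: refuses a zero step, a shift count that is undefined
 * or meaningless for 32-bit values, a shift that loses bits (detected by
 * shifting back and comparing), and a result that would turn negative when
 * cast to OPJ_INT32. Returns true and stores the divisor only when it is
 * safe to use as the right-hand side of `%`. */
bool divisor_checked(OPJ_UINT32 dy, OPJ_UINT32 rpy, OPJ_INT32 *out)
{
    if (dy == 0 || rpy >= 31) {
        return false;
    }
    OPJ_UINT32 shifted = dy << rpy;
    if ((shifted >> rpy) != dy) {
        return false;                       /* overflow: high bits were lost */
    }
    if (shifted > (OPJ_UINT32)INT32_MAX) {
        return false;                       /* would be negative as OPJ_INT32 */
    }
    *out = (OPJ_INT32)shifted;
    return true;
}

/* Guarded form of the test `pi->y % (OPJ_INT32)(comp->dy << rpy) == 0`.
 * Returns 1 or 0 for the test result, and -1 when the codestream parameters
 * make the divisor unusable, so the caller can reject the tile instead of
 * crashing the decoder. */
int y_on_grid(OPJ_INT32 y, OPJ_UINT32 dy, OPJ_UINT32 rpy)
{
    OPJ_INT32 div;
    if (!divisor_checked(dy, rpy, &div)) {
        return -1;
    }
    return (y % div == 0) ? 1 : 0;
}
```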

@mayeut
Collaborator

mayeut commented May 5, 2016

@trylab, this image shows the same exception as #733, not the one described here. Is this the right POC file?

@trylab
Contributor Author

trylab commented May 6, 2016

@mayeut Sorry for the mistake. Please use poc.j2k here.

@malaterre
Collaborator

Here is what I see using kakadu:

$ kdu_expand -i poc.j2k -o poc.tif
Error in Kakadu File Format Support:
Malformed image header box (ihdr) found in JP2-family data source.  The box
contains fields which do not conform to their legal range.

@trylab
Contributor Author

trylab commented Sep 22, 2016

I think the problem is not in the ihdr box. Let me give you a minimized poc file. You can have a look at it.
issue731.j2k.removeme.txt

Kakadu output:

Kakadu Core Error:
Missing or invalid coding parameter attribute.  You are probably receiving this
error when trying to parse or decode a codestream with missing or invalid
marker segments in the main or tile-part headers.

@malaterre
Collaborator

Why do I see this:

$ kdu_expand -i issue731.j2k -o foo.tif
Kakadu Core Error:
Illegal colour transform specified when image has insufficient or incompatible
colour components.

@trylab
Contributor Author

trylab commented Sep 23, 2016

Maybe the versions of kakadu are different. Can you try this new poc file?
issue731_2.j2k.txt

@detonin detonin modified the milestones: OPJ v2.1.2, OPJ v2.1.3 Sep 29, 2016
@rouault
Collaborator

rouault commented Jul 26, 2017

Fixed per d27ccf0

@rouault rouault closed this as completed Jul 26, 2017
@trylab trylab changed the title division-by-zero (SIGFPE) error in opj_pi_next_cprl function (line 523 of pi.c) [CVE-2016-10506] division-by-zero (SIGFPE) error in opj_pi_next_cprl function (line 523 of pi.c) Aug 30, 2017