Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

The fuzzer ignores too many inputs #1079

Closed
setharnold opened this issue Feb 14, 2018 · 5 comments
Closed

The fuzzer ignores too many inputs #1079

setharnold opened this issue Feb 14, 2018 · 5 comments

Comments

@setharnold
Copy link
Contributor

// Reject too big images since that will require allocating a lot of

Hello. There are many places in openjpeg where multiplications are performed without checking that the results will not overflow. I've found them in memory allocations and loop bounds, and there's a good chance there's some that aren't very obvious.

Sadly, the fuzzer does have integer overflow bounds checks, as well as draconian input size restrictions, that basically guarantee oss-fuzz cannot spot many of the inputs that may cause openjpeg to behave unsafely.

Please consider removing most of these checks, or all, so that the library will be confronted with inputs that are actually hostile -- larger than 65k pixels in both dimensions, or larger than that in one, etc., so that UBSAN can point out the unsafe multiplications.

Thanks

    // Reject too big images since that will require allocating a lot of
    // memory
    if (width != 0 && psImage->numcomps != 0 &&
            (width > INT_MAX / psImage->numcomps ||
             height > INT_MAX / (width * psImage->numcomps * sizeof(OPJ_UINT32)))) {
        opj_stream_destroy(pStream);
        opj_destroy_codec(pCodec);
        opj_image_destroy(psImage);

        return 0;
    }

    // Also reject too big tiles.
    // TODO: remove this limitation when subtile decoding no longer imply
    // allocation memory for whole tile
    opj_codestream_info_v2_t* pCodeStreamInfo = opj_get_cstr_info(pCodec);
    OPJ_UINT32 nTileW, nTileH;
    nTileW = pCodeStreamInfo->tdx;
    nTileH = pCodeStreamInfo->tdy;
    opj_destroy_cstr_info(&pCodeStreamInfo);
    if (nTileW > 2048 || nTileH > 2048) {
        opj_stream_destroy(pStream);
        opj_destroy_codec(pCodec);
        opj_image_destroy(psImage);

        return 0;
    }

    OPJ_UINT32 width_to_read = width;
    if (width_to_read > 1024) {
        width_to_read = 1024;
    }
    OPJ_UINT32 height_to_read = height;
    if (height_to_read > 1024) {
        height_to_read = 1024;
}
@rouault
Copy link
Collaborator

rouault commented Feb 25, 2018

oss-fuzz doesn't like more than 2GB allocations even when the library properly handle them, so for now those checks must remain. untiil we manage to make sure that all memory allocations in the library are of "reasonable" size, which is a untrivial effort

@setharnold
Copy link
Contributor Author

Hello Even,

This is unfortunate. I can appreciate the desire to keep the tests to
something very small and very quick.

Based on my reading of the oss-fuzz FAQ, I don't think this would actually
create a huge flood of new bugs:

https://github.com/google/oss-fuzz/blob/master/docs/faq.md#how-do-you-handle-timeouts-and-ooms

So, we report only one timeout and only one OOM bug per fuzz target.
Once that bug is fixed, we will file another one, and so on.

Thus I think these checks should be relaxed. If the fuzzer created an
input that is 40,000 x 40,000 pixels, it'll trip the two gigabyte limit
and die. You'll get a useless bug report about it, and ignore it. If
you never fix it, it should be the last you see.

But an input that is 66,000 x 66,000 pixels would succeed in creating
an allocation roughly one megabyte in size, and then trip ASAN checks.

It may not be the most efficient use of Google's infrastructure to run
tests that we know will trip the OOM checks but I believe it's within
the spirit of the offering if it helps to uncover inputs that would
cause real trouble in the wild.

Thanks

@setharnold
Copy link
Contributor Author

Hello Even, all,

I did a quick bit of looking through the past year's worth of oss-fuzz reports for libreoffice. There's roughly 260 "out of memory" reports out of roughly 800 filed issues, and as far as I know there haven't been any nastygrams from Google.

Please consider removing these constraints in the fuzzer so that the similar flaws in the deployed openjpeg library code can be exposed.

Thanks

@setharnold
Copy link
Contributor Author

Hello, while discussing this issue with Michael Catanzaro, he mentioned that I could have been more clear. So please allow me to restate my suggestions:

First, the fuzzer has security checks that the library is missing. Because of these security checks, the fuzzer is prematurely throwing away inputs that would expose probably exploitable memory errors.

Second, because the library is missing these security checks, malicious inputs can almost certainly allow remote code execution.

I strongly recommend moving the integer overflow checks from the fuzzer to the library.

I also recommend removing the image size constraints in the fuzzer. The nice people at oss-fuzz have never once complained to the LibreOffice team due to the handful of "out of memory" reports. I can't speak for the oss-fuzz team but I suspect they would much rather the fuzzer be looking for actual issues than discarding the inputs most likely to expose crashes.

Thanks

@setharnold
Copy link
Contributor Author

setharnold commented Jun 15, 2019 via email

mtremer pushed a commit to ipfire/ipfire-2.x that referenced this issue Apr 29, 2022
- Update from version 2.3.1 to 2.4.0
- Update of rootfile
- Changelog
    2.4.0
	**Closed issues:**
		- OPENJPEG\_INSTALL\_DOC\_DIR does not control a destination directory where HTML docs would be installed. [\#1309](uclouvain/openjpeg#1309)
		- Heap-buffer-overflow in lib/openjp2/pi.c:312 [\#1302](uclouvain/openjpeg#1302)
		- Heap-buffer-overflow in lib/openjp2/t2.c:973 [\#1299](uclouvain/openjpeg#1299)
		- Heap-buffer-overflow in lib/openjp2/pi.c:623 [\#1293](uclouvain/openjpeg#1293)
		- Global-buffer-overflow in lib/openjp2/dwt.c:1980 [\#1286](uclouvain/openjpeg#1286)
		- Heap-buffer-overflow in lib/openjp2/tcd.c:2417 [\#1284](uclouvain/openjpeg#1284)
		- Heap-buffer-overflow in lib/openjp2/mqc.c:499 [\#1283](uclouvain/openjpeg#1283)
		- Openjpeg could not encode 32bit RGB float image [\#1281](uclouvain/openjpeg#1281)
		- Openjpeg could not encode 32bit RGB float image [\#1280](uclouvain/openjpeg#1280)
		- ISO/IEC 15444-1:2019 \(E\) compared with 'cio.h' [\#1277](uclouvain/openjpeg#1277)
		- Test-suite failure due to hash mismatch [\#1264](uclouvain/openjpeg#1264)
		- Heap use-after-free [\#1261](uclouvain/openjpeg#1261)
		- Memory leak when failing to allocate object... [\#1259](uclouvain/openjpeg#1259)
		- Memory leak of Tier 1 handle when OpenJPEG fails to set it as TLS... [\#1257](uclouvain/openjpeg#1257)
		- Any plan to build release for CVE-2020-8112/CVE-2020-6851 [\#1247](uclouvain/openjpeg#1247)
		- failing to convert 16-bit file: opj\_t2\_encode\_packet\(\): only 5251 bytes remaining in output buffer. 5621 needed. [\#1243](uclouvain/openjpeg#1243)
		- CMake+VS2017 Compile OK, thirdparty Compile OK, but thirdparty not install [\#1239](uclouvain/openjpeg#1239)
		- New release to solve CVE-2019-6988 ? [\#1238](uclouvain/openjpeg#1238)
		- Many tests fail to pass after the update of libtiff to version 4.1.0 [\#1233](uclouvain/openjpeg#1233)
		- Another heap buffer overflow in libopenjp2 [\#1231](uclouvain/openjpeg#1231)
		- Heap buffer overflow in libopenjp2 [\#1228](uclouvain/openjpeg#1228)
		- Endianness of binary volume \(JP3D\) [\#1224](uclouvain/openjpeg#1224)
		- New release to resolve CVE-2019-12973 [\#1222](uclouvain/openjpeg#1222)
		- how to set the block size,like 128,256 ? [\#1216](uclouvain/openjpeg#1216)
		- compress YUV files to motion jpeg2000 standard [\#1213](uclouvain/openjpeg#1213)
		- Repair/update Java wrapper, and include in release [\#1208](uclouvain/openjpeg#1208)
		- abc [\#1206](uclouvain/openjpeg#1206)
		- Slow decoding [\#1202](uclouvain/openjpeg#1202)
		- Installation question [\#1201](uclouvain/openjpeg#1201)
		- Typo in test\_decode\_area - \*ptilew is assigned instead of \*ptileh [\#1195](uclouvain/openjpeg#1195)
		- Creating a J2K file with one POC is broken [\#1191](uclouvain/openjpeg#1191)
		- Make fails on Arch Linux [\#1174](uclouvain/openjpeg#1174)
		- Heap buffer overflow in opj\_t1\_clbl\_decode\_processor\(\) triggered with Ghostscript [\#1158](uclouvain/openjpeg#1158)
		- opj\_stream\_get\_number\_byte\_left: Assertion `p\_stream-\>m\_byte\_offset \>= 0' failed. [\#1151](uclouvain/openjpeg#1151)
		- The fuzzer ignores too many inputs [\#1079](uclouvain/openjpeg#1079)
		- out of bounds read [\#1068](uclouvain/openjpeg#1068)
	**Merged pull requests:**
		- Change defined WIN32 [\#1310](uclouvain/openjpeg#1310) ([Jamaika1](https://github.com/Jamaika1))
		- docs: fix simple typo, producted -\> produced [\#1308](uclouvain/openjpeg#1308) ([timgates42](https://github.com/timgates42))
		- Set ${OPENJPEG\_INSTALL\_DOC\_DIR} to DESTINATION of HTMLs [\#1307](uclouvain/openjpeg#1307) ([lemniscati](https://github.com/lemniscati))
		- Use INC\_DIR for OPENJPEG\_INCLUDE\_DIRS \(fixes uclouvain\#1174\) [\#1306](uclouvain/openjpeg#1306) ([matthew-sharp](https://github.com/matthew-sharp))
		- pi.c: avoid out of bounds access with POC \(fixes \#1302\) [\#1304](uclouvain/openjpeg#1304) ([rouault](https://github.com/rouault))
		- Encoder: grow again buffer size [\#1303](uclouvain/openjpeg#1303) ([zodf0055980](https://github.com/zodf0055980))
		- opj\_j2k\_write\_sod\(\): avoid potential heap buffer overflow \(fixes \#1299\) \(probably master only\) [\#1301](uclouvain/openjpeg#1301) ([rouault](https://github.com/rouault))
		- pi.c: avoid out of bounds access with POC \(refs https://github.com/uclouvain/openjpeg/issues/1293\#issuecomment-737122836\) [\#1300](uclouvain/openjpeg#1300) ([rouault](https://github.com/rouault))
		- opj\_t2\_encode\_packet\(\): avoid out of bound access of \#1297, but likely not the proper fix [\#1298](uclouvain/openjpeg#1298) ([rouault](https://github.com/rouault))
		- opj\_t2\_encode\_packet\(\): avoid out of bound access of \#1294, but likely not the proper fix [\#1296](uclouvain/openjpeg#1296) ([rouault](https://github.com/rouault))
		- opj\_j2k\_setup\_encoder\(\): validate POC compno0 and compno1 \(fixes \#1293\) [\#1295](uclouvain/openjpeg#1295) ([rouault](https://github.com/rouault))
		- Encoder: avoid global buffer overflow on irreversible conversion when… [\#1292](uclouvain/openjpeg#1292) ([rouault](https://github.com/rouault))
		- Decoding: deal with some SPOT6 images that have tiles with a single tile-part with TPsot == 0 and TNsot == 0, and with missing EOC [\#1291](uclouvain/openjpeg#1291) ([rouault](https://github.com/rouault))
		- Free p\_tcd\_marker\_info to avoid memory leak [\#1288](uclouvain/openjpeg#1288) ([zodf0055980](https://github.com/zodf0055980))
		- Encoder: grow again buffer size [\#1287](uclouvain/openjpeg#1287) ([zodf0055980](https://github.com/zodf0055980))
		- Encoder: avoid uint32 overflow when allocating memory for codestream buffer \(fixes \#1243\) [\#1276](uclouvain/openjpeg#1276) ([rouault](https://github.com/rouault))
		- Java compatibility from 1.5 to 1.6 [\#1263](uclouvain/openjpeg#1263) ([jiapei100](https://github.com/jiapei100))
		- opj\_decompress: fix double-free on input directory with mix of valid and invalid images [\#1262](uclouvain/openjpeg#1262) ([rouault](https://github.com/rouault))
		- openjp2: Plug image leak when failing to allocate codestream index. [\#1260](uclouvain/openjpeg#1260) ([sebras](https://github.com/sebras))
		- openjp2: Plug memory leak when setting data as TLS fails. [\#1258](uclouvain/openjpeg#1258) ([sebras](https://github.com/sebras))
		- openjp2: Error out if failing to create Tier 1 handle. [\#1256](uclouvain/openjpeg#1256) ([sebras](https://github.com/sebras))
		- Testing for invalid values of width, height, numcomps [\#1254](uclouvain/openjpeg#1254) ([szukw000](https://github.com/szukw000))
		- Single-threaded performance improvements in forward DWT for 5-3 and 9-7 \(and other improvements\) [\#1253](uclouvain/openjpeg#1253) ([rouault](https://github.com/rouault))
		- Add support for multithreading in encoder [\#1248](uclouvain/openjpeg#1248) ([rouault](https://github.com/rouault))
		- Add support for generation of PLT markers in encoder [\#1246](uclouvain/openjpeg#1246) ([rouault](https://github.com/rouault))
		- Fix warnings about signed/unsigned casts in pi.c [\#1244](uclouvain/openjpeg#1244) ([rouault](https://github.com/rouault))
		- opj\_decompress: add sanity checks to avoid segfault in case of decoding error [\#1240](uclouvain/openjpeg#1240) ([rouault](https://github.com/rouault))
		- ignore wrong icc [\#1236](uclouvain/openjpeg#1236) ([szukw000](https://github.com/szukw000))
		- Implement writing of IMF profiles [\#1235](uclouvain/openjpeg#1235) ([rouault](https://github.com/rouault))
		- tests: add alternate checksums for libtiff 4.1 [\#1234](uclouvain/openjpeg#1234) ([rouault](https://github.com/rouault))
		- opj\_tcd\_init\_tile\(\): avoid integer overflow [\#1232](uclouvain/openjpeg#1232) ([rouault](https://github.com/rouault))
		- tests/fuzzers: link fuzz binaries using $LIB\_FUZZING\_ENGINE. [\#1230](uclouvain/openjpeg#1230) ([Dor1s](https://github.com/Dor1s))
		- opj\_j2k\_update\_image\_dimensions\(\): reject images whose coordinates are beyond INT\_MAX \(fixes \#1228\) [\#1229](uclouvain/openjpeg#1229) ([rouault](https://github.com/rouault))
		- Fix resource leaks [\#1226](uclouvain/openjpeg#1226) ([dodys](https://github.com/dodys))
		- abi-check.sh: fix false postive ABI error, and display output error log [\#1218](uclouvain/openjpeg#1218) ([rouault](https://github.com/rouault))
		- pi.c: avoid integer overflow, resulting in later invalid access to memory in opj\_t2\_decode\_packets\(\) [\#1217](uclouvain/openjpeg#1217) ([rouault](https://github.com/rouault))
		- Add check to validate SGcod/SPcoc/SPcod parameter values. [\#1211](uclouvain/openjpeg#1211) ([sebras](https://github.com/sebras))
		- Fix buffer overflow reading an image file less than four characters [\#1196](uclouvain/openjpeg#1196) ([robert-ancell](https://github.com/robert-ancell))
		- compression: emit POC marker when only one single POC is requested \(f… [\#1192](uclouvain/openjpeg#1192) ([rouault](https://github.com/rouault))
		- Fix several potential vulnerabilities  [\#1185](uclouvain/openjpeg#1185) ([Young-X](https://github.com/Young-X))
		- openjp2/j2k: Report error if all wanted components are not decoded. [\#1164](uclouvain/openjpeg#1164) ([sebras](https://github.com/sebras))

Signed-off-by: Adolf Belka <[email protected]>
Reviewed-by: Peter Müller <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants