Integer Overflow at t2.c:1234 #1488
Closed
Conversation
rouault pushed a commit to headshog/openjpeg that referenced this pull request on Dec 8, 2023:
That change causes additional test failures: would require deeper analysis to see if they are legit
rouault added a commit to rouault/openjpeg that referenced this pull request on Feb 18, 2024:
alternate fix in #1511
rouault added a commit to rouault/openjpeg that referenced this pull request on Feb 18, 2024
clrpackages pushed a commit to clearlinux-pkgs/openjpeg that referenced this pull request on May 3, 2024:
…2.5.2

Aleks L (1):
      Fix Heap-buffer-overflow READ in opj_jp2_apply_pclr (#1441)

Alex Richardson (1):
      Make OpenJPEGConfig.cmake relocatable with CMake > 3.0

Alexander Neumann (1):
      Fix windows arm builds

Andrew Murray (1):
      Fixed typos (#1486)

Aous Naman (1):
      Replace the assert in mel_init to an if statement to address an issue with fuzzing. (#1436)

Biswapriyo Nath (1):
      pkgconfig: Define OPJ_STATIC for static linking with pkgconf

Dominik Wójt (2):
      CMake: drop support for cmake < 3.5
      Add cmake version file

Even Rouault (29):
      abi_check.sh: Update version number for automatic abi check
      update tools/abi-tracker/openjpeg.json
      abi_check.sh: comment OPJ_PREVIOUS_VERSION
      HOWTO-RELEASE: update
      Build: fix linking of executables on some systems where TIFF/LCMS2 static libraries are not in system directories (fixes #1430)
      opj_t1_encode_cblk(): avoid undefined behaviour on fuzzed input (fixes #1432)
      Micro-optimization: use directly opj_bio_putbit() instead of opj_bio_write() to emit single bit
      Significant speed-up rate allocation by rate/distortion ratio
      Cleanup code related to quality layer allocation, and add a few safety checks
      Fix incorrect decoding of image with large number of progression levels
      opj_t2_skip_packet_data(): avoid out-of-bounds reads on truncated images in non-strict mode (fixes #1459)
      Fix CI
      Remove support for non-C99 compilers (like VS2010) that don't support snprintf()
      opj_jp2_read_header(): move setting color_space here instead in opj_jp2_decode()/get_tile() (fixes #570)
      opj_jp2_read_header(): move setting icc_profile here instead in opj_jp2_decode()/get_tile() + add unit test (fixes #570)
      CI: update KDU to new version (older one no longer available)
      tools/travis-ci/install.sh: workaround issue with jpylyzer on Mac
      opj_tcd_dc_level_shift_decode(): avoid increment nullptr (fixes #1480)
      opj_decompress: fix off-by-one read heap-buffer-overflow in sycc420_to_rgb() when x0 and y0 are odd (CVE-2021-3575, fixes #1347)
      opj_dwt_decode_tile(): avoid potential UndefinedBehaviorSanitizer 'applying zero offset to null pointer' (fixes #1505)
      opj_t2_read_packet_header(): avoid unsigned integer overflow (alternate fix to uclouvain/openjpeg#1488)
      Prepare for OpenJPEG v2.5.1 release
      abi_check.sh: Update version number for automatic abi check (2.5.0->2.5.1)
      abi_check.sh: comment OPJ_PREVIOUS_VERSION
      update HOWTO-RELEASE
      update HOWTO-RELEASE
      openjpeg.h: make sure to include opj_config.h (fixes #1514)
      opj_config.h.cmake.in: add inclusion guard
      Prepare for OpenJPEG v2.5.2 release

Mark Mentovai (1):
      openjp2/j2k: replace sprintf calls with snprintf

Miloš Komarčević (2):
      Always install pkgconfig files
      Remove BUILD_PKGCONFIG_FILES

Peter Johnson (1):
      ht_dec.c: Improve MSVC arm64 popcount performance (#1479)

Sebastian Rasmussen (1):
      CMake: error out on warnings for strict/missing prototypes.

Thomas Bracht Laumann Jespersen (1):
      CMake: switch to GNUInstallDirs (#1424)

Tomoaki Teshima (1):
      suppress warning during build using clang

Yuan (1):
      HT_DEC: Fix opj_t1_allocate_buffers malloc size error (#1426) (fixes #1413)

autoantwort (1):
      CMake: add missing GNUInstallDirs related substitutions (fixes #1424) (#1456)

headshog (3):
      opj_j2k_merge_ppm(): avoid unsigned-integer-overflow at j2k.c:3962 (#1490)
      fix j2k.c:11114
      opj_t1_ht_decode_cblk(): avoid memcpy() with 0-input size and nullptr destination. fix ht_dec.c:1215 (#1492)

mayeut (3):
      fix: use `opj_uint_ceildiv` instead of `opj_int_ceildiv` when necessary
      chore: GHA Ubuntu 22.04 now uses gcc 11.4.0
      Require `stdint.h` & `inttypes.h`

scaramallion (1):
      Fix compiler error on Windows
Hi! We've been fuzzing openjpeg with sydr-fuzz security predicates and we found an integer overflow error in t2.c:1234. In function opj_t2_read_packet_header at line 1234 an integer overflow occurs (in our case it was l_band->numbps = 5 and i = 15, so 5+1-15 in case of OPJ_UINT32 gives overflow) and nowhere else in this function is the validity of this variable checked. So I tried to put a checker there similarly to other return OPJ_FALSE branches in this function.

Environment
How to reproduce this error
Build docker container:
Run docker container:
Run on the following input:
Output:
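The arithmetic the report describes, reduced to a stand-alone illustration. This is an added example, not code from the pull request or from OpenJPEG: the functions `cblk_numbps_unchecked` and `cblk_numbps_checked` and the `OPJ_*` typedefs are stand-ins, and the only thing taken from the report is the expression `numbps + 1 - i` evaluated as an unsigned 32-bit value with `numbps = 5`, `i = 15`. The checked form rejects the input the same way the description says the other `return OPJ_FALSE` branches do, and also guards the `+ 1` itself so the check cannot be fooled by a maximal `numbps`.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for OpenJPEG's OPJ_UINT32 / OPJ_BOOL types (names assumed here). */
typedef uint32_t OPJ_UINT32;
typedef int OPJ_BOOL;
#define OPJ_TRUE 1
#define OPJ_FALSE 0

/* Unchecked form of the arithmetic in the report: numbps + 1 - i in
 * unsigned 32-bit. When i exceeds numbps + 1 the subtraction cannot go
 * negative, so it wraps to a value close to UINT32_MAX. With the reported
 * inputs (5, 15) the result is 4294967287 instead of the intended -9. */
OPJ_UINT32 cblk_numbps_unchecked(OPJ_UINT32 band_numbps, OPJ_UINT32 i)
{
    return band_numbps + 1 - i;
}

/* Checked form: validate before computing, and only store a result that
 * cannot have wrapped. Returns OPJ_FALSE (the pattern the report refers to)
 * when the packet header data is inconsistent. */
OPJ_BOOL cblk_numbps_checked(OPJ_UINT32 band_numbps, OPJ_UINT32 i,
                             OPJ_UINT32 *out)
{
    /* numbps + 1 would itself wrap for a maximal numbps. */
    if (band_numbps == UINT32_MAX) {
        return OPJ_FALSE;
    }
    /* The subtraction would wrap: this is the 5 + 1 - 15 case. */
    if (i > band_numbps + 1) {
        return OPJ_FALSE;
    }
    *out = band_numbps + 1 - i;
    return OPJ_TRUE;
}

int main(void)
{
    OPJ_UINT32 v = 0;
    /* Constructed inputs taken from the report: numbps = 5, i = 15. */
    printf("unchecked: %u\n", cblk_numbps_unchecked(5, 15));
    printf("checked:   %s\n",
           cblk_numbps_checked(5, 15, &v) ? "accepted" : "rejected");
    /* A consistent pair, for comparison. */
    if (cblk_numbps_checked(5, 3, &v)) {
        printf("checked (5, 3): %u\n", v);
    }
    return 0;
}
```

Because unsigned wraparound is well-defined in C, a default sanitizer build does not report it; clang's `-fsanitize=unsigned-integer-overflow` (or a fuzzer with security predicates, as the reporter used) is what surfaces this class of defect, and the guard in the checked form is what makes the value safe to use as a bit-plane count afterwards.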