[poppler] [FYI] libopenjpeg crash (Re: A few vulnerabilities in libpoppler)

mpsuzuki at hiroshima-u.ac.jp
Fri Oct 22 22:28:45 PDT 2010


Dear Albert,

On Fri, 22 Oct 2010 19:39:09 +0100
Albert Astals Cid <aacid at kde.org> wrote:

>On Friday, 22 October 2010, mpsuzuki at hiroshima-u.ac.jp wrote:
>> Checking the source of libopenjpeg, I found that some broken
>> JPEG2000 files can cause an invalid pointer dereference issue.
>> The following patch for libopenjpeg-1.3 can fix it.
>
>Have you checked the svn branch?

# No, oops, I ought to have checked (as I asked Robert
# to do), but I have not. I'm sorry.

Checking the latest libopenjpeg on SVN, only 1 PDF in
Robert's 2010-10-20 testing files caused SIGSEGV in
libopenjpeg:

  SIGSEGV.PC.0x7ffff7a6bfa0.CODE.1.ADDR.0x30.INSTR.mov_rsi,_[rax+0x30].pdf

Error: [JPT-stream] : Expecting Main header first [class_Id 0] !

Error: Did no succeed opening JPX Stream.
Error (151479): Unknown operator 'DoQ'
[New Thread 0xb742b6d0 (LWP 5913)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb742b6d0 (LWP 5913)]
0x0813b205 in j2k_read_sot (j2k=0x81f4978) at j2k.c:1386
1386            if (tcp->first == 1) {
Current language:  auto; currently c
(gdb) where
#0  0x0813b205 in j2k_read_sot (j2k=0x81f4978) at j2k.c:1386
#1  0x0813c122 in j2k_decode (j2k=0x81f4978, cio=0x825d3a0, cstr_info=0x0) at j2k.c:1889
#2  0x0813f386 in jp2_decode (jp2=0x8238f70, cio=0x825d3a0, cstr_info=0x0) at jp2.c:882
#3  0x08137ae6 in opj_decode_with_info (dinfo=0x822d4a0, cio=0x825d3a0, cstr_info=0x0) at openjpeg.c:163
#4  0x08137a66 in opj_decode (dinfo=0x822d4a0, cio=0x825d3a0) at openjpeg.c:152
#5  0x080ec1bb in JPXStream::init2 (this=0x825d308, buf=0x823cde0 "", bufLen=2838, format=CODEC_JP2) at JPEG2000Stream.cc:117
#6  0x080ec081 in JPXStream::init (this=0x825d308) at JPEG2000Stream.cc:73
#7  0x080ec2e1 in JPXStream::getImageParams (this=0x825d308, bitsPerComponent=0xbfe28a7c, csMode=0xbfe28a78) at JPEG2000Stream.cc:150
#8  0x0811dae7 in Gfx::doImage (this=0x81d27a0, ref=0xbfe28b04, str=0x825d308, inlineImg=false) at Gfx.cc:3984
#9  0x0811d83c in Gfx::opXObject (this=0x81d27a0, args=0xbfe28bcc, numArgs=1) at Gfx.cc:3931
#10 0x0811098e in Gfx::execOp (this=0x81d27a0, cmd=0xbfe28d6c, args=0xbfe28bcc, numArgs=1) at Gfx.cc:851
#11 0x08110360 in Gfx::go (this=0x81d27a0, topLevel=true) at Gfx.cc:711
#12 0x081101bc in Gfx::display (this=0x81d27a0, obj=0xbfe28e74, topLevel=true) at Gfx.cc:678
#13 0x080a0f5d in Page::displaySlice (this=0x81d86b8, out=0x81e10f0, hDPI=150, vDPI=150, rotate=0, useMediaBox=true, crop=false, sliceX=0, sliceY=0, sliceW=1275, sliceH=1650, printing=false,
    catalog=0x81c8560, abortCheckCbk=0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0, annotDisplayDecideCbkData=0x0) at Page.cc:482
#14 0x080a2e5a in PDFDoc::displayPageSlice (this=0x81c7bb8, out=0x81e10f0, page=12, hDPI=150, vDPI=150, rotate=0, useMediaBox=true, crop=false, printing=false, sliceX=0, sliceY=0, sliceW=1275,
    sliceH=1650, abortCheckCbk=0, abortCheckCbkData=0x0, annotDisplayDecideCbk=0, annotDisplayDecideCbkData=0x0) at PDFDoc.cc:424
#15 0x0804ba01 in savePageSlice (doc=0x81c7bb8, splashOut=0x81e10f0, pg=12, x=0, y=0, w=1275, h=1650, pg_w=1275, pg_h=1650, ppmFile=0xbfe29018 "/dev/null-12.ppm") at pdftoppm.cc:173
#16 0x0804c699 in main (argc=3, argv=0xbfe29324) at pdftoppm.cc:354
(gdb) p tcp
$1 = (opj_tcp_t *) 0x1a0ac5e0
(gdb) p tcp->first
Cannot access memory at address 0x1a0ac5e0


If I disable libopenjpeg and use the builtin JPEG2000 decoder,
no SEGV occurs. I will try to fix it, but other issues in
poppler itself must be prioritized.

>It fixed most of the problems I had with openjpeg,
>just that when I asked if they were going to release
>1.3.1 all I got back were tumbleweeds.

On 2010-Oct-7th, there was a post "OpenJPEG 1.4.0 should
come soon". I hope it comes true, because many GNU/Linux
distributors don't want to make a binary package built
from the source under development. If it is delayed,
the binary packagers of poppler should use the builtin
JPEG2000 decoder as a temporary fix, until the official release
of libopenjpeg-1.4.

Regards,
mpsuzuki
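Added example, not code from this thread or from OpenJPEG: a minimal SOT marker-segment reader in C that validates every field, above all the tile index, before it is used to select the per-tile tcp entry, so a broken codestream is rejected instead of dereferencing a pointer outside the tcps array as in the j2k_read_sot crash above. The field layout follows the JPEG 2000 SOT marker segment; the tcp_t and cp_t structures, the 2x2 tile grid and the sample marker bytes are constructed, and that the crash stems from an unchecked tile index is my assumption, since the patch itself is not on this page.

```c
#include <stddef.h>
#include <stdint.h>

/* Per-tile coding parameters; only the field named in the backtrace is modelled. */
typedef struct { int first; } tcp_t;

/* Constructed decoder state: a 2x2 tile grid, so tcps[] has tw*th = 4 entries. */
#define TW 2
#define TH 2
typedef struct { int tw, th; tcp_t tcps[TW * TH]; } cp_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Parse an SOT marker segment body (the bytes after the 0xFF90 marker):
 *   Lsot(2) = 10, Isot(2) tile index, Psot(4) tile-part length,
 *   TPsot(1) tile-part index, TNsot(1) tile-part count.
 * 'avail' is the number of codestream bytes left, counted from the marker itself.
 * Returns the tile's tcp, or NULL when any field would lead to an out-of-range
 * access; a caller must never touch tcp->first on NULL. */
static tcp_t *read_sot(cp_t *cp, const uint8_t *seg, size_t seglen, size_t avail)
{
    if (seglen < 10 || rd16(seg) != 10) return NULL;         /* truncated or bad Lsot */
    uint16_t isot  = rd16(seg + 2);
    uint32_t psot  = rd32(seg + 4);
    uint8_t  tpsot = seg[8], tnsot = seg[9];
    if (isot >= (unsigned)(cp->tw * cp->th)) return NULL;    /* index past tcps[] */
    /* Psot counts from the marker: 0 means "up to EOC", otherwise at least 12 bytes. */
    if (psot != 0 && (psot < 12 || psot > avail)) return NULL;
    if (tnsot != 0 && tpsot >= tnsot) return NULL;           /* tile-part index out of range */
    return &cp->tcps[isot];
}

/* Constructed inputs: a well-formed SOT for tile 1, and one claiming tile 7. */
static const uint8_t good_sot[10] = {0,10, 0,1, 0,0,0,200, 0,1};
static const uint8_t bad_sot[10]  = {0,10, 0,7, 0,0,0,200, 0,1};

/* Returns tcp->first for an accepted segment, or -1 when it was rejected. */
static int demo(const uint8_t *sot)
{
    cp_t cp = { TW, TH, {{0}, {1}, {0}, {0}} };
    tcp_t *tcp = read_sot(&cp, sot, 10, 4096);
    return tcp ? tcp->first : -1;
}
```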