[poppler] [FYI] libopenjpeg crash (Re: A few vulnerabilities in libpoppler)

mpsuzuki at hiroshima-u.ac.jp
Fri Oct 22 10:31:30 PDT 2010


Hi,

Among the 16 pdftoppm crashes that I could reproduce, 10 crashes
occur in libopenjpeg. The first invocation of a libopenjpeg
function made pdftoppm crash, so pdftoppm cannot withstand
such a crash by checking the errors returned from libopenjpeg.

SIGSEGV.PC.0x29b.CODE.1.ADDR.0x29b.INSTR.[NOT_MMAPED].pdf
SIGSEGV.PC.0x7ffff6ac3a04.CODE.1.ADDR.0x100643ad5.INSTR.cmp_word_[rcx],_0x0.pdf
SIGSEGV.PC.0x7ffff7a6872c.CODE.1.ADDR.0x37006cc7f1.INSTR.mov_rax,_[rdi].pdf
SIGSEGV.PC.0x7ffff7a69c00.CODE.1.ADDR.0x13fb684a78.INSTR.mov_rbx,_[rax+0x48].pdf
SIGSEGV.PC.0x7ffff7a69cac.CODE.1.ADDR.0x1006ae195.INSTR.mov_eax,_[rbx].pdf
SIGSEGV.PC.0x7ffff7a69f4c.CODE.1.ADDR.0x1006adff7.INSTR.mov_dword_[rsi+rdx*8+0x20],_0x0.pdf
SIGSEGV.PC.0x7ffff7a6bcdf.CODE.1.ADDR.0x30.INSTR.mov_rsi,_[rax+0x30].pdf
SIGSEGV.PC.0x7ffff7a6bfa0.CODE.1.ADDR.0x30.INSTR.mov_rsi,_[rax+0x30].pdf
SIGSEGV.PC.0x7ffff7ad2f07.CODE.1.ADDR.0x100a1aae5.INSTR.mov_rax,_[rdi].pdf
SIGSEGV.PC.0x7ffff7ad2f41.CODE.1.ADDR.0x1b000800a1.INSTR.mov_eax,_[rdi+0x20].pdf

For details, please check my valgrind log files at:
  http://home.hiroshima-u.ac.jp/~mpsuzuki/test-def_mps20101022b.tar.rz
or
  http://home.hiroshima-u.ac.jp/~mpsuzuki/test-debug_mps20101023a.tar.rz

Checking the source of libopenjpeg, I found that some broken
JPEG2000 files can cause an invalid pointer dereference.
The following patch for libopenjpeg-1.3 can fix it. I will
try to contact the libopenjpeg developers.

Regards,
mpsuzuki

diff -Burb openjpeg-1.3+dfsg.orig/libopenjpeg/j2k.c openjpeg-1.3+dfsg.mps/libopenjpeg/j2k.c
--- openjpeg-1.3+dfsg.orig/libopenjpeg/j2k.c	2008-03-10 17:50:35.000000000 +0900
+++ openjpeg-1.3+dfsg.mps/libopenjpeg/j2k.c	2010-10-23 02:14:03.637256788 +0900
@@ -1807,8 +1807,13 @@
 	if (cstr_info)
 		memset(cstr_info, 0, sizeof(opj_codestream_info_t));
 
-	/* create an empty image */
+	/* create an empty image: opj_image_create0() initializes nothing, */
+	/* clear comps is essential to free this image safely */
 	image = opj_image_create0();
+	if (!image)
+		return NULL;
+	image->comps = 0;
+
 	j2k->image = image;
 
 	j2k->state = J2K_STATE_MHSOC;
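Review bot: clearing only `image->comps` after `opj_image_create0()` leaves every other field of the freshly allocated `opj_image_t` (`numcomps`, `x0`, `y0`, `color_space`, ...) uninitialized, so any later error path that inspects them still reads garbage. Since the comment on the `+` lines states that `opj_image_create0()` initializes nothing, the robust fix is to zero the whole structure once (`memset(image, 0, sizeof(*image));` right after the allocation, or allocate with a zeroing allocator inside `opj_image_create0()` itself) rather than to patch one field at each call site. Also prefer `image->comps = NULL;` over `= 0` for a pointer, and reword the comment to say what is being cleared and why ("NULL comps so opj_image_destroy() can free a partially initialized image").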
@@ -1910,8 +1915,13 @@
 	
 	j2k->cio = cio;
 
-	/* create an empty image */
+	/* create an empty image: opj_image_create0() initializes nothing, */
+	/* clear comps is essential to free this image safely */
 	image = opj_image_create0();
+	if (!image)
+		return NULL;
+	image->comps = 0;
+
 	j2k->image = image;
 
 	j2k->state = J2K_STATE_MHSOC;
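Review bot: this hunk duplicates the previous one line for line (same NULL check, same `image->comps = 0`, same two comment lines), which is a sign that the initialization belongs in `opj_image_create0()` or a small helper, not in each decoder entry point; a third caller of `opj_image_create0()` that this patch does not touch would still get the uninitialized `comps` pointer. If the per-call-site form is kept, at least zero the whole struct (`memset(image, 0, sizeof(*image));`) so both sites behave identically for every field, and use `NULL` rather than `0` for the pointer assignment.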
diff -Burb openjpeg-1.3+dfsg.orig/libopenjpeg/jp2.c openjpeg-1.3+dfsg.mps/libopenjpeg/jp2.c
--- openjpeg-1.3+dfsg.orig/libopenjpeg/jp2.c	2008-03-10 17:50:35.000000000 +0900
+++ openjpeg-1.3+dfsg.mps/libopenjpeg/jp2.c	2010-10-23 01:49:19.830002886 +0900
@@ -561,6 +561,7 @@
 	image = j2k_decode(jp2->j2k, cio, cstr_info);
 	if(!image) {
 		opj_event_msg(cinfo, EVT_ERROR, "Failed to decode J2K image\n");
+		return NULL;
 	}
 
 	/* Set Image Color Space */
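Review bot: the added `return NULL;` is the missing piece here, because without it the code falls through to the "Set Image Color Space" block below with `image == NULL` and dereferences it; the `if(!image)` test already existed but only logged. Two follow-ups: document in the function's header comment that a NULL return means "nothing decoded, caller owns cleanup of `cio` and the `jp2` handle", since the hunk shows no release of either before returning, and check that every caller of this function already treats NULL as an error rather than as a valid image.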


More information about the poppler mailing list