[poppler] [FYI] libopenjpeg crash (Re: A few vulnerabilitiess in libpoppler)
mpsuzuki at hiroshima-u.ac.jp
mpsuzuki at hiroshima-u.ac.jp
Fri Oct 22 10:31:30 PDT 2010
Hi,
Among 16 pdftoppm crashes that I could reproduce, 10 crashes
occur in libopenjpeg. The first invocation of libopenjpeg
function made pdftoppm crashed, so pdftoppm cannot stand
with such crash by checking errors returned from libopenjpeg.
SIGSEGV.PC.0x29b.CODE.1.ADDR.0x29b.INSTR.[NOT_MMAPED].pdf
SIGSEGV.PC.0x7ffff6ac3a04.CODE.1.ADDR.0x100643ad5.INSTR.cmp_word_[rcx],_0x0.pdf
SIGSEGV.PC.0x7ffff7a6872c.CODE.1.ADDR.0x37006cc7f1.INSTR.mov_rax,_[rdi].pdf
SIGSEGV.PC.0x7ffff7a69c00.CODE.1.ADDR.0x13fb684a78.INSTR.mov_rbx,_[rax+0x48].pdf
SIGSEGV.PC.0x7ffff7a69cac.CODE.1.ADDR.0x1006ae195.INSTR.mov_eax,_[rbx].pdf
SIGSEGV.PC.0x7ffff7a69f4c.CODE.1.ADDR.0x1006adff7.INSTR.mov_dword_[rsi+rdx*8+0x20],_0x0.pdf
SIGSEGV.PC.0x7ffff7a6bcdf.CODE.1.ADDR.0x30.INSTR.mov_rsi,_[rax+0x30].pdf
SIGSEGV.PC.0x7ffff7a6bfa0.CODE.1.ADDR.0x30.INSTR.mov_rsi,_[rax+0x30].pdf
SIGSEGV.PC.0x7ffff7ad2f07.CODE.1.ADDR.0x100a1aae5.INSTR.mov_rax,_[rdi].pdf
SIGSEGV.PC.0x7ffff7ad2f41.CODE.1.ADDR.0x1b000800a1.INSTR.mov_eax,_[rdi+0x20].pdf
For detail, please check my valgrind log files on:
http://home.hiroshima-u.ac.jp/~mpsuzuki/test-def_mps20101022b.tar.rz
or
http://home.hiroshima-u.ac.jp/~mpsuzuki/test-debug_mps20101023a.tar.rz
Checking the source of libopenjpeg, I found that some broken
JPEG2000 files can cause invalid pointer dereference issue.
Following patch for libopenjpeg-1.3 can fix it. I will
try to contact libopenjpeg developers.
Regards,
mpsuzuki
diff -Burb openjpeg-1.3+dfsg.orig/libopenjpeg/j2k.c openjpeg-1.3+dfsg.mps/libopenjpeg/j2k.c
--- openjpeg-1.3+dfsg.orig/libopenjpeg/j2k.c 2008-03-10 17:50:35.000000000 +0900
+++ openjpeg-1.3+dfsg.mps/libopenjpeg/j2k.c 2010-10-23 02:14:03.637256788 +0900
@@ -1807,8 +1807,13 @@
if (cstr_info)
memset(cstr_info, 0, sizeof(opj_codestream_info_t));
- /* create an empty image */
+ /* create an empty image: opj_image_create0() initializes nothing, */
+ /* clear comps is essential to free this image safely */
image = opj_image_create0();
+ if (!image)
+ return NULL;
+ image->comps = 0;
+
j2k->image = image;
j2k->state = J2K_STATE_MHSOC;
@@ -1910,8 +1915,13 @@
j2k->cio = cio;
- /* create an empty image */
+ /* create an empty image: opj_image_create0() initializes nothing, */
+ /* clear comps is essential to free this image safely */
image = opj_image_create0();
+ if (!image)
+ return NULL;
+ image->comps = 0;
+
j2k->image = image;
j2k->state = J2K_STATE_MHSOC;
diff -Burb openjpeg-1.3+dfsg.orig/libopenjpeg/jp2.c openjpeg-1.3+dfsg.mps/libopenjpeg/jp2.c
--- openjpeg-1.3+dfsg.orig/libopenjpeg/jp2.c 2008-03-10 17:50:35.000000000 +0900
+++ openjpeg-1.3+dfsg.mps/libopenjpeg/jp2.c 2010-10-23 01:49:19.830002886 +0900
@@ -561,6 +561,7 @@
image = j2k_decode(jp2->j2k, cio, cstr_info);
if(!image) {
opj_event_msg(cinfo, EVT_ERROR, "Failed to decode J2K image\n");
+ return NULL;
}
/* Set Image Color Space */
More information about the poppler
mailing list