[poppler] [FYI] libopenjpeg crash (Re: A few vulnerabilities in libpoppler)

Albert Astals Cid aacid at kde.org
Fri Oct 22 11:39:09 PDT 2010


On Friday, 22 October 2010, mpsuzuki at hiroshima-u.ac.jp wrote:
> Hi,
> 
> Among the 16 pdftoppm crashes that I could reproduce, 10 crashes
> occur in libopenjpeg. The first invocation of a libopenjpeg
> function made pdftoppm crash, so pdftoppm cannot withstand
> such a crash by checking errors returned from libopenjpeg.
> 
> SIGSEGV.PC.0x29b.CODE.1.ADDR.0x29b.INSTR.[NOT_MMAPED].pdf
> SIGSEGV.PC.0x7ffff6ac3a04.CODE.1.ADDR.0x100643ad5.INSTR.cmp_word_[rcx],_0x0.pdf
> SIGSEGV.PC.0x7ffff7a6872c.CODE.1.ADDR.0x37006cc7f1.INSTR.mov_rax,_[rdi].pdf
> SIGSEGV.PC.0x7ffff7a69c00.CODE.1.ADDR.0x13fb684a78.INSTR.mov_rbx,_[rax+0x48].pdf
> SIGSEGV.PC.0x7ffff7a69cac.CODE.1.ADDR.0x1006ae195.INSTR.mov_eax,_[rbx].pdf
> SIGSEGV.PC.0x7ffff7a69f4c.CODE.1.ADDR.0x1006adff7.INSTR.mov_dword_[rsi+rdx*8+0x20],_0x0.pdf
> SIGSEGV.PC.0x7ffff7a6bcdf.CODE.1.ADDR.0x30.INSTR.mov_rsi,_[rax+0x30].pdf
> SIGSEGV.PC.0x7ffff7a6bfa0.CODE.1.ADDR.0x30.INSTR.mov_rsi,_[rax+0x30].pdf
> SIGSEGV.PC.0x7ffff7ad2f07.CODE.1.ADDR.0x100a1aae5.INSTR.mov_rax,_[rdi].pdf
> SIGSEGV.PC.0x7ffff7ad2f41.CODE.1.ADDR.0x1b000800a1.INSTR.mov_eax,_[rdi+0x20].pdf
> 
> For details, please check my valgrind log files on:
>   http://home.hiroshima-u.ac.jp/~mpsuzuki/test-def_mps20101022b.tar.rz
> or
>   http://home.hiroshima-u.ac.jp/~mpsuzuki/test-debug_mps20101023a.tar.rz
> 
> Checking the source of libopenjpeg, I found that some broken
> JPEG2000 files can cause an invalid pointer dereference issue.
> The following patch for libopenjpeg-1.3 can fix it.

Have you checked the svn branch? It fixed most of the problems I had with 
openjpeg, just that when I asked if they were going to release 1.3.1 all I got 
back were tumbleweeds.

> I will
> try to contact libopenjpeg developers.

Good luck with that.

Albert

> 
> Regards,
> mpsuzuki
> 
> diff -Burb openjpeg-1.3+dfsg.orig/libopenjpeg/j2k.c
> openjpeg-1.3+dfsg.mps/libopenjpeg/j2k.c ---
> openjpeg-1.3+dfsg.orig/libopenjpeg/j2k.c	2008-03-10 17:50:35.000000000
> +0900 +++ openjpeg-1.3+dfsg.mps/libopenjpeg/j2k.c	2010-10-23
> 02:14:03.637256788 +0900 @@ -1807,8 +1807,13 @@
>  	if (cstr_info)
>  		memset(cstr_info, 0, sizeof(opj_codestream_info_t));
> 
> -	/* create an empty image */
> +	/* create an empty image: opj_image_create0() initializes nothing, */
> +	/* clear comps is essential to free this image safely */
>  	image = opj_image_create0();
> +	if (!image)
> +		return NULL;
> +	image->comps = 0;
> +
>  	j2k->image = image;
> 
>  	j2k->state = J2K_STATE_MHSOC;
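Review bot: `image->comps = 0;` in this hunk zeroes one pointer field by hand while the new comment says `opj_image_create0()` initializes nothing; if that is so, every other member of the image is equally uninitialized, so a full `memset(image, 0, sizeof(*image));` (the same idiom this hunk already shows for `cstr_info` two lines earlier) would be the safer fix, and `NULL` reads better than `0` for a pointer. The `return NULL` on allocation failure is correct, since the jp2.c side of the same patch now checks for it.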
> @@ -1910,8 +1915,13 @@
> 
>  	j2k->cio = cio;
> 
> -	/* create an empty image */
> +	/* create an empty image: opj_image_create0() initializes nothing, */
> +	/* clear comps is essential to free this image safely */
>  	image = opj_image_create0();
> +	if (!image)
> +		return NULL;
> +	image->comps = 0;
> +
>  	j2k->image = image;
> 
>  	j2k->state = J2K_STATE_MHSOC;
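Review bot: this hunk is a line-for-line copy of the first j2k.c hunk; the NULL check and the field initialization belong in one place, either a small static helper or `opj_image_create0()` itself, so the two decode entry points cannot drift apart the next time one of them is patched. Note also that `j2k->cio = cio;` is already assigned before the new early return, so a failed call leaves the decoder partially configured; harmless as far as the hunk shows, but worth a comment. In the comment text, "clear comps is essential" should read "clearing comps is essential".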
> diff -Burb openjpeg-1.3+dfsg.orig/libopenjpeg/jp2.c
> openjpeg-1.3+dfsg.mps/libopenjpeg/jp2.c ---
> openjpeg-1.3+dfsg.orig/libopenjpeg/jp2.c	2008-03-10 17:50:35.000000000
> +0900 +++ openjpeg-1.3+dfsg.mps/libopenjpeg/jp2.c	2010-10-23
> 01:49:19.830002886 +0900 @@ -561,6 +561,7 @@
>  	image = j2k_decode(jp2->j2k, cio, cstr_info);
>  	if(!image) {
>  		opj_event_msg(cinfo, EVT_ERROR, "Failed to decode J2K image\n");
> +		return NULL;
>  	}
> 
>  	/* Set Image Color Space */
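Review bot: the added `return NULL;` is the caller-side fix that matters: without it the function logged the error and then fell through to "Set Image Color Space" with `image == NULL`, which is consistent with the small-offset null dereferences in the crash list above (for example `ADDR.0x30` with `mov rsi,[rax+0x30]`). One follow-up: confirm that nothing acquired earlier in this function, before `j2k_decode` is called, is leaked on the new early-return path, since the hunk only shows the return itself.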
> _______________________________________________
> poppler mailing list
> poppler at lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/poppler
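The discipline the thread argues for, zero-initialize the image object when it is created, never hand back a half-built one, and have the caller check for NULL before touching the result, as a self-contained C example written for this page. It is not mpsuzuki's patch and not OpenJPEG code: all `demo_*` names and the struct layout are hypothetical, and the sample header bytes are constructed; only the SOC/SIZ marker layout follows the JPEG 2000 codestream format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical image object shaped like the one in the thread: a component
 * array plus its count. Not OpenJPEG's types. */
typedef struct { uint32_t w, h; int32_t *data; } demo_comp_t;
typedef struct { uint32_t x1, y1; uint16_t numcomps; demo_comp_t *comps; } demo_image_t;

/* calloc, so comps is NULL and numcomps is 0 before anything else happens. */
static demo_image_t *demo_image_create0(void) { return calloc(1, sizeof(demo_image_t)); }

/* Teardown that tolerates every intermediate state create/decode can leave. */
static void demo_image_destroy(demo_image_t *img) {
    if (!img) return;
    if (img->comps) {
        for (uint16_t i = 0; i < img->numcomps; i++) free(img->comps[i].data);
        free(img->comps);
    }
    free(img);
}

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse the start of a J2K codestream: SOC (FF4F) then a SIZ segment (FF51).
 * SIZ layout, offsets relative to Lsiz: Lsiz@0 Rsiz@2 Xsiz@4 Ysiz@8 XOsiz@12
 * YOsiz@16 XTsiz@20 YTsiz@24 XTOsiz@28 YTOsiz@32 Csiz@36, then Ssiz/XRsiz/YRsiz
 * per component from @38. Every rejection returns NULL; nothing is left dangling. */
demo_image_t *demo_decode_header(const uint8_t *buf, size_t len) {
    if (len < 6 || buf[0] != 0xFF || buf[1] != 0x4F || buf[2] != 0xFF || buf[3] != 0x51)
        return NULL;
    const uint8_t *siz = buf + 4;                   /* start of Lsiz */
    uint16_t lsiz = rd16(siz);
    if ((size_t)lsiz + 4 > len || lsiz < 38 + 3)    /* segment must fit; Lsiz counts itself */
        return NULL;
    uint16_t csiz = rd16(siz + 36);
    if (csiz == 0 || lsiz != 38 + 3u * csiz)        /* Csiz and Lsiz must agree */
        return NULL;
    uint32_t xsiz = rd32(siz + 4), ysiz = rd32(siz + 8);
    uint32_t xosiz = rd32(siz + 12), yosiz = rd32(siz + 16);
    if (xosiz >= xsiz || yosiz >= ysiz)             /* origin must lie inside the grid */
        return NULL;

    demo_image_t *img = demo_image_create0();
    if (!img) return NULL;
    img->x1 = xsiz; img->y1 = ysiz;
    img->comps = calloc(csiz, sizeof(demo_comp_t));
    if (!img->comps) { demo_image_destroy(img); return NULL; }
    img->numcomps = csiz;           /* set only once comps exists, so destroy stays consistent */
    for (uint16_t i = 0; i < csiz; i++) {
        const uint8_t *c = siz + 38 + 3 * i;
        uint8_t xr = c[1], yr = c[2];               /* sub-sampling factors, never zero */
        if (xr == 0 || yr == 0) { demo_image_destroy(img); return NULL; }
        img->comps[i].w = (uint32_t)(((uint64_t)xsiz + xr - 1) / xr - ((uint64_t)xosiz + xr - 1) / xr);
        img->comps[i].h = (uint32_t)(((uint64_t)ysiz + yr - 1) / yr - ((uint64_t)yosiz + yr - 1) / yr);
        /* Pixel buffers are deliberately not allocated here: w*h comes straight
         * from the file, so a real decoder bounds it before trusting it. */
    }
    return img;
}

/* Caller discipline from the jp2.c hunk: a NULL result is reported and returned,
 * never used. Returns the component count, or -1 for a rejected header. */
int demo_component_count(const uint8_t *buf, size_t len) {
    demo_image_t *img = demo_decode_header(buf, len);
    if (!img) return -1;
    int n = img->numcomps;
    demo_image_destroy(img);
    return n;
}

/* Pixel count of component 0 (w*h), or -1 for a rejected header. */
long demo_first_comp_pixels(const uint8_t *buf, size_t len) {
    demo_image_t *img = demo_decode_header(buf, len);
    if (!img) return -1;
    long px = (long)img->comps[0].w * img->comps[0].h;
    demo_image_destroy(img);
    return px;
}

/* Constructed sample: SOC + SIZ for a 16x8, 3-component, 8-bit image (51 bytes). */
static const uint8_t demo_good_header[] = {
    0xFF, 0x4F,                         /* SOC */
    0xFF, 0x51, 0x00, 0x2F,             /* SIZ, Lsiz = 47 = 38 + 3*3 */
    0x00, 0x00,                         /* Rsiz */
    0x00, 0x00, 0x00, 0x10,             /* Xsiz = 16 */
    0x00, 0x00, 0x00, 0x08,             /* Ysiz = 8 */
    0x00, 0x00, 0x00, 0x00,             /* XOsiz */
    0x00, 0x00, 0x00, 0x00,             /* YOsiz */
    0x00, 0x00, 0x00, 0x10,             /* XTsiz */
    0x00, 0x00, 0x00, 0x08,             /* YTsiz */
    0x00, 0x00, 0x00, 0x00,             /* XTOsiz */
    0x00, 0x00, 0x00, 0x00,             /* YTOsiz */
    0x00, 0x03,                         /* Csiz = 3 */
    0x07, 0x01, 0x01, 0x07, 0x01, 0x01, 0x07, 0x01, 0x01   /* Ssiz, XRsiz, YRsiz x3 */
};

/* Constructed failure modes applied to a copy of the good header:
 * 0 = as is, 1 = truncated, 2 = Csiz disagrees with Lsiz, 3 = XRsiz of 0,
 * 4 = XOsiz beyond Xsiz. Returns demo_component_count's verdict. */
int demo_check_case(int which) {
    uint8_t h[sizeof demo_good_header];
    memcpy(h, demo_good_header, sizeof h);
    size_t len = sizeof h;
    switch (which) {
    case 1: len = 20; break;
    case 2: h[4 + 37] = 4; break;           /* Csiz low byte -> 4, Lsiz still 47 */
    case 3: h[4 + 39] = 0; break;           /* XRsiz of component 0 */
    case 4: h[4 + 15] = 0x20; break;        /* XOsiz = 32 > Xsiz = 16 */
    }
    return demo_component_count(h, len);
}
```

Each of the four malformed variants is rejected before any image object exists or is torn down through the NULL-tolerant destroy, so the caller only ever sees a fully built image or NULL, which is exactly the contract the jp2.c hunk relies on.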