Package: libopenjpeg5
Version: 1:1.5.2-3
Severity: important
Tags: security

Dear Maintainer,

I have several samples causing j2k_dump to crash in different ways. I can provide these privately, but I'm not attaching them here, because I don't think that making them public before the issues are fixed would be a good idea.

Backtraces:

$ for f in *; do echo -e "\n\n\n *** $f *** \n\n\n"; gdb --batch -ex r -ex bt -ex q --args j2k_dump -i "$f"; done

*** id_07cc0ea0b24a217441df652958ff4d93b50ae8f1.j2k ***

[INFO] tile 1 of 5377

Program received signal SIGSEGV, Segmentation fault.
tgt_reset (tree=0x4300000000000000) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/tgt.c:122
122 /tmp/buildd/openjpeg-1.5.2/libopenjpeg/tgt.c: No such file or directory.
#0 tgt_reset (tree=0x4300000000000000) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/tgt.c:122
#1 0x00007ffff7bcdf43 in t2_decode_packet (t2=0x16dc8a0, t2=0x16dc8a0, tile=0x7ffff53e8010, pi=0x16dc8c0, pi=0x16dc8c0, pi=0x16dc8c0, pi=0x16dc8c0, pack_info=0x0, tcp=0x7ffff584c010, len=653, src=0x16cd661 "4\375\201") at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/t2.c:360
#2 t2_decode_packets (t2=t2@entry=0x16dc8a0, src=src@entry=0x16cd600 "\300\374\300\200\001\307\300\374\300\200\a8\300~", len=len@entry=750, tileno=tileno@entry=0, tile=tile@entry=0x7ffff53e8010, cstr_info=cstr_info@entry=0x0) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/t2.c:741
#3 0x00007ffff7bd29ba in tcd_decode_tile (tcd=tcd@entry=0x60e1f0, src=0x16cd600 "\300\374\300\200\001\307\300\374\300\200\a8\300~", len=750, tileno=tileno@entry=0, cstr_info=0x0) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/tcd.c:1385
#4 0x00007ffff7bc12df in j2k_read_eoc (j2k=0x60e050) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c:1695
#5 0x00007ffff7bc24c2 in j2k_decode (j2k=0x60e050, cio=0x60e170, cstr_info=<optimized out>) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c:2027
#6 0x0000000000401f2b in main (argc=<optimized out>, argv=<optimized out>) at /tmp/buildd/openjpeg-1.5.2/applications/codec/j2k_dump.c:458
A debugging session is active.
Inferior 1 [process 29104] will be killed.
Quit anyway? (y or n) [answered Y; input not from terminal]

*** id_36489c74785cf854b2fbadb38379f05fdf58b3cd.j2k ***

Program received signal SIGSEGV, Segmentation fault.
tcd_malloc_decode_tile (tcd=tcd@entry=0x60e1f0, image=0x60e1b0, cp=0x60e0d0, tileno=<optimized out>, tileno@entry=0, cstr_info=<optimized out>) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/tcd.c:839
839 /tmp/buildd/openjpeg-1.5.2/libopenjpeg/tcd.c: No such file or directory.
#0 tcd_malloc_decode_tile (tcd=tcd@entry=0x60e1f0, image=0x60e1b0, cp=0x60e0d0, tileno=<optimized out>, tileno@entry=0, cstr_info=<optimized out>) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/tcd.c:839
#1 0x00007ffff7bc132c in j2k_read_eoc (j2k=0x60e050) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c:1691
#2 0x00007ffff7bc24c2 in j2k_decode (j2k=0x60e050, cio=0x60e170, cstr_info=<optimized out>) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c:2027
#3 0x0000000000401f2b in main (argc=<optimized out>, argv=<optimized out>) at /tmp/buildd/openjpeg-1.5.2/applications/codec/j2k_dump.c:458
A debugging session is active.
Inferior 1 [process 29197] will be killed.
Quit anyway? (y or n) [answered Y; input not from terminal]

*** id_c0ab4aa72114becf0cfe65d875541b71f33d5f71.j2k ***

j2k_dump: /tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c:435: j2k_read_siz: Assertion `n_comps == image->numcomps' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff7543107 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
#0 0x00007ffff7543107 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff75444e8 in __GI_abort () at abort.c:89
#2 0x00007ffff753c226 in __assert_fail_base (fmt=0x7ffff7672ce8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x7ffff7bd5cf7 "n_comps == image->numcomps", file=file@entry=0x7ffff7bd6058 "/tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c", line=line@entry=435, function=function@entry=0x7ffff7bd6326 <__PRETTY_FUNCTION__.6066> "j2k_read_siz") at assert.c:92
#3 0x00007ffff753c2d2 in __GI___assert_fail (assertion=0x7ffff7bd5cf7 "n_comps == image->numcomps", file=0x7ffff7bd6058 "/tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c", line=435, function=0x7ffff7bd6326 <__PRETTY_FUNCTION__.6066> "j2k_read_siz") at assert.c:101
#4 0x00007ffff7bc1263 in j2k_read_siz (j2k=0x60e050) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c:435
#5 0x00007ffff7bc24c2 in j2k_decode (j2k=0x60e050, cio=0x60e170, cstr_info=<optimized out>) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c:2027
#6 0x0000000000401f2b in main (argc=<optimized out>, argv=<optimized out>) at /tmp/buildd/openjpeg-1.5.2/applications/codec/j2k_dump.c:458
A debugging session is active.
Inferior 1 [process 29263] will be killed.
Quit anyway? (y or n) [answered Y; input not from terminal]

*** id_f2a09bfee2caa7d4b0728e845056407ce15a1076.j2k ***

j2k_dump: /tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c:433: j2k_read_siz: Assertion `(len - 36 - 2 ) % 3 == 0' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff7543107 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
#0 0x00007ffff7543107 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff75444e8 in __GI_abort () at abort.c:89
#2 0x00007ffff753c226 in __assert_fail_base (fmt=0x7ffff7672ce8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x7ffff7bd5cde "(len - 36 - 2 ) % 3 == 0", file=file@entry=0x7ffff7bd6058 "/tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c", line=line@entry=433, function=function@entry=0x7ffff7bd6326 <__PRETTY_FUNCTION__.6066> "j2k_read_siz") at assert.c:92
#3 0x00007ffff753c2d2 in __GI___assert_fail (assertion=0x7ffff7bd5cde "(len - 36 - 2 ) % 3 == 0", file=0x7ffff7bd6058 "/tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c", line=433, function=0x7ffff7bd6326 <__PRETTY_FUNCTION__.6066> "j2k_read_siz") at assert.c:101
#4 0x00007ffff7bc1244 in j2k_read_siz (j2k=0x60e050) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c:433
#5 0x00007ffff7bc24c2 in j2k_decode (j2k=0x60e050, cio=0x60e170, cstr_info=<optimized out>) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c:2027
#6 0x0000000000401f2b in main (argc=<optimized out>, argv=<optimized out>) at /tmp/buildd/openjpeg-1.5.2/applications/codec/j2k_dump.c:458
A debugging session is active.
Inferior 1 [process 29343] will be killed.
Quit anyway? (y or n) [answered Y; input not from terminal]

Best regards,
Andreas
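
The two assertions in j2k_read_siz quoted in the backtraces above relate the SIZ segment length to the component count. The following is an added example, not part of the original report and not OpenJPEG's code, that performs the same consistency checks on untrusted input and returns an error instead of calling abort(). All function and enum names are hypothetical, the offsets follow the JPEG 2000 SIZ marker layout (38 fixed bytes plus 3 bytes per component), and the sample segments are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names throughout; this is not OpenJPEG code. */
enum siz_status { SIZ_OK, SIZ_TRUNCATED, SIZ_BAD_LENGTH, SIZ_BAD_COMPS, SIZ_BAD_SAMPLING };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* seg points at Lsiz, directly after the 0xFF51 marker; avail is the number
 * of bytes left in the input buffer from that point. */
enum siz_status siz_validate(const uint8_t *seg, size_t avail, uint16_t *ncomps)
{
    if (avail < 2) return SIZ_TRUNCATED;
    uint16_t lsiz = be16(seg);
    if ((size_t)lsiz > avail) return SIZ_TRUNCATED;   /* segment runs past the buffer */
    /* Lsiz = 38 fixed bytes + 3 bytes (Ssiz, XRsiz, YRsiz) per component. */
    if (lsiz < 41 || (lsiz - 38) % 3 != 0) return SIZ_BAD_LENGTH;
    uint16_t csiz = be16(seg + 36);
    if (csiz == 0 || csiz > 16384 || csiz != (lsiz - 38) / 3) return SIZ_BAD_COMPS;
    for (uint16_t i = 0; i < csiz; i++) {
        const uint8_t *c = seg + 38 + 3 * (size_t)i;
        if (c[1] == 0 || c[2] == 0) return SIZ_BAD_SAMPLING;  /* used as divisors later */
    }
    *ncomps = csiz;
    return SIZ_OK;
}

/* Builds a constructed SIZ body (declared Lsiz and Csiz, at most 8 component
 * records, one sampling pair for all) and returns the validator's verdict. */
enum siz_status siz_check_sample(uint16_t lsiz, uint16_t csiz, uint8_t xr, uint8_t yr)
{
    uint8_t buf[38 + 3 * 8] = {0};
    uint16_t nc = 0;
    size_t built = csiz > 8 ? 8 : csiz;
    buf[0] = (uint8_t)(lsiz >> 8);  buf[1] = (uint8_t)(lsiz & 0xff);
    buf[36] = (uint8_t)(csiz >> 8); buf[37] = (uint8_t)(csiz & 0xff);
    for (size_t i = 0; i < built; i++) {
        buf[38 + 3 * i] = 7;                     /* Ssiz: 8-bit unsigned samples */
        buf[39 + 3 * i] = xr; buf[40 + 3 * i] = yr;
    }
    return siz_validate(buf, 38 + 3 * built, &nc);
}

int main(void)
{
    printf("well-formed, 3 components: %d\n", (int)siz_check_sample(47, 3, 1, 1));
    printf("Lsiz not 38 + 3n:          %d\n", (int)siz_check_sample(46, 3, 1, 1));
    printf("Csiz disagrees with Lsiz:  %d\n", (int)siz_check_sample(47, 4, 1, 1));
    return 0;
}
```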