
Heap buffer overflow in opj_j2k_update_image_data() triggered with Ghostscript #1157

Closed
fumfel opened this issue Oct 19, 2018 · 2 comments

fumfel commented Oct 19, 2018

Version: 2.3.0 and recent master: cd900d9

Command to reproduce (Ghostscript): gs -dNOPAUSE -sDEVICE=bit -sOUTPUTFILE=/dev/null -dSAFER gs_hbo_update_image_data -c quit

Crashing test case (please unpack): gs_hbo_update_image_data.zip

ASAN log:

==3306==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f36ee8b4841 at pc 0x7f372b049d1a bp 0x7ffedfacc0c0 sp 0x7ffedfacb868
WRITE of size 14325121024 at 0x7f36ee8b4841 thread T0
    #0 0x7f372b049d19  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5ed19)
    #1 0x55d0407dff7d in opj_j2k_update_image_data openjpeg/src/lib/openjp2/j2k.c:9192
    #2 0x55d04081a60f in opj_j2k_decode_tiles openjpeg/src/lib/openjp2/j2k.c:10732
    #3 0x55d0407d1c8f in opj_j2k_exec openjpeg/src/lib/openjp2/j2k.c:8096
    #4 0x55d040827500 in opj_j2k_decode openjpeg/src/lib/openjp2/j2k.c:11017
    #5 0x55d040842a44 in opj_jp2_decode openjpeg/src/lib/openjp2/jp2.c:1604
    #6 0x55d040777a45 in decode_image base/sjpx_openjpeg.c:407
    #7 0x55d040777a45 in s_opjd_process base/sjpx_openjpeg.c:734
    #8 0x55d040b61b79 in sreadbuf base/stream.c:823
    #9 0x55d040b72a98 in s_process_read_buf base/stream.c:749
    #10 0x55d0425e167a in image_file_continue psi/zimage.c:533
    #11 0x55d0424031b8 in interp psi/interp.c:1256
    #12 0x55d0424031b8 in gs_call_interp psi/interp.c:516
    #13 0x55d042412c0d in gs_interpret psi/interp.c:473
    #14 0x55d0423afe2f in gs_main_interpret psi/imain.c:235
    #15 0x55d0423afe2f in gs_main_run_string_end psi/imain.c:658
    #16 0x55d0423afe2f in gs_main_run_string_with_length psi/imain.c:610
    #17 0x55d0423afe2f in gs_main_run_string psi/imain.c:591
    #18 0x55d0423bd0e8 in run_string psi/imainarg.c:1034
    #19 0x55d0423bd0e8 in runarg psi/imainarg.c:1024
    #20 0x55d0423c698b in argproc psi/imainarg.c:957
    #21 0x55d0423c698b in gs_main_init_with_args psi/imainarg.c:233
    #22 0x55d03fc2c249 in main psi/gs.c:95
    #23 0x7f37297dfb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #24 0x55d03fc41289 in _start (XYZ/gs_asan/bin/gs+0x36a289)

0x7f36ee8b4841 is located 0 bytes to the right of 1440219201-byte region [0x7f3698b34800,0x7f36ee8b4841)
allocated by thread T0 here:
    #0 0x7f372b0c9b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x55d0419499c9 in gs_heap_alloc_bytes base/gsmalloc.c:193

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5ed19) 
Shadow bytes around the buggy address:
  0x0fe75dd0e8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe75dd0e8c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe75dd0e8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe75dd0e8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe75dd0e8f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe75dd0e900: 00 00 00 00 00 00 00 00[01]fa fa fa fa fa fa fa
  0x0fe75dd0e910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe75dd0e920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe75dd0e930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe75dd0e940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe75dd0e950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3306==ABORTING
szukw000 (Contributor) commented

@fumfel,
I used gs version 9.25.
winfried
gs.txt.zip

sebras (Contributor) commented Oct 31, 2018

This was a bug in the allocator in Ghostscript; I have recently fixed this as part of bug 700056.

This is not a bug in openjpeg, so this bug can be closed.

@fumfel fumfel closed this as completed Oct 31, 2018
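The thread records only that the root cause was an allocator bug on the Ghostscript side, not what that bug was. The ASAN figures do point at one candidate worth checking during triage: 14325121024 mod 2^32 is 1440219136, which is 65 bytes short of the 1440219201-byte region, exactly the shape a 64-bit request takes after being narrowed to a 32-bit allocator parameter before malloc() is called. The C below is an added example, not code from Ghostscript, OpenJPEG or anyone in this thread, that works through that arithmetic on the report's numbers and shows the hardened boundary a wrapper should have. The 32-bit `alloc_size_t` interface, `narrowed_request`, `fits_alloc_size`, `component_bytes` and `consistent_with_narrowing` are hypothetical names for this illustration, and the narrowing explanation itself is an assumption: the issue confirms an allocator bug, not this particular one.

```c
#include <stdint.h>
#include <stdio.h>

/* Figures copied from the ASAN report in this issue. */
#define ASAN_WRITE_SIZE   14325121024ULL  /* "WRITE of size 14325121024" in opj_j2k_update_image_data */
#define ASAN_REGION_SIZE  1440219201ULL   /* "1440219201-byte region" allocated via gs_heap_alloc_bytes */

/* Hypothetical width of an allocator's size parameter (an assumption for this
 * example, not Ghostscript's real interface). A size_t request passed to such a
 * parameter is narrowed silently: only the low 32 bits survive the call. */
typedef uint32_t alloc_size_t;

/* What a 32-bit allocator parameter receives for a 64-bit request. */
uint64_t narrowed_request(uint64_t want)
{
    alloc_size_t got = (alloc_size_t)want;   /* the implicit conversion at a real call site */
    return got;
}

/* Hardened boundary: a request that does not fit the parameter type is refused
 * (returns 0) instead of being wrapped; the caller then fails as for a NULL malloc. */
int fits_alloc_size(uint64_t want)
{
    return want <= (uint64_t)UINT32_MAX;
}

/* Overflow-checked buffer size for a width*height*elem image component, the
 * kind of product a JPEG 2000 decoder computes per component before allocating.
 * Returns 0 when any operand is 0 or any multiplication would wrap. */
uint64_t component_bytes(uint64_t w, uint64_t h, uint64_t elem)
{
    if (w == 0 || h == 0 || elem == 0) return 0;
    if (h > UINT64_MAX / w) return 0;
    uint64_t px = w * h;
    if (elem > UINT64_MAX / px) return 0;
    return px * elem;
}

/* Triage rule for reports like the one above: a write larger than the region
 * whose low 32 bits still fit inside it is consistent with the requested size
 * having been narrowed to 32 bits somewhere between the caller and malloc(). */
int consistent_with_narrowing(uint64_t write_size, uint64_t region_size)
{
    return write_size > region_size && (write_size & 0xffffffffULL) <= region_size;
}

int main(void)
{
    printf("request %llu bytes -> 32-bit parameter sees %llu (ASAN region: %llu)\n",
           (unsigned long long)ASAN_WRITE_SIZE,
           (unsigned long long)narrowed_request(ASAN_WRITE_SIZE),
           (unsigned long long)ASAN_REGION_SIZE);
    printf("hardened boundary %s the request\n",
           fits_alloc_size(ASAN_WRITE_SIZE) ? "accepts" : "rejects");
    printf("report consistent with 32-bit narrowing: %s\n",
           consistent_with_narrowing(ASAN_WRITE_SIZE, ASAN_REGION_SIZE) ? "yes" : "no");
    return 0;
}
```

The same rule generalises to any ASAN "WRITE of size N" that dwarfs the region it overran: reduce N modulo the width of every integer type the size passes through on its way to the allocator, and if one of those residues fits the region (allowing for a few bytes of header or alignment slack, 65 here) the allocation path, not the writer, is the first place to look.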