Bitstream parser lacks validation for some segment marker parameter values... #1210

Open
sebras opened this issue Sep 3, 2019 · 0 comments

sebras commented Sep 3, 2019

When manually analyzing the bit stream from issue #1158 it was evident that the underlying issue is that SGcod(C), SPcod(H) and SPcoc(E) were out of range.

This was never detected by OpenJPEG because opj_j2k_read_cod() and opj_j2k_read_SPCod_SPCoc() never validate these values after reading them. Other parameter values from the same segment markers are validated, however.

I will attempt to provide a sane pull request for addressing this.

sebras added a commit to sebras/openjpeg that referenced this issue Sep 3, 2019
Previously the multiple component transformation SGcod(C)
and wavelet transformation SPcod(H)/SPcoc(E) parameter
values were never checked, allowing for out of range values.

The lack of validation allowed the bit stream provided in
issue uclouvain#1158 through. After this commit an error message
points to the marker segments' parameters as being out of
range.

This fixes issue uclouvain#1210.
sebras added a commit to sebras/openjpeg that referenced this issue Sep 4, 2019
Previously the multiple component transformation SGcod(C)
and wavelet transformation SPcod(H)/SPcoc(E) parameter
values were never checked, allowing for out of range values.

The lack of validation allowed the bit stream provided in
issue uclouvain#1158 through. After this commit an error message
points to the marker segments' parameters as being out of
range.

input/nonregression/edf_c2_20.jp2 contains an SPcod(H) value
of 17, but according to Table A-20 of the specification only
values 0 and 1 are valid. input/nonregression/issue826.jp2
contains a SGcod(B) value of 2, but according to Table A-17
of the specification only values 0 and 1 are valid.
input/nonregression/oss-fuzz2785.jp2 contains a SGcod(B)
value of 32, but it is likewise limited to 0 or 1. These test
cases have been updated to consistently fail to parse the
headers since they contain out of bounds values.

This fixes issue uclouvain#1210.
DanielHeath pushed a commit to radiopaedia/openjpeg that referenced this issue Sep 21, 2021
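
An added example, not OpenJPEG's code and not the patch from the commits referenced above: a range check of the kind this issue asks for, applied to the fixed fields of a COD marker segment payload. The function name, status enum and sample bytes are assumptions made for illustration; the byte offsets follow the COD layout of the JPEG 2000 codestream syntax, and the limits (0 or 1) are the ones quoted from Tables A-17 and A-20.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status codes of the hypothetical checker below. */
typedef enum {
    COD_OK = 0,
    COD_TRUNCATED,     /* fewer bytes than the fixed COD fields require */
    COD_BAD_MCT,       /* multiple component transformation not 0 or 1 */
    COD_BAD_TRANSFORM  /* wavelet transformation not 0 or 1 */
} cod_status;

/* Fixed part of a COD payload (the bytes after Lcod):
 * Scod(1) | progression order(1) | number of layers(2) | MCT(1) |
 * decomposition levels(1) | code-block width(1) | code-block height(1) |
 * code-block style(1) | wavelet transformation(1) */
enum { COD_OFF_MCT = 4, COD_OFF_TRANSFORM = 9, COD_FIXED_LEN = 10 };

/* Validate the two fields the issue reports as unchecked. The length is
 * tested first so that neither offset can be read out of bounds. */
cod_status check_cod_payload(const uint8_t *p, size_t len)
{
    if (p == NULL || len < COD_FIXED_LEN)
        return COD_TRUNCATED;
    if (p[COD_OFF_MCT] > 1)
        return COD_BAD_MCT;
    if (p[COD_OFF_TRANSFORM] > 1)
        return COD_BAD_TRANSFORM;
    return COD_OK;
}

/* Constructed sample payloads; these are not bytes from the files
 * named in the issue or the commit messages. */
static const uint8_t cod_valid[]   = {0x00, 0x00, 0x00, 0x01, 0x01,
                                      0x05, 0x04, 0x04, 0x00, 0x01};
static const uint8_t cod_bad_wt[]  = {0x00, 0x00, 0x00, 0x01, 0x01,
                                      0x05, 0x04, 0x04, 0x00, 0x11}; /* 17 */
static const uint8_t cod_bad_mct[] = {0x00, 0x00, 0x00, 0x01, 0x02,
                                      0x05, 0x04, 0x04, 0x00, 0x01}; /* 2 */

int main(void)
{
    printf("valid:    %d\n", check_cod_payload(cod_valid, sizeof cod_valid));
    printf("bad wt:   %d\n", check_cod_payload(cod_bad_wt, sizeof cod_bad_wt));
    printf("bad mct:  %d\n", check_cod_payload(cod_bad_mct, sizeof cod_bad_mct));
    printf("too short: %d\n", check_cod_payload(cod_valid, 9));
    return 0;
}
```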