Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Integer overflows in j2K #1399

Closed
Eharve14 opened this issue Jan 18, 2022 · 4 comments
Closed

Integer overflows in j2K #1399

Eharve14 opened this issue Jan 18, 2022 · 4 comments

Comments

@Eharve14
Copy link
Contributor

in the j2k.c file there is no check on max value of cp->tw or cp-th when the values are set.
cp->tw = (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)(image->x1 - cp->tx0), (OPJ_INT32)cp->tdx); cp->th = (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)(image->y1 - cp->ty0), (OPJ_INT32)cp->tdy);

These values are later multiplied and the result is used in an ops_calloc function that does not have a cast before the call. The product of these values are also used to iterate a loop with a loop iterator that is also a 32 bit integer, tileno, which is used to write to the allocated memory.

cp->tcps = (opj_tcp_t*) opj_calloc(cp->tw * cp->th, sizeof(opj_tcp_t)); if (!cp->tcps) { opj_event_msg(p_manager, EVT_ERROR, "Not enough memory to allocate tile coding parameters\n"); return OPJ_FALSE; }

for (tileno = 0; tileno < cp->tw * cp->th; tileno++) {
    opj_tcp_t *tcp = &cp->tcps[tileno];`

I was going to cast the calloc call, but it will create an issue in the tileno loop. I would like to add a check for the result of the multiplication or some cap on the maximum value of tw and th like in the struct l_cp as shown below:
/* Compute the number of tiles */ l_cp->tw = (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)(l_image->x1 - l_cp->tx0), (OPJ_INT32)l_cp->tdx); l_cp->th = (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)(l_image->y1 - l_cp->ty0), (OPJ_INT32)l_cp->tdy);

/* Check that the number of tiles is valid */
if (l_cp->tw == 0 || l_cp->th == 0 || l_cp->tw > 65535 / l_cp->th) {
    opj_event_msg(p_manager, EVT_ERROR,
                  "Invalid number of tiles : %u x %u (maximum fixed by jpeg2000 norm is 65535 tiles)\n",
                  l_cp->tw, l_cp->th);
    return OPJ_FALSE;
}`
@rouault
Copy link
Collaborator

rouault commented Jan 18, 2022

I don't understand why there would be an overflow on multiplication given that the l_cp->tw > 65535 / l_cp->th test done at line 2342 checks that the number of tiles is not greater than 65535, hence uint32 overflow can't occur.

@Eharve14
Copy link
Contributor Author

That is true on for the l_cp struct. Th similarly named cp struct is set with out the check. If you look at lines 7952 and 7954 the value for cp->tw and cp -> th are set with out a similar check. Subsequently on line 8024 the values are multiplied to allocate memory and iterate a loop.

rouault added a commit to rouault/openjpeg that referenced this issue Jan 18, 2022
@rouault
opj_j2k_setup_encoder(): validate number of tiles to avoid illegal va…
70f5e0a 
…lues and potential overflow (fixes uclouvain#1399)
@rouault
Copy link
Collaborator

rouault commented Jan 18, 2022

If you look at lines 7952 and 7954 the value for cp->tw and cp -> th are set with out a similar check. Subsequently on line 8024 the values are multiplied to allocate memory and iterate a loop.

got it. fixed in #1401

@Eharve14
Copy link
Contributor Author

Awesome, closed with #1401

rouault added a commit that referenced this issue Jan 18, 2022
@rouault
Merge pull request #1401 from rouault/fix_1399
d87fd92 
opj_j2k_setup_encoder(): validate number of tiles to avoid illegal values and potential overflow (fixes #1399)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@rouault @Eharve14