Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add check to validate SGcod/SPcoc/SPcod parameter values. #1211

Merged
merged 2 commits into from
May 20, 2020
Merged

Add check to validate SGcod/SPcoc/SPcod parameter values. #1211

merged 2 commits into from
May 20, 2020

Conversation

sebras
Copy link
Contributor

@sebras sebras commented Sep 4, 2019

This is my attempt to fix issue #1210

Merging this commit may need changes in openjpeg-data as well for the test files since three files now fail consistently, but the baseline directory in openjpeg-data contains fully parsed header information.

If you prefer I could change the code to only warn in these circumstances (and update the test cases accordingly), but it that would a step away from the specification. Let me know what you think.

@sebras
openjp2/j2k: Make comments adhere to specification.
d801bd4 
The function is used to read both SPcod and SPcoc, so all
comments should refer to both marker segments' parameter names.
@sebras
openjp2/j2k: Validate all SGcod/SPcod/SPcoc parameter values.
f3ee448 
Previously the multiple component transformation SGcod(C)
and wavelet transformation SPcod(H)/SPcoc(E) parameter
values were never checked, allowing for out of range values.

The lack of validation allowed the bit stream provided in
issue uclouvain#1158 through. After this commit an error message
points to the marker segments' parameters as being out of
range.

input/nonregression/edf_c2_20.jp2 contains an SPcod(H) value
of 17, but according to Table A-20 of the specification only
values 0 and 1 are valid. input/nonregression/issue826.jp2
contains a SGcod(B) value of 2, but according to Table A-17
of the specification only values 0 and 1 are valid.
input/nonregression/oss-fuzz2785.jp2 contains a SGcod(B)
value of 32, but it is likewise limited to 0 or 1. These test
cases have been updated to consistently fail to parse the
headers since they contain out of bounds values.

This fixes issue uclouvain#1210.
@sebras
Copy link
Contributor Author

sebras commented Sep 4, 2019

sigh I had forgotten about the code formatting check run by CI... The log did mention that it can be run locally which was really helpful! :)

What is problematic is that the ABI check fails, I can't run it locally and it log doesn't explain how I may have changed the ABI. Do you mind helping out with that? Perhaps it was just a momentary anomaly.

@rouault
Copy link
Collaborator

rouault commented Sep 4, 2019

What is problematic is that the ABI check fails

This isn't related to your change, and also fails with master.

@sebras
Copy link
Contributor Author

sebras commented Sep 4, 2019

This isn't related to your change, and also fails with master.

Oh, that's a relief at least. :) Are you otherwise happy with the pull request?

@rouault
Copy link
Collaborator

rouault commented Sep 4, 2019

Are you otherwise happy with the pull request?

My brain has not been involved with JPEG2000 crazyness for a few months now (might be soon perhaps), so I'm not sure I've an informed opinion right now. I'm not sure to understand if those checks are nice to have, or if they fix crashes later in the code
I believe mct > 1 might be valid in an extension profile of JPEG2000
It is a bit unfortunate existing test cases now rejected since they tested other parts of the code. Wondering if they couldn't be manually patched to not be rejected by the new checks ?

@rouault
Copy link
Collaborator

rouault commented Nov 17, 2019

ABI check issue is solved.

@rouault
Copy link
Collaborator

rouault commented May 20, 2020

OK, on review & testing with Kakadu, those additional checks are reasonable. Merging

@rouault rouault merged commit 19ef7f2 into uclouvain:master May 20, 2020
mtremer pushed a commit to ipfire/ipfire-2.x that referenced this pull request Apr 29, 2022
@pmu-ipf
openjpeg: Update to version 2.4.0
ca98d29 
- Update from version 2.3.1 to 2.4.0
- Update of rootfile
- Changelog
    2.4.0
	**Closed issues:**
		- OPENJPEG\_INSTALL\_DOC\_DIR does not control a destination directory where HTML docs would be installed. [\#1309](uclouvain/openjpeg#1309)
		- Heap-buffer-overflow in lib/openjp2/pi.c:312 [\#1302](uclouvain/openjpeg#1302)
		- Heap-buffer-overflow in lib/openjp2/t2.c:973 [\#1299](uclouvain/openjpeg#1299)
		- Heap-buffer-overflow in lib/openjp2/pi.c:623 [\#1293](uclouvain/openjpeg#1293)
		- Global-buffer-overflow in lib/openjp2/dwt.c:1980 [\#1286](uclouvain/openjpeg#1286)
		- Heap-buffer-overflow in lib/openjp2/tcd.c:2417 [\#1284](uclouvain/openjpeg#1284)
		- Heap-buffer-overflow in lib/openjp2/mqc.c:499 [\#1283](uclouvain/openjpeg#1283)
		- Openjpeg could not encode 32bit RGB float image [\#1281](uclouvain/openjpeg#1281)
		- Openjpeg could not encode 32bit RGB float image [\#1280](uclouvain/openjpeg#1280)
		- ISO/IEC 15444-1:2019 \(E\) compared with 'cio.h' [\#1277](uclouvain/openjpeg#1277)
		- Test-suite failure due to hash mismatch [\#1264](uclouvain/openjpeg#1264)
		- Heap use-after-free [\#1261](uclouvain/openjpeg#1261)
		- Memory leak when failing to allocate object... [\#1259](uclouvain/openjpeg#1259)
		- Memory leak of Tier 1 handle when OpenJPEG fails to set it as TLS... [\#1257](uclouvain/openjpeg#1257)
		- Any plan to build release for CVE-2020-8112/CVE-2020-6851 [\#1247](uclouvain/openjpeg#1247)
		- failing to convert 16-bit file: opj\_t2\_encode\_packet\(\): only 5251 bytes remaining in output buffer. 5621 needed. [\#1243](uclouvain/openjpeg#1243)
		- CMake+VS2017 Compile OK, thirdparty Compile OK, but thirdparty not install [\#1239](uclouvain/openjpeg#1239)
		- New release to solve CVE-2019-6988 ? [\#1238](uclouvain/openjpeg#1238)
		- Many tests fail to pass after the update of libtiff to version 4.1.0 [\#1233](uclouvain/openjpeg#1233)
		- Another heap buffer overflow in libopenjp2 [\#1231](uclouvain/openjpeg#1231)
		- Heap buffer overflow in libopenjp2 [\#1228](uclouvain/openjpeg#1228)
		- Endianness of binary volume \(JP3D\) [\#1224](uclouvain/openjpeg#1224)
		- New release to resolve CVE-2019-12973 [\#1222](uclouvain/openjpeg#1222)
		- how to set the block size,like 128,256 ? [\#1216](uclouvain/openjpeg#1216)
		- compress YUV files to motion jpeg2000 standard [\#1213](uclouvain/openjpeg#1213)
		- Repair/update Java wrapper, and include in release [\#1208](uclouvain/openjpeg#1208)
		- abc [\#1206](uclouvain/openjpeg#1206)
		- Slow decoding [\#1202](uclouvain/openjpeg#1202)
		- Installation question [\#1201](uclouvain/openjpeg#1201)
		- Typo in test\_decode\_area - \*ptilew is assigned instead of \*ptileh [\#1195](uclouvain/openjpeg#1195)
		- Creating a J2K file with one POC is broken [\#1191](uclouvain/openjpeg#1191)
		- Make fails on Arch Linux [\#1174](uclouvain/openjpeg#1174)
		- Heap buffer overflow in opj\_t1\_clbl\_decode\_processor\(\) triggered with Ghostscript [\#1158](uclouvain/openjpeg#1158)
		- opj\_stream\_get\_number\_byte\_left: Assertion `p\_stream-\>m\_byte\_offset \>= 0' failed. [\#1151](uclouvain/openjpeg#1151)
		- The fuzzer ignores too many inputs [\#1079](uclouvain/openjpeg#1079)
		- out of bounds read [\#1068](uclouvain/openjpeg#1068)
	**Merged pull requests:**
		- Change defined WIN32 [\#1310](uclouvain/openjpeg#1310) ([Jamaika1](https://github.com/Jamaika1))
		- docs: fix simple typo, producted -\> produced [\#1308](uclouvain/openjpeg#1308) ([timgates42](https://github.com/timgates42))
		- Set ${OPENJPEG\_INSTALL\_DOC\_DIR} to DESTINATION of HTMLs [\#1307](uclouvain/openjpeg#1307) ([lemniscati](https://github.com/lemniscati))
		- Use INC\_DIR for OPENJPEG\_INCLUDE\_DIRS \(fixes uclouvain\#1174\) [\#1306](uclouvain/openjpeg#1306) ([matthew-sharp](https://github.com/matthew-sharp))
		- pi.c: avoid out of bounds access with POC \(fixes \#1302\) [\#1304](uclouvain/openjpeg#1304) ([rouault](https://github.com/rouault))
		- Encoder: grow again buffer size [\#1303](uclouvain/openjpeg#1303) ([zodf0055980](https://github.com/zodf0055980))
		- opj\_j2k\_write\_sod\(\): avoid potential heap buffer overflow \(fixes \#1299\) \(probably master only\) [\#1301](uclouvain/openjpeg#1301) ([rouault](https://github.com/rouault))
		- pi.c: avoid out of bounds access with POC \(refs https://github.com/uclouvain/openjpeg/issues/1293\#issuecomment-737122836\) [\#1300](uclouvain/openjpeg#1300) ([rouault](https://github.com/rouault))
		- opj\_t2\_encode\_packet\(\): avoid out of bound access of \#1297, but likely not the proper fix [\#1298](uclouvain/openjpeg#1298) ([rouault](https://github.com/rouault))
		- opj\_t2\_encode\_packet\(\): avoid out of bound access of \#1294, but likely not the proper fix [\#1296](uclouvain/openjpeg#1296) ([rouault](https://github.com/rouault))
		- opj\_j2k\_setup\_encoder\(\): validate POC compno0 and compno1 \(fixes \#1293\) [\#1295](uclouvain/openjpeg#1295) ([rouault](https://github.com/rouault))
		- Encoder: avoid global buffer overflow on irreversible conversion when… [\#1292](uclouvain/openjpeg#1292) ([rouault](https://github.com/rouault))
		- Decoding: deal with some SPOT6 images that have tiles with a single tile-part with TPsot == 0 and TNsot == 0, and with missing EOC [\#1291](uclouvain/openjpeg#1291) ([rouault](https://github.com/rouault))
		- Free p\_tcd\_marker\_info to avoid memory leak [\#1288](uclouvain/openjpeg#1288) ([zodf0055980](https://github.com/zodf0055980))
		- Encoder: grow again buffer size [\#1287](uclouvain/openjpeg#1287) ([zodf0055980](https://github.com/zodf0055980))
		- Encoder: avoid uint32 overflow when allocating memory for codestream buffer \(fixes \#1243\) [\#1276](uclouvain/openjpeg#1276) ([rouault](https://github.com/rouault))
		- Java compatibility from 1.5 to 1.6 [\#1263](uclouvain/openjpeg#1263) ([jiapei100](https://github.com/jiapei100))
		- opj\_decompress: fix double-free on input directory with mix of valid and invalid images [\#1262](uclouvain/openjpeg#1262) ([rouault](https://github.com/rouault))
		- openjp2: Plug image leak when failing to allocate codestream index. [\#1260](uclouvain/openjpeg#1260) ([sebras](https://github.com/sebras))
		- openjp2: Plug memory leak when setting data as TLS fails. [\#1258](uclouvain/openjpeg#1258) ([sebras](https://github.com/sebras))
		- openjp2: Error out if failing to create Tier 1 handle. [\#1256](uclouvain/openjpeg#1256) ([sebras](https://github.com/sebras))
		- Testing for invalid values of width, height, numcomps [\#1254](uclouvain/openjpeg#1254) ([szukw000](https://github.com/szukw000))
		- Single-threaded performance improvements in forward DWT for 5-3 and 9-7 \(and other improvements\) [\#1253](uclouvain/openjpeg#1253) ([rouault](https://github.com/rouault))
		- Add support for multithreading in encoder [\#1248](uclouvain/openjpeg#1248) ([rouault](https://github.com/rouault))
		- Add support for generation of PLT markers in encoder [\#1246](uclouvain/openjpeg#1246) ([rouault](https://github.com/rouault))
		- Fix warnings about signed/unsigned casts in pi.c [\#1244](uclouvain/openjpeg#1244) ([rouault](https://github.com/rouault))
		- opj\_decompress: add sanity checks to avoid segfault in case of decoding error [\#1240](uclouvain/openjpeg#1240) ([rouault](https://github.com/rouault))
		- ignore wrong icc [\#1236](uclouvain/openjpeg#1236) ([szukw000](https://github.com/szukw000))
		- Implement writing of IMF profiles [\#1235](uclouvain/openjpeg#1235) ([rouault](https://github.com/rouault))
		- tests: add alternate checksums for libtiff 4.1 [\#1234](uclouvain/openjpeg#1234) ([rouault](https://github.com/rouault))
		- opj\_tcd\_init\_tile\(\): avoid integer overflow [\#1232](uclouvain/openjpeg#1232) ([rouault](https://github.com/rouault))
		- tests/fuzzers: link fuzz binaries using $LIB\_FUZZING\_ENGINE. [\#1230](uclouvain/openjpeg#1230) ([Dor1s](https://github.com/Dor1s))
		- opj\_j2k\_update\_image\_dimensions\(\): reject images whose coordinates are beyond INT\_MAX \(fixes \#1228\) [\#1229](uclouvain/openjpeg#1229) ([rouault](https://github.com/rouault))
		- Fix resource leaks [\#1226](uclouvain/openjpeg#1226) ([dodys](https://github.com/dodys))
		- abi-check.sh: fix false postive ABI error, and display output error log [\#1218](uclouvain/openjpeg#1218) ([rouault](https://github.com/rouault))
		- pi.c: avoid integer overflow, resulting in later invalid access to memory in opj\_t2\_decode\_packets\(\) [\#1217](uclouvain/openjpeg#1217) ([rouault](https://github.com/rouault))
		- Add check to validate SGcod/SPcoc/SPcod parameter values. [\#1211](uclouvain/openjpeg#1211) ([sebras](https://github.com/sebras))
		- Fix buffer overflow reading an image file less than four characters [\#1196](uclouvain/openjpeg#1196) ([robert-ancell](https://github.com/robert-ancell))
		- compression: emit POC marker when only one single POC is requested \(f… [\#1192](uclouvain/openjpeg#1192) ([rouault](https://github.com/rouault))
		- Fix several potential vulnerabilities  [\#1185](uclouvain/openjpeg#1185) ([Young-X](https://github.com/Young-X))
		- openjp2/j2k: Report error if all wanted components are not decoded. [\#1164](uclouvain/openjpeg#1164) ([sebras](https://github.com/sebras))

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@sebras @rouault