Heap buffer overflow in opj_j2k_update_image_data() triggered with Ghostscript #1157
Closed
Description
Version: 2.3.0
and recent master: cd900d9
Command to reproduce (Ghostscript): gs -dNOPAUSE -sDEVICE=bit -sOUTPUTFILE=/dev/null -dSAFER gs_hbo_update_image_data -c quit
Crashing test case (please unpack): gs_hbo_update_image_data.zip
ASAN log:
==3306==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f36ee8b4841 at pc 0x7f372b049d1a bp 0x7ffedfacc0c0 sp 0x7ffedfacb868
WRITE of size 14325121024 at 0x7f36ee8b4841 thread T0
#0 0x7f372b049d19 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5ed19)
#1 0x55d0407dff7d in opj_j2k_update_image_data openjpeg/src/lib/openjp2/j2k.c:9192
#2 0x55d04081a60f in opj_j2k_decode_tiles openjpeg/src/lib/openjp2/j2k.c:10732
#3 0x55d0407d1c8f in opj_j2k_exec openjpeg/src/lib/openjp2/j2k.c:8096
#4 0x55d040827500 in opj_j2k_decode openjpeg/src/lib/openjp2/j2k.c:11017
#5 0x55d040842a44 in opj_jp2_decode openjpeg/src/lib/openjp2/jp2.c:1604
#6 0x55d040777a45 in decode_image base/sjpx_openjpeg.c:407
#7 0x55d040777a45 in s_opjd_process base/sjpx_openjpeg.c:734
#8 0x55d040b61b79 in sreadbuf base/stream.c:823
#9 0x55d040b72a98 in s_process_read_buf base/stream.c:749
#10 0x55d0425e167a in image_file_continue psi/zimage.c:533
#11 0x55d0424031b8 in interp psi/interp.c:1256
#12 0x55d0424031b8 in gs_call_interp psi/interp.c:516
#13 0x55d042412c0d in gs_interpret psi/interp.c:473
#14 0x55d0423afe2f in gs_main_interpret psi/imain.c:235
#15 0x55d0423afe2f in gs_main_run_string_end psi/imain.c:658
#16 0x55d0423afe2f in gs_main_run_string_with_length psi/imain.c:610
#17 0x55d0423afe2f in gs_main_run_string psi/imain.c:591
#18 0x55d0423bd0e8 in run_string psi/imainarg.c:1034
#19 0x55d0423bd0e8 in runarg psi/imainarg.c:1024
#20 0x55d0423c698b in argproc psi/imainarg.c:957
#21 0x55d0423c698b in gs_main_init_with_args psi/imainarg.c:233
#22 0x55d03fc2c249 in main psi/gs.c:95
#23 0x7f37297dfb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#24 0x55d03fc41289 in _start (XYZ/gs_asan/bin/gs+0x36a289)
0x7f36ee8b4841 is located 0 bytes to the right of 1440219201-byte region [0x7f3698b34800,0x7f36ee8b4841)
allocated by thread T0 here:
#0 0x7f372b0c9b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
#1 0x55d0419499c9 in gs_heap_alloc_bytes base/gsmalloc.c:193
SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5ed19)
Shadow bytes around the buggy address:
0x0fe75dd0e8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe75dd0e8c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe75dd0e8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe75dd0e8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe75dd0e8f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe75dd0e900: 00 00 00 00 00 00 00 00[01]fa fa fa fa fa fa fa
0x0fe75dd0e910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe75dd0e920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe75dd0e930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe75dd0e940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0fe75dd0e950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3306==ABORTING