Closed
Description
I found a heap buffer overflow in the current master (491299e).
I built openjpeg with ASAN; this is the ASAN report.
POC picture:
~/openjpeg/build/bin/opj_compress -i ./sample.png -o ./out.j2k -M 3
[INFO] tile number 1 / 1
=================================================================
==29113==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000097 at pc 0x7f42917e7394 bp 0x7ffd162eff00 sp 0x7ffd162efef0
WRITE of size 1 at 0x602000000097 thread T0
#0 0x7f42917e7393 in opj_mqc_byteout /home/yuan/afl-target/openjpeg/src/lib/openjp2/mqc.c:505
#1 0x7f42917e7587 in opj_mqc_flush /home/yuan/afl-target/openjpeg/src/lib/openjp2/mqc.c:218
#2 0x7f429185ad50 in opj_t1_encode_cblk /home/yuan/afl-target/openjpeg/src/lib/openjp2/t1.c:2478
#3 0x7f429185ad50 in opj_t1_clbl_encode_processor /home/yuan/afl-target/openjpeg/src/lib/openjp2/t1.c:2241
#4 0x7f4291702fcc in opj_thread_pool_submit_job /home/yuan/afl-target/openjpeg/src/lib/openjp2/thread.c:835
#5 0x7f42918814a0 in opj_t1_encode_cblks /home/yuan/afl-target/openjpeg/src/lib/openjp2/t1.c:2319
#6 0x7f42918af7c0 in opj_tcd_t1_encode /home/yuan/afl-target/openjpeg/src/lib/openjp2/tcd.c:2535
#7 0x7f42918af7c0 in opj_tcd_encode_tile /home/yuan/afl-target/openjpeg/src/lib/openjp2/tcd.c:1439
#8 0x7f429178af9b in opj_j2k_write_sod /home/yuan/afl-target/openjpeg/src/lib/openjp2/j2k.c:4813
#9 0x7f429178af9b in opj_j2k_write_first_tile_part /home/yuan/afl-target/openjpeg/src/lib/openjp2/j2k.c:12626
#10 0x7f429178af9b in opj_j2k_post_write_tile /home/yuan/afl-target/openjpeg/src/lib/openjp2/j2k.c:12382
#11 0x7f42917c273b in opj_j2k_encode /home/yuan/afl-target/openjpeg/src/lib/openjp2/j2k.c:12131
#12 0x5599a3d9d984 in main /home/yuan/afl-target/openjpeg/src/bin/jp2/opj_compress.c:2206
#13 0x7f42908d8bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
#14 0x5599a3da2fd9 in _start (/home/yuan/afl-target/openjpeg/build/bin/opj_compress+0x1afd9)
0x602000000097 is located 0 bytes to the right of 7-byte region [0x602000000090,0x602000000097)
allocated by thread T0 here:
#0 0x7f4291bc1b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
#1 0x7f42918b4ba4 in opj_tcd_code_block_enc_allocate_data /home/yuan/afl-target/openjpeg/src/lib/openjp2/tcd.c:1256
#2 0x7f42918b4ba4 in opj_tcd_init_tile /home/yuan/afl-target/openjpeg/src/lib/openjp2/tcd.c:1170
#3 0x7f42918b4ba4 in opj_tcd_init_encode_tile /home/yuan/afl-target/openjpeg/src/lib/openjp2/tcd.c:1201
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/yuan/afl-target/openjpeg/src/lib/openjp2/mqc.c:505 in opj_mqc_byteout
Shadow bytes around the buggy address:
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff8000: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 fa
=>0x0c047fff8010: fa fa[07]fa fa fa 07 fa fa fa 07 fa fa fa 07 fa
0x0c047fff8020: fa fa 07 fa fa fa 07 fa fa fa 07 fa fa fa 07 fa
0x0c047fff8030: fa fa 07 fa fa fa 07 fa fa fa 07 fa fa fa 07 fa
0x0c047fff8040: fa fa 07 fa fa fa 07 fa fa fa 07 fa fa fa 07 fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==29113==ABORTING
I also tried to prove it without ASAN.
It mallocs 7 bytes (0x602000000090) in opj_tcd_code_block_enc_allocate_data.
In the opj_mqc_byteout function:
mqc->bp is 0x602000000096 first.
It tries to do mqc->bp++, and sets a value at 0x602000000097.
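The report boils down to an unchecked "bp++, then store" step running one byte past a 7-byte allocation. The following is an added illustration, not OpenJPEG's code: a hypothetical byte sink (byte_sink, sink_byteout, run_sink are invented names) that carries the end of its allocation and refuses the write, reproduced with the exact state from the report (7-byte buffer, bp parked at offset 6).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of an arithmetic-coder output sink; it is not
 * OpenJPEG's opj_mqc_t. It carries an explicit end pointer so the
 * "advance bp, then store" step can be checked against the allocation. */
typedef struct {
    uint8_t *start;    /* first byte of the code-block buffer */
    uint8_t *bp;       /* position of the last byte written */
    uint8_t *end;      /* one past the last addressable byte */
    uint8_t  c;        /* pending byte to emit */
    int      overflow; /* set when a write was refused */
} byte_sink;

/* Bounded version of the byteout step: returns 0 after storing the byte,
 * or -1 (and flags overflow) when bp + 1 would leave the buffer. */
static int sink_byteout(byte_sink *s)
{
    if (s->bp + 1 >= s->end) {
        s->overflow = 1;
        return -1;
    }
    s->bp++;
    *s->bp = s->c;
    return 0;
}

/* Run n byteout steps against a fresh heap buffer of cap bytes with bp
 * parked at start + pos. Returns the number of bytes accepted and reports
 * through *overflowed whether a write had to be refused. */
static size_t run_sink(size_t cap, size_t pos, size_t n, int *overflowed)
{
    uint8_t *buf = calloc(cap, 1);
    byte_sink s = { buf, buf + pos, buf + cap, 0xAB, 0 };
    size_t written = 0;
    for (size_t i = 0; i < n; i++) {
        if (sink_byteout(&s) != 0) break;
        written++;
    }
    *overflowed = s.overflow;
    free(buf);
    return written;
}

int main(void)
{
    int ov;
    /* Same state as the report: 7-byte region, bp at offset 6, one more byte. */
    size_t w = run_sink(7, 6, 1, &ov);
    printf("7-byte buffer, bp at +6: wrote %zu byte(s), overflow=%d\n", w, ov);
    return 0;
}
```

With the unchecked variant the same state is exactly the ASAN finding above: a 1-byte WRITE at offset 7 of a 7-byte region.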