[Pkg-phototools-devel] Bug#787275: libopenjpeg5: multiple SIGSEGV/SIGABRT crashes with fuzzed samples

Andreas Cadhalpun andreas.cadhalpun at googlemail.com
Sat May 30 19:24:30 UTC 2015


Package: libopenjpeg5
Version: 1:1.5.2-3
Severity: important
Tags: security

Dear Maintainer,

I have several samples causing j2k_dump to crash in different ways.
I can provide these privately, but I'm not attaching them here,
because I don't think that making them public before the issues are
fixed would be a good idea.

Backtraces:
$ for f in *; do echo -e "\n\n\n *** $f *** \n\n\n"; gdb --batch -ex r -ex bt -ex q --args j2k_dump -i "$f"; done



 *** id_07cc0ea0b24a217441df652958ff4d93b50ae8f1.j2k *** 




[INFO] tile 1 of 5377

Program received signal SIGSEGV, Segmentation fault.
tgt_reset (tree=0x4300000000000000) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/tgt.c:122
122	/tmp/buildd/openjpeg-1.5.2/libopenjpeg/tgt.c: No such file or directory.
#0  tgt_reset (tree=0x4300000000000000) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/tgt.c:122
#1  0x00007ffff7bcdf43 in t2_decode_packet (t2=0x16dc8a0, t2=0x16dc8a0, tile=0x7ffff53e8010, pi=0x16dc8c0, pi=0x16dc8c0, pi=0x16dc8c0, pi=0x16dc8c0, pack_info=0x0, tcp=0x7ffff584c010, len=653, src=0x16cd661 "4\375\201") at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/t2.c:360
#2  t2_decode_packets (t2=t2@entry=0x16dc8a0, src=src@entry=0x16cd600 "\300\374\300\200\001\307\300\374\300\200\a8\300~", len=len@entry=750, tileno=tileno@entry=0, tile=tile@entry=0x7ffff53e8010, cstr_info=cstr_info@entry=0x0) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/t2.c:741
#3  0x00007ffff7bd29ba in tcd_decode_tile (tcd=tcd@entry=0x60e1f0, src=0x16cd600 "\300\374\300\200\001\307\300\374\300\200\a8\300~", len=750, tileno=tileno@entry=0, cstr_info=0x0) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/tcd.c:1385
#4  0x00007ffff7bc12df in j2k_read_eoc (j2k=0x60e050) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c:1695
#5  0x00007ffff7bc24c2 in j2k_decode (j2k=0x60e050, cio=0x60e170, cstr_info=<optimized out>) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c:2027
#6  0x0000000000401f2b in main (argc=<optimized out>, argv=<optimized out>) at /tmp/buildd/openjpeg-1.5.2/applications/codec/j2k_dump.c:458
A debugging session is active.

	Inferior 1 [process 29104] will be killed.

Quit anyway? (y or n) [answered Y; input not from terminal]



 *** id_36489c74785cf854b2fbadb38379f05fdf58b3cd.j2k *** 





Program received signal SIGSEGV, Segmentation fault.
tcd_malloc_decode_tile (tcd=tcd@entry=0x60e1f0, image=0x60e1b0, cp=0x60e0d0, tileno=<optimized out>, tileno@entry=0, cstr_info=<optimized out>) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/tcd.c:839
839	/tmp/buildd/openjpeg-1.5.2/libopenjpeg/tcd.c: No such file or directory.
#0  tcd_malloc_decode_tile (tcd=tcd@entry=0x60e1f0, image=0x60e1b0, cp=0x60e0d0, tileno=<optimized out>, tileno@entry=0, cstr_info=<optimized out>) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/tcd.c:839
#1  0x00007ffff7bc132c in j2k_read_eoc (j2k=0x60e050) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c:1691
#2  0x00007ffff7bc24c2 in j2k_decode (j2k=0x60e050, cio=0x60e170, cstr_info=<optimized out>) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c:2027
#3  0x0000000000401f2b in main (argc=<optimized out>, argv=<optimized out>) at /tmp/buildd/openjpeg-1.5.2/applications/codec/j2k_dump.c:458
A debugging session is active.

	Inferior 1 [process 29197] will be killed.

Quit anyway? (y or n) [answered Y; input not from terminal]



 *** id_c0ab4aa72114becf0cfe65d875541b71f33d5f71.j2k *** 




j2k_dump: /tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c:435: j2k_read_siz: Assertion `n_comps == image->numcomps' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff7543107 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56	../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
#0  0x00007ffff7543107 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff75444e8 in __GI_abort () at abort.c:89
#2  0x00007ffff753c226 in __assert_fail_base (fmt=0x7ffff7672ce8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x7ffff7bd5cf7 "n_comps == image->numcomps", file=file@entry=0x7ffff7bd6058 "/tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c", line=line@entry=435, function=function@entry=0x7ffff7bd6326 <__PRETTY_FUNCTION__.6066> "j2k_read_siz") at assert.c:92
#3  0x00007ffff753c2d2 in __GI___assert_fail (assertion=0x7ffff7bd5cf7 "n_comps == image->numcomps", file=0x7ffff7bd6058 "/tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c", line=435, function=0x7ffff7bd6326 <__PRETTY_FUNCTION__.6066> "j2k_read_siz") at assert.c:101
#4  0x00007ffff7bc1263 in j2k_read_siz (j2k=0x60e050) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c:435
#5  0x00007ffff7bc24c2 in j2k_decode (j2k=0x60e050, cio=0x60e170, cstr_info=<optimized out>) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c:2027
#6  0x0000000000401f2b in main (argc=<optimized out>, argv=<optimized out>) at /tmp/buildd/openjpeg-1.5.2/applications/codec/j2k_dump.c:458
A debugging session is active.

	Inferior 1 [process 29263] will be killed.

Quit anyway? (y or n) [answered Y; input not from terminal]



 *** id_f2a09bfee2caa7d4b0728e845056407ce15a1076.j2k *** 




j2k_dump: /tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c:433: j2k_read_siz: Assertion `(len - 36 - 2 ) % 3 == 0' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff7543107 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56	../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
#0  0x00007ffff7543107 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff75444e8 in __GI_abort () at abort.c:89
#2  0x00007ffff753c226 in __assert_fail_base (fmt=0x7ffff7672ce8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x7ffff7bd5cde "(len - 36 - 2 ) % 3 == 0", file=file@entry=0x7ffff7bd6058 "/tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c", line=line@entry=433, function=function@entry=0x7ffff7bd6326 <__PRETTY_FUNCTION__.6066> "j2k_read_siz") at assert.c:92
#3  0x00007ffff753c2d2 in __GI___assert_fail (assertion=0x7ffff7bd5cde "(len - 36 - 2 ) % 3 == 0", file=0x7ffff7bd6058 "/tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c", line=433, function=0x7ffff7bd6326 <__PRETTY_FUNCTION__.6066> "j2k_read_siz") at assert.c:101
#4  0x00007ffff7bc1244 in j2k_read_siz (j2k=0x60e050) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c:433
#5  0x00007ffff7bc24c2 in j2k_decode (j2k=0x60e050, cio=0x60e170, cstr_info=<optimized out>) at /tmp/buildd/openjpeg-1.5.2/libopenjpeg/j2k.c:2027
#6  0x0000000000401f2b in main (argc=<optimized out>, argv=<optimized out>) at /tmp/buildd/openjpeg-1.5.2/applications/codec/j2k_dump.c:458
A debugging session is active.

	Inferior 1 [process 29343] will be killed.

Quit anyway? (y or n) [answered Y; input not from terminal]


Best regards,
Andreas
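The two SIGABRT cases above come from assert() in j2k_read_siz being used as input validation: a SIZ segment whose Lsiz does not satisfy Lsiz = 38 + 3*Csiz (the `(len - 36 - 2) % 3` and `n_comps == image->numcomps` conditions) aborts the whole process. The validator below is an added illustration, not part of this report or of OpenJPEG's code; it applies the same two consistency checks plus a buffer-bound and subsampling check and returns an error code instead of aborting. Field layout follows JPEG 2000 Part 1; the sample segments are constructed.

```c
/* Illustrative SIZ marker-segment validator (added example, not OpenJPEG code).
 * SIZ layout: Lsiz(2) Rsiz(2) Xsiz,Ysiz,XOsiz,YOsiz,XTsiz,YTsiz,XTOsiz,YTOsiz(8x4)
 * Csiz(2), then Ssiz,XRsiz,YRsiz (3 bytes) per component => Lsiz = 38 + 3*Csiz. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum { SIZ_OK = 0, SIZ_ERR_SHORT = -1, SIZ_ERR_LEN = -2,
       SIZ_ERR_NCOMP = -3, SIZ_ERR_SUBSAMP = -4 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* buf points at Lsiz (just past the 0xFF51 marker); n = bytes available.
 * Returns SIZ_OK and sets *ncomps, or a negative code. Never aborts. */
int siz_validate(const uint8_t *buf, size_t n, unsigned *ncomps)
{
    if (n < 38) return SIZ_ERR_SHORT;                 /* fixed header must be present */
    uint16_t lsiz = rd16(buf);
    if (lsiz < 38 || lsiz > n) return SIZ_ERR_LEN;    /* declared length must fit buffer */
    if ((lsiz - 38) % 3 != 0) return SIZ_ERR_LEN;     /* the j2k.c:433 condition */
    uint16_t csiz = rd16(buf + 36);
    if (csiz == 0 || csiz > 16384) return SIZ_ERR_NCOMP;
    if ((unsigned)(lsiz - 38) / 3 != csiz) return SIZ_ERR_NCOMP; /* the j2k.c:435 condition */
    for (unsigned i = 0; i < csiz; i++) {
        const uint8_t *c = buf + 38 + 3 * i;
        if (c[1] == 0 || c[2] == 0) return SIZ_ERR_SUBSAMP; /* XRsiz/YRsiz of 0 would divide by zero later */
    }
    *ncomps = csiz;
    return SIZ_OK;
}

/* Constructed, well-formed 3-component SIZ segment: 256x256 image, one 256x256 tile. */
static const uint8_t siz_good[47] = {
    0x00, 47,  0, 0,  0,0,1,0,  0,0,1,0,  0,0,0,0,  0,0,0,0,
    0,0,1,0,  0,0,1,0,  0,0,0,0,  0,0,0,0,  0, 3,  7,1,1,  7,1,1,  7,1,1 };

/* Copies siz_good, overrides the low byte of Lsiz and Csiz, and validates. */
static int check_variant(uint8_t lsiz_lo, uint8_t csiz_lo)
{
    uint8_t tmp[47]; unsigned nc = 0;
    memcpy(tmp, siz_good, sizeof tmp);
    tmp[1] = lsiz_lo; tmp[37] = csiz_lo;
    return siz_validate(tmp, sizeof tmp, &nc);
}

int demo_good(void)    { unsigned nc = 0; return siz_validate(siz_good, sizeof siz_good, &nc) == SIZ_OK ? (int)nc : -1; }
int demo_badlen(void)  { return check_variant(46, 3); }   /* (46-38) % 3 != 0 */
int demo_badcomp(void) { return check_variant(47, 4); }   /* Csiz disagrees with Lsiz */
int demo_short(void)   { unsigned nc = 0; return siz_validate(siz_good, 20, &nc); }
```

Each malformed variant maps onto one of the assertion messages in the backtraces above, but a caller receives an error code and can reject the codestream.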


