Integer Overflow at j2k.c:3962

[headshog]

Hi! We've been fuzzing openjpeg with sydr-fuzz security predicates and we found integer overflow error in j2k.c:3962.

In function opj_j2k_merge_ppm at line 3962 integer overflow occurs in variable l_ppm_data_size (the value of l_N_ppm was 4294967295). Also there is a comment that says it can't overflow, but l_N_ppm (returned from opj_read_bytes) turned out to be too big. So I've just added a checked for that overflow, but maybe it is also possible to check for its validity in opj_read_byte.

Environment

• OS: ubuntu 20.04
• commit: 6af3931

How to reproduce this error

1. Build docker container:

   sudo docker build -t oss-sydr-fuzz-openjpeg .
   

2. Run docker container:

   sudo docker run --privileged --network host -v /etc/localtime:/etc/localtime:ro --rm -it -v $PWD:/fuzz oss-sydr-fuzz-openjpeg /bin/bash
   

3. Run on the following input:

    /opj_decompress_fuzzer_J2K_fuzz  sydr_j2k_data.txt
   

4. Output:

   /openjpeg/src/lib/openjp2/j2k.c:3962:37: runtime error: unsigned integer overflow: 1150 + 4294967295 cannot be represented in type 'unsigned int'
   SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /openjpeg/src/lib/openjp2/j2k.c:3962:37