Floating Point Errors

[rwhitworth]

Hello, I was using American Fuzzy Lop (afl-fuzz) to fuzz input to the opj_decompress program on Linux. Is fixing the crashes from these input files something you're interested in? The input files can be found here: https://github.com/rwhitworth/openjpeg-fuzz/tree/master/2017-05-23.

The files can be executed as opj_decompress -i id_filename -o /tmp/output.tif to cause floating point exceptions. The version of opj_decompress was from commit 83d7a6d.

The three files from that repo to investigate for FPE are:
id:000019,sig:08,src:001098,op:flip1,pos:49
id:000026,sig:08,src:002419,op:int32,pos:60,val:+32
id:000098,sig:11,src:005411,op:havoc,rep:2

Each looks to be a different root cause. Valgrind output to follow.

Let me know if I can provide any more information to help narrow down this issue.

[rwhitworth]

id:000019,sig:08,src:001098,op:flip1,pos:49:

==4034051== Memcheck, a memory error detector
==4034051== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==4034051== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==4034051== Command: /root/openjpeg/build/bin/opj_decompress -i id:000019,sig:08,src:001098,op:flip1,pos:49 -o /tmp/output.tif
==4034051==
===========================================
The extension of this file is incorrect.
FOUND s:49. SHOULD BE .j2k or .jpc or .j2c
===========================================
==4034051==
==4034051== Process terminating with default action of signal 8 (SIGFPE)
==4034051==  Integer divide by zero at address 0x803FD30E7
==4034051==    at 0x4EA22C1: opj_pi_next_cprl (pi.c:564)
==4034051==    by 0x4EA22C1: opj_pi_next (pi.c:1938)
==4034051==    by 0x4ECF04C: opj_t2_decode_packets (t2.c:424)
==4034051==    by 0x4EDA616: opj_tcd_t2_decode (tcd.c:1636)
==4034051==    by 0x4EDA616: opj_tcd_decode_tile (tcd.c:1386)
==4034051==    by 0x4E5EFD0: opj_j2k_decode_tile (j2k.c:8604)
==4034051==    by 0x4E76DDA: opj_j2k_decode_tiles (j2k.c:10303)
==4034051==    by 0x4E5B09D: opj_j2k_exec (j2k.c:7783)
==4034051==    by 0x4E63055: opj_j2k_decode (j2k.c:10522)
==4034051==    by 0x4E966B4: opj_decode (openjpeg.c:441)
==4034051==    by 0x406312: main (opj_decompress.c:1435)
[INFO] Start to read j2k main header (0).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Psot value of the current tile-part is equal to zero, we assuming it is the last tile-part of the codestream.
[INFO] Header of tile 1 / 1 has been read.
[WARNING] Not enough space for expected SOP marker
[WARNING] Not enough space for expected SOP marker
==4034051==
==4034051== HEAP SUMMARY:
==4034051==     in use at exit: 1,171,097 bytes in 139 blocks
==4034051==   total heap usage: 146 allocs, 7 frees, 1,173,361 bytes allocated
==4034051==
==4034051== LEAK SUMMARY:
==4034051==    definitely lost: 0 bytes in 0 blocks
==4034051==    indirectly lost: 0 bytes in 0 blocks
==4034051==      possibly lost: 0 bytes in 0 blocks
==4034051==    still reachable: 1,171,097 bytes in 139 blocks
==4034051==         suppressed: 0 bytes in 0 blocks
==4034051== Rerun with --leak-check=full to see details of leaked memory
==4034051==
==4034051== For counts of detected and suppressed errors, rerun with: -v
==4034051== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

id:000026,sig:08,src:002419,op:int32,pos:60,val:+32:

==4040734== Memcheck, a memory error detector
==4040734== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==4040734== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==4040734== Command: /root/openjpeg/build/bin/opj_decompress -i id:000026,sig:08,src:002419,op:int32,pos:60,val:+32 -o /tmp/output.tif
==4040734==
===========================================
The extension of this file is incorrect.
FOUND :+32. SHOULD BE .j2k or .jpc or .j2c
===========================================
==4040734==
==4040734== Process terminating with default action of signal 8 (SIGFPE)
==4040734==  Integer divide by zero at address 0x803FD71EF
==4040734==    at 0x4EA0DA5: opj_pi_next_rpcl (pi.c:372)
==4040734==    by 0x4EA0DA5: opj_pi_next (pi.c:1934)
==4040734==    by 0x4ECF04C: opj_t2_decode_packets (t2.c:424)
==4040734==    by 0x4EDA616: opj_tcd_t2_decode (tcd.c:1636)
==4040734==    by 0x4EDA616: opj_tcd_decode_tile (tcd.c:1386)
==4040734==    by 0x4E5EFD0: opj_j2k_decode_tile (j2k.c:8604)
==4040734==    by 0x4E76DDA: opj_j2k_decode_tiles (j2k.c:10303)
==4040734==    by 0x4E5B09D: opj_j2k_exec (j2k.c:7783)
==4040734==    by 0x4E63055: opj_j2k_decode (j2k.c:10522)
==4040734==    by 0x4E966B4: opj_decode (openjpeg.c:441)
==4040734==    by 0x406312: main (opj_decompress.c:1435)
[INFO] Start to read j2k main header (0).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Psot value of the current tile-part is equal to zero, we assuming it is the last tile-part of the codestream.
[INFO] Header of tile 1 / 1 has been read.
==4040734==
==4040734== HEAP SUMMARY:
==4040734==     in use at exit: 1,264,049 bytes in 157 blocks
==4040734==   total heap usage: 164 allocs, 7 frees, 1,266,313 bytes allocated
==4040734==
==4040734== LEAK SUMMARY:
==4040734==    definitely lost: 0 bytes in 0 blocks
==4040734==    indirectly lost: 0 bytes in 0 blocks
==4040734==      possibly lost: 0 bytes in 0 blocks
==4040734==    still reachable: 1,264,049 bytes in 157 blocks
==4040734==         suppressed: 0 bytes in 0 blocks
==4040734== Rerun with --leak-check=full to see details of leaked memory
==4040734==
==4040734== For counts of detected and suppressed errors, rerun with: -v
==4040734== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

id:000098,sig:11,src:005411,op:havoc,rep:2:

==4047654== Memcheck, a memory error detector
==4047654== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==4047654== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==4047654== Command: /root/openjpeg/build/bin/opj_decompress -i id:000098,sig:11,src:005411,op:havoc,rep:2 -o /tmp/output.tif
==4047654==
===========================================
The extension of this file is incorrect.
FOUND ep:2. SHOULD BE .j2k or .jpc or .j2c
===========================================
==4047654== Invalid read of size 2
==4047654==    at 0x4EA0481: opj_pi_next_lrcp (pi.c:262)
==4047654==    by 0x4EA0481: opj_pi_next (pi.c:1930)
==4047654==    by 0x4ED027F: opj_t2_decode_packets (t2.c:424)
==4047654==    by 0x4EDA616: opj_tcd_t2_decode (tcd.c:1636)
==4047654==    by 0x4EDA616: opj_tcd_decode_tile (tcd.c:1386)
==4047654==    by 0x4E5EFD0: opj_j2k_decode_tile (j2k.c:8604)
==4047654==    by 0x4E76DDA: opj_j2k_decode_tiles (j2k.c:10303)
==4047654==    by 0x4E5B09D: opj_j2k_exec (j2k.c:7783)
==4047654==    by 0x4E63055: opj_j2k_decode (j2k.c:10522)
==4047654==    by 0x4E966B4: opj_decode (openjpeg.c:441)
==4047654==    by 0x406312: main (opj_decompress.c:1435)
==4047654==  Address 0x5eff17e is 2 bytes after a block of size 12 alloc'd
==4047654==    at 0x4C2AD10: calloc (vg_replace_malloc.c:623)
==4047654==    by 0x4EE37E6: opj_calloc (opj_malloc.c:204)
==4047654==    by 0x4E98975: opj_pi_create_decode (pi.c:1303)
==4047654==    by 0x4ECEEF7: opj_t2_decode_packets (t2.c:394)
==4047654==    by 0x4EDA616: opj_tcd_t2_decode (tcd.c:1636)
==4047654==    by 0x4EDA616: opj_tcd_decode_tile (tcd.c:1386)
==4047654==    by 0x4E5EFD0: opj_j2k_decode_tile (j2k.c:8604)
==4047654==    by 0x4E76DDA: opj_j2k_decode_tiles (j2k.c:10303)
==4047654==    by 0x4E5B09D: opj_j2k_exec (j2k.c:7783)
==4047654==    by 0x4E63055: opj_j2k_decode (j2k.c:10522)
==4047654==    by 0x4E966B4: opj_decode (openjpeg.c:441)
==4047654==    by 0x406312: main (opj_decompress.c:1435)
==4047654==
==4047654== Invalid write of size 2
==4047654==    at 0x4EA05A9: opj_pi_next_lrcp (pi.c:263)
==4047654==    by 0x4EA05A9: opj_pi_next (pi.c:1930)
==4047654==    by 0x4ED027F: opj_t2_decode_packets (t2.c:424)
==4047654==    by 0x4EDA616: opj_tcd_t2_decode (tcd.c:1636)
==4047654==    by 0x4EDA616: opj_tcd_decode_tile (tcd.c:1386)
==4047654==    by 0x4E5EFD0: opj_j2k_decode_tile (j2k.c:8604)
==4047654==    by 0x4E76DDA: opj_j2k_decode_tiles (j2k.c:10303)
==4047654==    by 0x4E5B09D: opj_j2k_exec (j2k.c:7783)
==4047654==    by 0x4E63055: opj_j2k_decode (j2k.c:10522)
==4047654==    by 0x4E966B4: opj_decode (openjpeg.c:441)
==4047654==    by 0x406312: main (opj_decompress.c:1435)
==4047654==  Address 0x5eff17e is 2 bytes after a block of size 12 alloc'd
==4047654==    at 0x4C2AD10: calloc (vg_replace_malloc.c:623)
==4047654==    by 0x4EE37E6: opj_calloc (opj_malloc.c:204)
==4047654==    by 0x4E98975: opj_pi_create_decode (pi.c:1303)
==4047654==    by 0x4ECEEF7: opj_t2_decode_packets (t2.c:394)
==4047654==    by 0x4EDA616: opj_tcd_t2_decode (tcd.c:1636)
==4047654==    by 0x4EDA616: opj_tcd_decode_tile (tcd.c:1386)
==4047654==    by 0x4E5EFD0: opj_j2k_decode_tile (j2k.c:8604)
==4047654==    by 0x4E76DDA: opj_j2k_decode_tiles (j2k.c:10303)
==4047654==    by 0x4E5B09D: opj_j2k_exec (j2k.c:7783)
==4047654==    by 0x4E63055: opj_j2k_decode (j2k.c:10522)
==4047654==    by 0x4E966B4: opj_decode (openjpeg.c:441)
==4047654==    by 0x406312: main (opj_decompress.c:1435)
==4047654==
ERROR -> opj_decompress: failed to decode image!
[INFO] Start to read j2k main header (0).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Header of tile 1 / 1 has been read.
[ERROR] skip: segment too long (154) with max (44) for codeblock 3 (p=0, b=0, r=0, c=1)
[ERROR] Failed to decode.
[ERROR] Failed to decode tile 1/1
==4047654==
==4047654== HEAP SUMMARY:
==4047654==     in use at exit: 0 bytes in 0 blocks
==4047654==   total heap usage: 118 allocs, 118 frees, 1,173,145 bytes allocated
==4047654==
==4047654== All heap blocks were freed -- no leaks are possible
==4047654==
==4047654== For counts of detected and suppressed errors, rerun with: -v
==4047654== ERROR SUMMARY: 15 errors from 2 contexts (suppressed: 0 from 0)

[szukw000]

@rwhitworth ,

See: #882

opj_decompress -i id_000004,sig_06,src_000679,op_arith8,pos_49,val_-17 -o test1.png

[INFO] Start to read j2k main header (0).
[ERROR] Invalid precision and/or sgnd values for comp[2]:
[0] prec(18) sgnd(1) [2] prec(5) sgnd(1)
[ERROR] Marker handler function failed to read the marker segment
ERROR -> opj_decompress: failed to read the header

[INFO] Start to read j2k main header (0).
[ERROR] Invalid precision and/or sgnd values for comp[2]:
[0] prec(18) sgnd(1) [2] prec(5) sgnd(1)
[ERROR] Marker handler function failed to read the marker segment
ERROR -> opj_decompress: failed to read the header

opj_decompress -i id_000020,sig_06,src_001958,op_flip4,pos_149 -o test.png

[INFO] Start to read j2k main header (0).
[ERROR] Invalid precision and/or sgnd values for comp[1]:
[0] prec(2) sgnd(1) [1] prec(18) sgnd(1)
[ERROR] Marker handler function failed to read the marker segment
ERROR -> opj_decompress: failed to read the header

opj_decompress -i id_000026,sig_08,src_002419,op_int32,pos_60,val_+32 -o test.png

[INFO] Start to read j2k main header (0).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Psot value of the current tile-part is equal to zero, we assuming it is the last tile-part of the codestream.
[INFO] Header of tile 1 / 1 has been read.
[INFO] Tile 1/1 has been decoded.
[INFO] Image data has been updated with tile 1.

/sources/LIB/IMAGE_FORMATS/OPENJPEG/VERSION-2.2/openjpeg2-2017-05-11-1/src/bin/common/color.c:350:color_sycc_to_rgb
CAN NOT CONVERT
imagetopng: All components shall have the same subsampling, same bit depth, same sign.
Aborting
[ERROR] Error generating png file. Outfile test.png not generated

opj_decompress -i id_000034,sig_11,src_003240,op_flip1,pos_22 -o test.png

[INFO] Start to read j2k main header (0).
[ERROR] Invalid precision and/or sgnd values for comp[2]:
[0] prec(18) sgnd(1) [2] prec(5) sgnd(1)
[ERROR] Marker handler function failed to read the marker segment
ERROR -> opj_decompress: failed to read the header

opj_decompress -i id_000098,sig_11,src_005411,op_havoc,rep_2 -o test.png

[INFO] Start to read j2k main header (0).
[ERROR] Invalid precision and/or sgnd values for comp[2]:
[0] prec(18) sgnd(1) [2] prec(5) sgnd(1)
[ERROR] Marker handler function failed to read the marker segment
ERROR -> opj_decompress: failed to read the header

opj_decompress -i id_000167,sig_11,src_006079,op_havoc,rep_4 -o test.png

[INFO] Start to read j2k main header (0).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
ERROR -> opj_decompress: failed to decode image!

[szukw000]

@rwhitworth ,

See: #882

opj_decompress -i id_000004,sig_06,src_000679,op_arith8,pos_49,val_-17 -o test1.png

[INFO] Start to read j2k main header (0).
[ERROR] Invalid precision and/or sgnd values for comp[2]:
[0] prec(18) sgnd(1) [2] prec(5) sgnd(1)
[ERROR] Marker handler function failed to read the marker segment
ERROR -> opj_decompress: failed to read the header

[INFO] Start to read j2k main header (0).
[ERROR] Invalid precision and/or sgnd values for comp[2]:
[0] prec(18) sgnd(1) [2] prec(5) sgnd(1)
[ERROR] Marker handler function failed to read the marker segment
ERROR -> opj_decompress: failed to read the header

opj_decompress -i id_000020,sig_06,src_001958,op_flip4,pos_149 -o test.png

[INFO] Start to read j2k main header (0).
[ERROR] Invalid precision and/or sgnd values for comp[1]:
[0] prec(2) sgnd(1) [1] prec(18) sgnd(1)
[ERROR] Marker handler function failed to read the marker segment
ERROR -> opj_decompress: failed to read the header

opj_decompress -i id_000026,sig_08,src_002419,op_int32,pos_60,val_+32 -o test.png

[INFO] Start to read j2k main header (0).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Psot value of the current tile-part is equal to zero, we assuming it is the last tile-part of the codestream.
[INFO] Header of tile 1 / 1 has been read.
[INFO] Tile 1/1 has been decoded.
[INFO] Image data has been updated with tile 1.

/sources/LIB/IMAGE_FORMATS/OPENJPEG/VERSION-2.2/openjpeg2-2017-05-11-1/src/bin/common/color.c:350:color_sycc_to_rgb
CAN NOT CONVERT
imagetopng: All components shall have the same subsampling, same bit depth, same sign.
Aborting
[ERROR] Error generating png file. Outfile test.png not generated

opj_decompress -i id_000034,sig_11,src_003240,op_flip1,pos_22 -o test.png

[INFO] Start to read j2k main header (0).
[ERROR] Invalid precision and/or sgnd values for comp[2]:
[0] prec(18) sgnd(1) [2] prec(5) sgnd(1)
[ERROR] Marker handler function failed to read the marker segment
ERROR -> opj_decompress: failed to read the header

opj_decompress -i id_000098,sig_11,src_005411,op_havoc,rep_2 -o test.png

[INFO] Start to read j2k main header (0).
[ERROR] Invalid precision and/or sgnd values for comp[2]:
[0] prec(18) sgnd(1) [2] prec(5) sgnd(1)
[ERROR] Marker handler function failed to read the marker segment
ERROR -> opj_decompress: failed to read the header

opj_decompress -i id_000167,sig_11,src_006079,op_havoc,rep_4 -o test.png

[INFO] Start to read j2k main header (0).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
ERROR -> opj_decompress: failed to decode image!

[rwhitworth]

It looks like this project is dead despite the activity. The Github Issues area is largely ignored and submitted patches like #882 are ignored for 6+ months.

#965 was a pretty good troll, honestly. topkek.

[rouault]

The issues with the 3 above mentioned files have now been fixed. Closing this ticket. Remaining files of https://github.com/rwhitworth/openjpeg-fuzz/tree/master/2017-05-23 are dealt by #939

Note: qualifying someone else's work as a "pretty good troll" isn't something I would expect in civil communication. I can understand the frustration for issues not being fixed or pull request reviewed in a timely fashion, but like every project, either volunteers or funded members have limited time and different priorities to manage. Keeping a good atmosphere is important so that people have motivation keeping invested time in the project. Thanks