Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Strengthen integer overflow check in opj_pi_create_decode #825

Closed
wants to merge 13 commits into from
Closed

Strengthen integer overflow check in opj_pi_create_decode #825

wants to merge 13 commits into from

Conversation

trylab
Copy link
Contributor

@trylab trylab commented Sep 8, 2016

The crash still happens!!!

l_tcp->numlayers and l_step_l are both OPJ_UINT32 type variables. Thus using SIZE_MAX or ((size_t)-1) to check integer overflow is insufficient. We should use (OPJ_UINT32)-1 here.

trylab and others added 13 commits August 16, 2016 17:22
@trylab
Fix an integer overflow issue
713429b 
Prevent an integer overflow issue in function opj_pi_create_decode of
pi.c.
@trylab
Fix an integer overflow issue
7f703c6 
Making it more secure to call opj_calloc.
@trylab
Fix an integer overflow issue
a65c945 
Remove header file limits.h
@trylab
Fix an integer overflow issue
79a397d 
Replace OPJ_UINT32 with SIZE_MAX
@trylab
Fix integer overflow in opj_pi_create_decode
7816ec3 
Simplify code
@mayeut @trylab
Switch to clang 3.8 (#814)
5e4238f 
clang 3.9 is currently unavailable for precise through apt
@stweil @trylab
Add .gitignore (#787)
c9a4e2c 
Ignore all files and directories which are generated by `cmake . && make`.

Signed-off-by: Stefan Weil <[email protected]>
@mayeut @trylab
Change 'restrict' define to 'OPJ_RESTRICT' (#816)
51155a5 
Visual Studio 2015 does not pass regression tests with `__restrict` so kept disabled for MSVC.
Need to check proper usage of OPJ_RESTRICT (if correct then there’s
probably a bug  in vc14)

Closes #661
@mayeut @trylab
Add overflow check in opj_j2k_update_image_data (#817)
df41722
@mayeut @trylab
Fix leak & invalid behavior of opj_jp2_read_ihdr (#818)
24e6c30 
In case multiple ihdr box are present, only the first one shall be
taken into account.
@trylab
Merge remote-tracking branch 'refs/remotes/uclouvain/master'
7a8209a
@trylab
Merge remote-tracking branch 'upstream/master'
865da86
@trylab
Strengthen integer overflow check in opj_pi_create_decode
2cbad4f 
l_tcp->numlayers and l_step_l are both OPJ_UINT32 type variables. Thus
using SIZE_MAX or ((size_t)-1) to check integer overflow is
insufficient. We should use (OPJ_UINT32)-1 here.
@trylab trylab mentioned this pull request Sep 8, 2016
Merged
@stweil
Copy link
Contributor

stweil commented Sep 8, 2016

Could you please test the current code with this modification:

l_current_pi->include = (OPJ_INT16*) opj_calloc(((size_t)l_tcp->numlayers +1) * l_step_l, sizeof(OPJ_INT16));

The type cast is needed because otherwise addition and multiplication are done using 32 bit. The result is converted to size_t and passed to opj_calloc.

@mayeut
Copy link
Collaborator

mayeut commented Sep 8, 2016
edited
Loading

@trylab,

@stweil is right see ef01f18

Once verified with latest commit, could you share your POC file so that it can be added to the test suite please.

@trylab
Copy link
Contributor Author

trylab commented Sep 8, 2016

@mayeut I opened (and closed) a issue to track it. You can get a POC at #826

@mayeut
Copy link
Collaborator

mayeut commented Sep 8, 2016

Adding data to the test suite in progress.
Thanks

@mayeut mayeut closed this Sep 8, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@trylab @stweil @mayeut