Integer Overflow in openjpeg/openjp2/image.c #22284
Description
System information (version)
- OpenCV version => a42b355 (4.x)
- Operating System => Ubuntu 20.04
- Compiler => clang-14
Detailed description
Hi! We've been fuzzing your project and found integer overflow error in your 3d party project openjpeg in opencv/3rdparty/openjpeg/openjp2/image.c:134:
l_y1 = p_cp->ty0 + (p_cp->th - 1U) * p_cp->tdy; /* can't overflow */
Overflow occurs both in addition and multiplication operations. Comment says overflow cannot occur, but actually it can.
Steps to reproduce
-
Build docker container from here: https://github.com/ispras/oss-sydr-fuzz/tree/master/projects/opencv
sudo docker build -t oss-sydr-fuzz-opencv . -
Run docker container:
sudo docker run --rm -v `pwd`:/fuzz -it oss-sydr-fuzz-opencv /bin/bash -
Run
imdecode_fuzzertarget on pinned input
sydr_b9c0c566285af1d73e93f3e8ba9f4c3a06df0215_int_overflow_24_unsigned.txt/out/imdecode_fuzzer /fuzz/imdecode-out/security-verified/sydr_b9c0c566285af1d73e93f3e8ba9f4c3a06df0215_int_overflow_24_unsigned -
You will see following sanitizer output:
/opencv/3rdparty/openjpeg/openjp2/image.c:134:40: runtime error: unsigned integer overflow: 2 * 4278190076 cannot be represented in type 'unsigned int' SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /opencv/3rdparty/openjpeg/openjp2/image.c:134:40 in /opencv/3rdparty/openjpeg/openjp2/image.c:134:22: runtime error: unsigned integer overflow: 50331631 + 4261412856 cannot be represented in type 'unsigned int' SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /opencv/3rdparty/openjpeg/openjp2/image.c:134:22 in