Malicious files can cause the program to enter a large loop

[pic4xiu]

Maliciously constructed pictures can cause the program to enter a large loop and continuously print warning messages on the terminal.

Expected behavior and actual behavior.

Program file format error, parsing failed~

But the program enters a big loop and keeps printing in the terminal:

...
[WARNING] Not enough space for expected EPH marker
[WARNING] Not enough space for expected SOP marker
[WARNING] Not enough space for expected EPH marker
[WARNING] Not enough space for expected SOP marker
[WARNING] Not enough space for expected EPH marker
[WARNING] Not enough space for expected SOP marker
[WARNING] Not enough space for expected EPH marker
[WARNING] Not enough space for expected SOP marker
...

I tested it with ubuntu, and the program ran for more than 4 hours.

Steps to reproduce the problem.

the poc is here

Run: opj_decompress -i bigloop -o te.raw

Maybe the memory must be at least greater than 8g to ensure successful reproduction.

Operating system

Ubuntu, macos, windows are all available

openjpeg version

OpenJPEG 2.5.0

[pedrohc]

CVE-2023-39327 was assigned to this flaw. If you wish to dispute or reject please let me know.

[fundawang]

could anyone confirm that this issue was fixed by pull#1547?

[jubalh]

@fundawang the POC is mentioned above. Just run it and report back.

[mayeut]

The pull request confirms that it's not fixed in its description. A slight modification of the PoC allows to trigger the behavior.

[tariqmchoudhry]

Does anyone has a work around or a fix ready for this issues?

[anthonymingo]

Is there a fix for this issue yet or will there be one forthcoming anytime soon? Opening a CVE for an issue and letting it hang out for months/years is not really helpful for applications/companies that are using OpenJPEG and are required to react to those CVEs in a specific timeframe.

[rouault]

Opening a CVE for an issue and letting it hang out for months/years is not really helpful for applications/companies that are using OpenJPEG and are required to react to those CVEs in a specific timeframe.

How many $$$$$$ do they offer to fix it ? As far as I'm concerned, I don't care at all about companies using OpenJPEG. That's their problem, not mine.

[sebras]

The pull request confirms that it's not fixed in its description. A slight modification of the PoC allows to trigger the behavior.

@mayeut can you provide the file with that slight modification? also how did you know what to alter in the file?

[tariqmchoudhry]

How is OpenJPEG being invoked with these POC images? I have attempted to embed POC image(s) in a PDF file and Adobe rejects it right away, no loops no issues.

[fuowang]

The pull request confirms that it's not fixed in its description. A slight modification of the PoC allows to trigger the behavior.

@mayeut can you provide the file with that slight modification? also how did you know what to alter in the file?
Thanks!

[mayeut]

I did not keep the file. see #1547 (comment) for the modification required.

[xcawolfe-amzn]

Hi All, I looking to see if this PR could help with this issue #1616, lmk what you all think.