Integer Overflow at j2k.c:9614

[headshog]

Hi! I've been fuzzing openjpeg with sydr-fuzz security predicates and I found integer overflow error in j2k.c:9614.

In function opj_j2k_read_tile_header at line 9614 integer overflow occurs when value l_marker_size + 2 is subtracted from variable p_j2k->m_specific_param.m_decoder.m_sot_length and value from this variable is less than l_marker_size + 2. So here i decided just to add a checker for valid data.

Environment

• OS: ubuntu 20.04
• commit: 70e6263

How to reproduce this error

1. Build docker container:

   sudo docker build -t oss-sydr-fuzz-openjpeg .
   

2. Run docker container:

   sudo docker run --privileged --network host -v /etc/localtime:/etc/localtime:ro --rm -it -v $PWD:/fuzz oss-sydr-fuzz-openjpeg /bin/bash
   

3. Run on the following input:

    /opj_decompress_fuzzer_JP2_fuzz sydr_j2k.txt
   

4. Output:

   /home/ubuntu/headshog/openjpeg_build/openjpeg/src/lib/openjp2/j2k.c:9614:64: runtime error: unsigned integer overflow: 147 - 149 cannot be represented in type 'unsigned int'
   SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /home/ubuntu/headshog/openjpeg_build/openjpeg/src/lib/openjp2/j2k.c:9614:64
   

[rouault]

the macos failure is unrelated and will be fixed per #1531