core: fix SEGV in param_qcd due to underflow when num_subbands is 0 #267

Closed
bwendling wants to merge 1 commit into aous72:master from bwendling:underflow

Conversation

@bwendling

In `ojph::local::param_qcd::get_Kmax` and `ojph::local::param_qcd::get_irrev_delta`, a segmentation fault occurred when processing a QCD/QCC marker segment with zero subbands.

When `num_subbands` is 0, the condition `idx >= num_subbands` evaluates to true. The code then attempted to clamp the index using `idx = num_subbands - 1`. Since `num_subbands` is an unsigned 32-bit integer, this resulted in an integer underflow to `0xFFFFFFFF`. Subsequent access to `SPqcd.u8[idx]` caused an out-of-bounds read and a crash.

This patch adds an explicit check for `num_subbands == 0` within the bounds-checking logic. If no subbands are present, it now triggers an `OJPH_ERROR` to safely abort the operation, as a QCD/QCC segment without quantization step sizes is invalid.

Verified that this fix prevents the ASAN SEGV and passes the project's test suite.

Fixes: https://issues.oss-fuzz.com/issues/477315155
Co-authored-by: CodeMender <codemender-patching@google.com>
Signed-off-by: Bill Wendling <morbo@google.com>

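The following is an added example, not OpenJPH's code and not part of the pull request, that reproduces the wrap-around the description explains and places it beside the hardened lookup. The `QcdParams` struct is an assumed stand-in for `param_qcd` (only `num_subbands` and an `SPqcd.u8`-like byte table), `std::invalid_argument` stands in for `OJPH_ERROR`, and the two-entry table and guard-bit count are constructed inputs. `clamp_index_wrapping` only computes the index the original clamp would have produced and never dereferences it, so it is safe to call with zero subbands.

```cpp
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

// Constructed stand-in for the QCD/QCC quantization parameters (assumption:
// this is not OpenJPH's param_qcd, only its shape as the PR text describes it).
struct QcdParams {
  std::uint32_t num_subbands = 0;   // number of SPqcd entries in the segment
  std::vector<std::uint8_t> spqcd;  // stand-in for SPqcd.u8[]
};

// The clamp as the PR description says the original code performed it.
// Only the index is computed here; nothing is dereferenced, so calling this
// with num_subbands == 0 is safe and simply exposes the wrapped value.
std::uint32_t clamp_index_wrapping(std::uint32_t idx, std::uint32_t num_subbands) {
  if (idx >= num_subbands)
    idx = num_subbands - 1;  // 0u - 1 wraps to 0xFFFFFFFF
  return idx;
}

// Hardened lookup: reject an empty table before any arithmetic on its size,
// then clamp. std::invalid_argument stands in for OJPH_ERROR (assumption).
std::uint8_t get_spqcd_u8(const QcdParams& p, std::uint32_t idx) {
  if (p.num_subbands == 0)
    throw std::invalid_argument(
        "QCD/QCC segment carries no quantization step sizes");
  if (idx >= p.num_subbands)
    idx = p.num_subbands - 1;  // cannot wrap: num_subbands >= 1 here
  return p.spqcd.at(idx);      // at() throws rather than reading out of bounds
}

// Kmax for the reversible (no quantization) case, the shape get_Kmax has in
// the PR text: the exponent occupies the top five bits of the 8-bit SPqcd
// entry and Kmax = G + exponent - 1 (JPEG 2000 Annex E). num_guard_bits (G)
// is passed in as a constructed input.
std::uint32_t get_kmax_example(const QcdParams& p, std::uint32_t num_guard_bits,
                               std::uint32_t idx) {
  std::uint32_t exponent = static_cast<std::uint32_t>(get_spqcd_u8(p, idx) >> 3);
  return num_guard_bits + exponent - 1;
}

// Constructed two-subband table: exponents 8 and 9 in the top five bits.
QcdParams sample_table() {
  QcdParams p;
  p.num_subbands = 2;
  p.spqcd = {0x40, 0x48};
  return p;
}

// The check a reviewer would want: does the hardened path refuse an empty
// table instead of wrapping and reading out of bounds?
bool rejects_empty_table() {
  QcdParams empty;  // num_subbands == 0, no entries
  try {
    (void)get_spqcd_u8(empty, 0);
  } catch (const std::invalid_argument&) {
    return true;
  }
  return false;
}

int main() {
  // Wrapped index the original clamp would have produced.
  std::printf("clamp with 0 subbands -> 0x%08X\n", clamp_index_wrapping(0, 0));

  QcdParams p = sample_table();
  std::printf("Kmax(idx=0) = %u, Kmax(idx=7 clamped) = %u\n",
              get_kmax_example(p, 2, 0), get_kmax_example(p, 2, 7));
  std::printf("empty table rejected: %s\n", rejects_empty_table() ? "yes" : "no");
  return 0;
}
```

The zero check has to come before the `num_subbands - 1` subtraction, not after it: once the unsigned value has wrapped, a later `idx < num_subbands` test is still false and gives no protection, which is why the fix lives inside the bounds-checking logic rather than at the call site.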
aous72 (Owner) commented Apr 13, 2026

Hi Bill,

Thank you for putting this PR.

I wonder why this was not captured earlier when the QCD/QCC marker segments are read; there is a check in
https://github.com/bwendling/OpenJPH/blob/67ba46106f19494784decd4e74397eb331b9bf07/src/core/codestream/ojph_params.cpp#L1666
and
https://github.com/bwendling/OpenJPH/blob/67ba46106f19494784decd4e74397eb331b9bf07/src/core/codestream/ojph_params.cpp#L1726

This is worth more investigation. Perhaps, we take it offline.

Cheers,
Aous.

bwendling (Author) commented
Hi Aous,

We (the CodeMender people) actually encountered this while performing fuzzy testing on the openexr project. It looks like they're using OpenJPH v0.26.3. The check you showed seems to be in newer code. This may be d479df2?

If this PR is already covered by that check, then feel free to close this and I apologize for the spammage.

aous72 (Owner) commented Apr 13, 2026

Thank you for the feedback.
I guess it is my fault. I should have released a new version.

aous72 (Owner) commented Apr 13, 2026

Please reopen this if the problem persists. Thank you.

aous72 closed this Apr 13, 2026