jp2ksave: prevent heap buffer overflow on non-RGB images #5030

Open
dloebl wants to merge 3 commits into libvips:8.18 from dloebl:fix-jp2ksave-ycc-save-oob-read

@dloebl dloebl commented May 2, 2026

Similar to #5020, there is an OOB read/write (heap buffer overflow) in the save_as_ycc path if the input image isn't RGB. The Bands == 3 check that is already present in vips__foreign_save_jp2k_compress has to be applied to the regular jp2ksave build as well:

```c
save_as_ycc = save_as_ycc && region->im->Bands == 3;
```

Reproducer:

```
./build-asan/tools/vips black --bands 1 out.jp2"[subsample-mode=on]" 32 32
==74562==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a000000ac7 at pc 0x00010523b4d8 bp 0x00016bd76980 sp 0x00016bd76978
READ of size 1 at 0x61a000000ac7 thread T11
    #0 0x00010523b4d4 in vips_foreign_save_jp2k_rgb_to_ycc+0xd48 (libvips.42.dylib:arm64+0x474d4)
    #1 0x00010523d6e0 in vips_foreign_save_jp2k_write_block+0x36c (libvips.42.dylib:arm64+0x496e0)
    #2 0x000105695e6c in wbuffer_write_thread+0x134 (libvips.42.dylib:arm64+0x4a1e6c)
    #3 0x00010565c294 in vips_threadset_work+0x168 (libvips.42.dylib:arm64+0x468294)
    #4 0x00010565b230 in vips_thread_run+0x50 (libvips.42.dylib:arm64+0x467230)
    #5 0x0001048b58dc in g_thread_proxy+0x50 (libglib-2.0.0.dylib:arm64+0x558dc)
    #6 0x000105e02418 in asan_thread_start(void*)+0x4c (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3a418)
    #7 0x00018d939c04 in _pthread_start+0x84 (libsystem_pthread.dylib:arm64e+0x6c04)
    #8 0x00018d934ba4 in thread_start+0x4 (libsystem_pthread.dylib:arm64e+0x1ba4)
```

@dloebl dloebl force-pushed the fix-jp2ksave-ycc-save-oob-read branch from 0e43bca to 7eaec98 on May 2, 2026 19:37
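
Why the `Bands == 3` guard matters, as an added stand-alone C example (not libvips code and not part of the PR): a converter that walks a tile three samples per pixel touches 3 bytes per pixel regardless of how many bands the tile actually holds. `rgb_to_ycc`, `write_tile`, `ycc_span`, `tile_size` and the conversion coefficients are hypothetical and assumed for illustration; the 32x32 tile is constructed input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical in-place converter: it reads and writes exactly 3 samples
 * per pixel, whatever the real band count of the buffer is. */
static void rgb_to_ycc(uint8_t *p, size_t n_pixels)
{
	for (size_t i = 0; i < n_pixels; i++, p += 3) {
		int r = p[0], g = p[1], b = p[2];
		p[0] = (uint8_t) ((77 * r + 150 * g + 29 * b) / 256);
		p[1] = (uint8_t) (128 + (-43 * r - 85 * g + 128 * b) / 256);
		p[2] = (uint8_t) (128 + (128 * r - 107 * g - 21 * b) / 256);
	}
}

/* Bytes the converter touches vs. bytes the tile really holds. */
static size_t ycc_span(size_t n_pixels) { return 3 * n_pixels; }
static size_t tile_size(size_t n_pixels, int bands) { return (size_t) bands * n_pixels; }

/* Returns 1 if the YCC conversion ran, 0 if the guard turned it off. */
static int write_tile(uint8_t *tile, size_t n_pixels, int bands, int save_as_ycc)
{
	/* Same shape as the guard quoted in the PR description. */
	save_as_ycc = save_as_ycc && bands == 3;
	if (save_as_ycc)
		rgb_to_ycc(tile, n_pixels);
	return save_as_ycc;
}

int main(void)
{
	size_t n = 32 * 32; /* constructed input: one 32x32 tile */
	for (int bands = 1; bands <= 4; bands++) {
		uint8_t *tile = calloc(n, (size_t) bands);
		if (!tile)
			return 1;
		int ran = write_tile(tile, n, bands, 1);
		printf("bands=%d tile=%zu bytes, converter span=%zu bytes, ycc=%s\n",
			bands, tile_size(n, bands), ycc_span(n), ran ? "on" : "off");
		free(tile);
	}
	return 0;
}
```

For 1 or 2 bands the converter's span exceeds the tile allocation, which is the out-of-bounds access class ASan reports above; for 4 bands it stays in bounds but would mix samples across pixels, so the guard disables it there too.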