
Stack buffer overflow in opj_decompress -OutFor option parsing #1641

Description

@Bin-infinite

This report was generated by AI and manually verified.

Summary

src/bin/jp2/opj_decompress.c::parse_cmdline_decoder
copies the user-controlled -OutFor argument into a fixed 50-byte stack buffer
using sprintf. An oversized -OutFor value overflows the outformat buffer
before image decoding starts.

The issue was reproduced by running the sanitizer-built opj_decompress
executable. ASan reports a stack-buffer-overflow in parse_cmdline_decoder at
src/bin/jp2/opj_decompress.c:699.

Affected Code

  • File: src/bin/jp2/opj_decompress.c
  • Function: parse_cmdline_decoder
  • Option: -OutFor
  • Vulnerable buffer: char outformat[50]
  • Vulnerable call: sprintf(outformat, ".%s", of)

Impact

A local command-line argument can corrupt stack memory in opj_decompress.
Because the vulnerable path is reached during option parsing, no valid image
input is required.

Reproduction

PoC and evidence are available under:

Run:

payload="$(tr -d '\n' < row-validation-output/case-005/inputs/outfor_128.txt)"
ASAN_OPTIONS=abort_on_error=1:symbolize=1:detect_leaks=0:allocator_may_return_null=1 \
  build/bin/opj_decompress -OutFor "$payload"

The project accepts this option with a single hyphen (-OutFor).

Sanitizer Evidence

Representative ASan output:

=================================================================
==1260158==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7d5585300202
WRITE of size 130 at 0x7d5585300202 thread T0
    #0 0x641034e315ff in vsprintf (.../build/bin/opj_decompress+0x9b5ff)
    #1 0x641034e326fe in sprintf (.../build/bin/opj_decompress+0x9c6fe)
    #2 0x641034ee6882 in parse_cmdline_decoder /home/kery-qi/yf/openjpeg/src/bin/jp2/opj_decompress.c:699:13
    #3 0x641034eea375 in main /home/kery-qi/yf/openjpeg/src/bin/jp2/opj_decompress.c:1365:9

Address 0x7d5585300202 is located in stack of thread T0 at offset 514 in frame
    #0 0x641034ee6387 in parse_cmdline_decoder /home/kery-qi/yf/openjpeg/src/bin/jp2/opj_decompress.c:597

  This frame has 6 object(s):
    [464, 514) 'outformat' (line 697) <== Memory access at offset 514 overflows this variable

SUMMARY: AddressSanitizer: stack-buffer-overflow (.../build/bin/opj_decompress+0x9b5ff) in vsprintf

The overflow was reproduced in repeated executable runs.

Root Cause

The -OutFor option value is fully controlled by the caller. The code prepends
a dot and writes it into outformat[50] using unbounded sprintf, so any value
longer than the available buffer capacity overflows the stack object.

Suggested Fix

Replace the unbounded sprintf with checked formatting. For example, reject
values where strlen(of) + 2 > sizeof(outformat), or use a bounded format call
and treat truncation as an option parsing error.
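The bounded variant of this option handling, as an added example that is not OpenJPEG's code: set_outformat and parse_outfor are hypothetical stand-ins for the -OutFor branch of parse_cmdline_decoder, OUTFORMAT_CAP mirrors the 50-byte stack buffer from the report, and both checks named in the suggested fix are applied (an explicit strlen(of) + 2 > sizeof(outformat) test, then snprintf with its return value inspected so truncation becomes a parse error instead of a silent write past the buffer).

```c
#include <stdio.h>
#include <string.h>

/* Same size as the outformat[50] stack buffer described in the report. */
#define OUTFORMAT_CAP 50

/* Hypothetical helper (not the project's code): build ".<of>" into a
 * fixed buffer of cap bytes. Returns 0 on success, -1 if the value does
 * not fit (leading dot + value + terminating NUL). On failure the buffer
 * is left empty so a caller can never use a truncated suffix. */
int set_outformat(char *outformat, size_t cap, const char *of)
{
    int n;

    if (outformat == NULL || cap == 0 || of == NULL) {
        return -1;
    }
    outformat[0] = '\0';

    /* Explicit length check: dot + value + NUL must fit in cap bytes. */
    if (strlen(of) + 2 > cap) {
        return -1;
    }

    /* snprintf never writes more than cap bytes. Its return value is the
     * length the full string would have had, so n >= cap means truncation
     * and is treated as an error rather than accepted. */
    n = snprintf(outformat, cap, ".%s", of);
    if (n < 0 || (size_t)n >= cap) {
        outformat[0] = '\0';
        return -1;
    }
    return 0;
}

/* Hypothetical stand-in for the -OutFor branch of the option parser:
 * scans argv for "-OutFor <value>". Returns 0 when the option is absent
 * or accepted, 1 on an option-parsing error (missing or oversized value). */
int parse_outfor(int argc, char **argv, char *outformat, size_t cap)
{
    int i;

    outformat[0] = '\0';
    for (i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-OutFor") == 0) {
            if (i + 1 >= argc) {
                fprintf(stderr, "-OutFor requires a value\n");
                return 1;
            }
            if (set_outformat(outformat, cap, argv[i + 1]) != 0) {
                fprintf(stderr, "-OutFor value too long (max %zu characters)\n",
                        cap - 2);
                return 1;
            }
            i++; /* skip the consumed value */
        }
    }
    return 0;
}

int main(int argc, char **argv)
{
    char outformat[OUTFORMAT_CAP];

    if (parse_outfor(argc, argv, outformat, sizeof(outformat)) != 0) {
        return 1;
    }
    printf("outformat = \"%s\"\n", outformat);
    return 0;
}
```

With a 50-byte buffer the longest accepted value is 48 characters; the 128-character value from the reproduction (130 bytes once the dot and NUL are added, matching the "WRITE of size 130" in the ASan report) is rejected before any formatting happens.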
