This report was generated by AI and manually verified.
Summary
src/bin/jp2/opj_compress.c::parse_cmdline_encoder
copies the user-controlled -OutFor argument into a fixed 50-byte stack buffer
using sprintf. An oversized -OutFor value overflows the outformat buffer
during command-line parsing.
The issue was reproduced by running the sanitizer-built opj_compress
executable. ASan reports a stack-buffer-overflow in parse_cmdline_encoder at
src/bin/jp2/opj_compress.c:712.
Affected Code
- File: src/bin/jp2/opj_compress.c
- Function: parse_cmdline_encoder
- Option: -OutFor
- Vulnerable buffer: char outformat[50]
- Vulnerable call: sprintf(outformat, ".%s", of)
Impact
A local command-line argument can corrupt stack memory in opj_compress.
The bug lives in the command-line parser of the opj_compress executable itself
(not in the codec library) and is reachable before any image input is read.
Reproduction
PoC and evidence are available under:
343e5e20e286dac1872b65cc26fc875d6083f0724d359ba1b3ef47c2c7fe5aa4
Run:
payload="$(tr -d '\n' < row-validation-output/case-006/inputs/outfor_arg.txt)"
ASAN_OPTIONS=abort_on_error=1:symbolize=1:detect_leaks=0:allocator_may_return_null=1 \
build/bin/opj_compress -OutFor "$payload"
The project accepts this option with a single hyphen (-OutFor).
Sanitizer Evidence
Representative ASan output:
=================================================================
==1257838==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x76fc0b200352
WRITE of size 66 at 0x76fc0b200352 thread T0
#0 0x61c6363255cf in vsprintf (.../build/bin/opj_compress+0x9c5cf)
#1 0x61c6363266ce in sprintf (.../build/bin/opj_compress+0x9d6ce)
#2 0x61c6363ddade in parse_cmdline_encoder /home/kery-qi/yf/openjpeg/src/bin/jp2/opj_compress.c:712:13
#3 0x61c6363d9058 in main /home/kery-qi/yf/openjpeg/src/bin/jp2/opj_compress.c:1970:9
Address 0x76fc0b200352 is located in stack of thread T0 at offset 850 in frame
#0 0x61c6363dbe87 in parse_cmdline_encoder /home/kery-qi/yf/openjpeg/src/bin/jp2/opj_compress.c:621
This frame has 22 object(s):
[800, 850) 'outformat' (line 710)
SUMMARY: AddressSanitizer: stack-buffer-overflow (.../build/bin/opj_compress+0x9c5cf) in vsprintf
The overflow was reproduced in three separate runs of the sanitizer-built executable, each of which produced the ASan report above.
Root Cause
The -OutFor option value is fully controlled by the caller. The code prepends
a dot and writes it into outformat[50] using unbounded sprintf, so an
oversized option value overflows the stack object.
Suggested Fix
Replace the unbounded sprintf with checked formatting. For example, reject
values where strlen(of) + 2 > sizeof(outformat), or use a bounded format call
and treat truncation as an option parsing error.
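The following is an added example illustrating the suggested fix; it is not OpenJPEG code. It keeps the report's shape (a 50-byte outformat buffer filled with ".<value>") but applies both mitigations named above: an explicit strlen(of) + 2 > sizeof(outformat) rejection, and a bounded snprintf whose return value is checked so truncation is reported as a parsing error. The function names, the -1 error convention and the sample inputs are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hardened replacement for `sprintf(outformat, ".%s", of)` (added example,
 * not the project's code). Writes ".<of>" into a buffer of `cap` bytes.
 * Returns 0 on success, -1 when the value (plus the leading dot and the
 * terminating NUL) does not fit. */
int build_outformat(char *outformat, size_t cap, const char *of)
{
    if (outformat == NULL || of == NULL || cap == 0) {
        return -1;
    }
    /* Explicit length check from the suggested fix: dot + value + NUL. */
    if (strlen(of) + 2 > cap) {
        return -1;
    }
    /* Bounded format call: snprintf never writes more than cap bytes. */
    int n = snprintf(outformat, cap, ".%s", of);
    /* snprintf reports the length it *wanted* to write; >= cap means it
     * was truncated. Treat that as an option parsing error as well. */
    if (n < 0 || (size_t)n >= cap) {
        outformat[0] = '\0';
        return -1;
    }
    return 0;
}

/* Mirrors the parser's local `char outformat[50]` so the 50-byte boundary
 * can be exercised. Returns the formatted string (static storage) on
 * success or NULL when the value is rejected. */
const char *format_outfor(const char *of)
{
    static char outformat[50];          /* same size as in the report */
    if (build_outformat(outformat, sizeof(outformat), of) != 0) {
        return NULL;
    }
    return outformat;
}

/* Builds a constructed -OutFor value of `len` 'A' characters and returns
 * the parser result: 0 if accepted, -1 if rejected. Used to probe the
 * boundary (48 chars fit: 48 + dot + NUL = 50; 49 chars do not). */
int check_value_of_length(size_t len)
{
    char value[256];
    if (len >= sizeof(value)) {
        return -1;                      /* beyond what this probe models */
    }
    memset(value, 'A', len);
    value[len] = '\0';
    return format_outfor(value) != NULL ? 0 : -1;
}

int main(void)
{
    /* Constructed inputs: a normal format name and a 64-character value,
     * which is the length that yields the 66-byte write in the ASan trace. */
    const char *ok = format_outfor("J2K");
    printf("J2K -> %s\n", ok ? ok : "(rejected)");
    printf("64-char value -> %s\n",
           check_value_of_length(64) == 0 ? "accepted" : "rejected");
    printf("48-char value -> %s\n",
           check_value_of_length(48) == 0 ? "accepted" : "rejected");
    printf("49-char value -> %s\n",
           check_value_of_length(49) == 0 ? "accepted" : "rejected");
    return 0;
}
```

In the real parser the caller would turn the -1 into the usual "invalid option value" error path rather than continuing; the length check alone is sufficient to prevent the overflow, and the snprintf return-value check is there so the bound cannot silently drift if the buffer size or format string changes later.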