oss-sec mailing list archives

CVE Request: OpenJPEG Heap Buffer Overflow Issue


From: winsonliu(刘科) <winsonliu () tencent com>
Date: Thu, 8 Sep 2016 03:13:15 +0000

Hi,

This is Ke from Tencent's Xuanwu LAB. I reported a security issue of OpenJPEG some days ago and it has been fixed now. 
The fix is available at https://github.com/uclouvain/openjpeg/commit/e078172b1c3f98d2219c37076b238fb759c751ea . Could 
you please assign a CVE number for it?

Thanks.

Regards,
Ke
Tencent's Xuanwu LAB


DESCRIPTION
==============
A Heap Buffer Overflow (Out-of-Bounds Write) issue was found in function opj_dwt_interleave_v of dwt.c. This 
vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of OpenJPEG.


CREDIT
==============
This vulnerability was discovered by Ke Liu of Tencent's Xuanwu LAB.


TESTED VERSION
==============
Master version of OpenJPEG (4a2a869)


EXCEPTION LOG
==============
==5576==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb4f0197c at pc 0xb748f7e3 bp 0xbf9c1d38 sp 0xbf9c1d30
WRITE of size 4 at 0xb4f0197c thread T0
    #0 0xb748f7e2 in opj_dwt_interleave_v src/lib/openjp2/dwt.c:268:7
    #1 0xb74761ee in opj_dwt_decode_tile src/lib/openjp2/dwt.c:609:4
    #2 0xb7474108 in opj_dwt_decode src/lib/openjp2/dwt.c:477:9
    #3 0xb77329e2 in opj_tcd_dwt_decode src/lib/openjp2/tcd.c:1619:31
    #4 0xb772ffcc in opj_tcd_decode_tile src/lib/openjp2/tcd.c:1306:20
    #5 0xb74e9a0e in opj_j2k_decode_tile src/lib/openjp2/j2k.c:8134:15
    #6 0xb7575354 in opj_j2k_decode_tiles src/lib/openjp2/j2k.c:9761:23
    #7 0xb74cee4c in opj_j2k_exec src/lib/openjp2/j2k.c:7350:43
    #8 0xb750578b in opj_j2k_decode src/lib/openjp2/j2k.c:9959:15
    #9 0xb75ca0de in opj_jp2_decode src/lib/openjp2/jp2.c:1492:8
    #10 0xb7634eb8 in opj_decode src/lib/openjp2/openjpeg.c:412:10
    #11 0x8140304 in main src/bin/jp2/opj_decompress.c:1332:10
    #12 0xb71cbaf2 in __libc_start_main /build/eglibc-X4bnBz/eglibc-2.19/csu/libc-start.c:287
    #13 0x80781eb in _start (bin/opj_decompress+0x80781eb)

0xb4f0197c is located 4 bytes to the left of 1028-byte region [0xb4f01980,0xb4f01d84)
allocated by thread T0 here:
    #0 0x8110949 in __interceptor_posix_memalign (bin/opj_decompress+0x8110949)
    #1 0xb77533dc in opj_aligned_alloc_n src/lib/openjp2/opj_malloc.c:61:7
    #2 0xb7752ed3 in opj_aligned_malloc src/lib/openjp2/opj_malloc.c:208:10
    #3 0xb7474d08 in opj_dwt_decode_tile src/lib/openjp2/dwt.c:576:22
    #4 0xb7474108 in opj_dwt_decode src/lib/openjp2/dwt.c:477:9
    #5 0xb77329e2 in opj_tcd_dwt_decode src/lib/openjp2/tcd.c:1619:31
    #6 0xb772ffcc in opj_tcd_decode_tile src/lib/openjp2/tcd.c:1306:20
    #7 0xb74e9a0e in opj_j2k_decode_tile src/lib/openjp2/j2k.c:8134:15
    #8 0xb7575354 in opj_j2k_decode_tiles src/lib/openjp2/j2k.c:9761:23
    #9 0xb74cee4c in opj_j2k_exec src/lib/openjp2/j2k.c:7350:43
    #10 0xb750578b in opj_j2k_decode src/lib/openjp2/j2k.c:9959:15
    #11 0xb75ca0de in opj_jp2_decode src/lib/openjp2/jp2.c:1492:8
    #12 0xb7634eb8 in opj_decode src/lib/openjp2/openjpeg.c:412:10
    #13 0x8140304 in main src/bin/jp2/opj_decompress.c:1332:10
    #14 0xb71cbaf2 in __libc_start_main /build/eglibc-X4bnBz/eglibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-buffer-overflow src/lib/openjp2/dwt.c:268 opj_dwt_interleave_v
Shadow bytes around the buggy address:
  0x369e02d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x369e02e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x369e02f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x369e0300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x369e0310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x369e0320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x369e0330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x369e0340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x369e0350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x369e0360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x369e0370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==5576==ABORTING
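As an added example, not part of the original report and not OpenJPEG code: a small Python triage script that parses an AddressSanitizer heap-buffer-overflow report like the one above and turns its "N bytes to the left of ... region" sentence into a signed element index, which is the first thing a reviewer wants when mapping a crash back to the faulting loop. The sample input is a constructed excerpt of the report quoted above; the helper names (parse_asan_report, element_index, classify, summarize) are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: an excerpt of the AddressSanitizer report quoted in the
# original message, trimmed to the lines the parser needs.
SAMPLE_REPORT = """\
==5576==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb4f0197c at pc 0xb748f7e3 bp 0xbf9c1d38 sp 0xbf9c1d30
WRITE of size 4 at 0xb4f0197c thread T0
    #0 0xb748f7e2 in opj_dwt_interleave_v src/lib/openjp2/dwt.c:268:7
    #1 0xb74761ee in opj_dwt_decode_tile src/lib/openjp2/dwt.c:609:4

0xb4f0197c is located 4 bytes to the left of 1028-byte region [0xb4f01980,0xb4f01d84)
allocated by thread T0 here:
    #0 0x8110949 in __interceptor_posix_memalign (bin/opj_decompress+0x8110949)
    #1 0xb77533dc in opj_aligned_alloc_n src/lib/openjp2/opj_malloc.c:61:7
    #2 0xb7752ed3 in opj_aligned_malloc src/lib/openjp2/opj_malloc.c:208:10
    #3 0xb7474d08 in opj_dwt_decode_tile src/lib/openjp2/dwt.c:576:22
"""

HEADER_RE = re.compile(
    r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(
    r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)", re.M)
FRAME_RE = re.compile(
    r"^\s+#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)", re.M)
# ASan phrases the position as "to the left of", "to the right of" or "inside of".
REGION_RE = re.compile(
    r"(?P<addr>0x[0-9a-f]+) is located (?P<dist>\d+) bytes "
    r"(?:to the (?P<side>left|right) of|inside of) "
    r"(?P<size>\d+)-byte region \[(?P<start>0x[0-9a-f]+),(?P<end>0x[0-9a-f]+)\)")


@dataclass
class AsanFinding:
    kind: str          # e.g. heap-buffer-overflow
    op: str            # READ or WRITE
    size: int          # width of the faulting access in bytes
    addr: int          # faulting address
    func: str          # frame #0 of the faulting access
    location: str      # file:line:col of that frame
    region_size: int   # size of the allocation ASan matched the address to
    offset: int        # addr - region start; negative means before the buffer
    alloc_func: str    # first non-interceptor frame of the allocation stack


def _first_frame(text: str, skip_interceptors: bool = False):
    for m in FRAME_RE.finditer(text):
        if skip_interceptors and m.group("func").startswith("__interceptor_"):
            continue
        return m.group("func"), m.group("loc")
    raise ValueError("no stack frame found")


def parse_asan_report(report: str) -> AsanFinding:
    header = HEADER_RE.search(report)
    access = ACCESS_RE.search(report)
    region = REGION_RE.search(report)
    if not (header and access and region):
        raise ValueError("not a recognised AddressSanitizer heap report")
    # The access stack precedes "allocated by thread"; the allocation stack follows it.
    access_part, _, alloc_part = report.partition("allocated by thread")
    func, loc = _first_frame(access_part)
    alloc_func, _ = _first_frame(alloc_part, skip_interceptors=True)

    addr = int(access.group("addr"), 16)
    start, end = int(region.group("start"), 16), int(region.group("end"), 16)
    region_size = int(region.group("size"))
    if end - start != region_size:
        raise ValueError("region bounds disagree with the stated region size")
    offset = addr - start

    # Cross-check the computed offset against ASan's own sentence: a mismatch
    # means the report was truncated, mis-pasted or edited.
    dist, side = int(region.group("dist")), region.group("side")
    expected = -dist if side == "left" else region_size + dist if side == "right" else dist
    if offset != expected:
        raise ValueError(f"computed offset {offset} disagrees with report text ({expected})")

    return AsanFinding(kind=header.group("kind"), op=access.group("op"),
                       size=int(access.group("size")), addr=addr, func=func,
                       location=loc, region_size=region_size, offset=offset,
                       alloc_func=alloc_func)


def element_index(f: AsanFinding) -> int:
    """Signed index of the access in units of its own width; -1 is one element before the buffer."""
    return f.offset // f.size


def classify(f: AsanFinding) -> str:
    if f.offset < 0:
        return "before the start of the allocation"
    if f.offset >= f.region_size:
        return "past the end of the allocation"
    return "inside the allocation"


def summarize(f: AsanFinding) -> str:
    return (f"{f.op} of {f.size} bytes at element index {element_index(f)} "
            f"({classify(f)}, {f.region_size}-byte region allocated in {f.alloc_func}) "
            f"in {f.func} at {f.location}")


if __name__ == "__main__":
    print(summarize(parse_asan_report(SAMPLE_REPORT)))
```

For the report above this yields a 4-byte write at element index -1 of a 1028-byte region handed out by opj_aligned_alloc_n, that is, one 32-bit element before the start of the buffer rather than past its end. That distinction matters when reading the fix: an underflow points at index arithmetic that goes negative before the first iteration, not at a loop bound that runs one too far.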
