oss-sec mailing list archives
CVE Request: OpenJPEG Heap Buffer Overflow Issue
From: winsonliu(刘科) <winsonliu () tencent com>
Date: Thu, 8 Sep 2016 03:13:15 +0000
Hi,

This is Ke from Tencent's Xuanwu LAB. I reported a security issue in OpenJPEG some days ago, and it has been fixed now. The fix is available at https://github.com/uclouvain/openjpeg/commit/e078172b1c3f98d2219c37076b238fb759c751ea . Could you please assign a CVE number for it? Thanks.

Regards,
Ke
Tencent's Xuanwu LAB

DESCRIPTION
==============
A Heap Buffer Overflow (Out-of-Bounds Write) issue was found in function opj_dwt_interleave_v of dwt.c. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of OpenJPEG.

CREDIT
==============
This vulnerability was discovered by Ke Liu of Tencent's Xuanwu LAB.

TESTED VERSION
==============
Master version of OpenJPEG (4a2a869)

EXCEPTION LOG
==============
==5576==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb4f0197c at pc 0xb748f7e3 bp 0xbf9c1d38 sp 0xbf9c1d30
WRITE of size 4 at 0xb4f0197c thread T0
    #0 0xb748f7e2 in opj_dwt_interleave_v src/lib/openjp2/dwt.c:268:7
    #1 0xb74761ee in opj_dwt_decode_tile src/lib/openjp2/dwt.c:609:4
    #2 0xb7474108 in opj_dwt_decode src/lib/openjp2/dwt.c:477:9
    #3 0xb77329e2 in opj_tcd_dwt_decode src/lib/openjp2/tcd.c:1619:31
    #4 0xb772ffcc in opj_tcd_decode_tile src/lib/openjp2/tcd.c:1306:20
    #5 0xb74e9a0e in opj_j2k_decode_tile src/lib/openjp2/j2k.c:8134:15
    #6 0xb7575354 in opj_j2k_decode_tiles src/lib/openjp2/j2k.c:9761:23
    #7 0xb74cee4c in opj_j2k_exec src/lib/openjp2/j2k.c:7350:43
    #8 0xb750578b in opj_j2k_decode src/lib/openjp2/j2k.c:9959:15
    #9 0xb75ca0de in opj_jp2_decode src/lib/openjp2/jp2.c:1492:8
    #10 0xb7634eb8 in opj_decode src/lib/openjp2/openjpeg.c:412:10
    #11 0x8140304 in main src/bin/jp2/opj_decompress.c:1332:10
    #12 0xb71cbaf2 in __libc_start_main /build/eglibc-X4bnBz/eglibc-2.19/csu/libc-start.c:287
    #13 0x80781eb in _start (bin/opj_decompress+0x80781eb)

0xb4f0197c is located 4 bytes to the left of 1028-byte region [0xb4f01980,0xb4f01d84)
allocated by thread T0 here:
    #0 0x8110949 in __interceptor_posix_memalign (bin/opj_decompress+0x8110949)
    #1 0xb77533dc in opj_aligned_alloc_n src/lib/openjp2/opj_malloc.c:61:7
    #2 0xb7752ed3 in opj_aligned_malloc src/lib/openjp2/opj_malloc.c:208:10
    #3 0xb7474d08 in opj_dwt_decode_tile src/lib/openjp2/dwt.c:576:22
    #4 0xb7474108 in opj_dwt_decode src/lib/openjp2/dwt.c:477:9
    #5 0xb77329e2 in opj_tcd_dwt_decode src/lib/openjp2/tcd.c:1619:31
    #6 0xb772ffcc in opj_tcd_decode_tile src/lib/openjp2/tcd.c:1306:20
    #7 0xb74e9a0e in opj_j2k_decode_tile src/lib/openjp2/j2k.c:8134:15
    #8 0xb7575354 in opj_j2k_decode_tiles src/lib/openjp2/j2k.c:9761:23
    #9 0xb74cee4c in opj_j2k_exec src/lib/openjp2/j2k.c:7350:43
    #10 0xb750578b in opj_j2k_decode src/lib/openjp2/j2k.c:9959:15
    #11 0xb75ca0de in opj_jp2_decode src/lib/openjp2/jp2.c:1492:8
    #12 0xb7634eb8 in opj_decode src/lib/openjp2/openjpeg.c:412:10
    #13 0x8140304 in main src/bin/jp2/opj_decompress.c:1332:10
    #14 0xb71cbaf2 in __libc_start_main /build/eglibc-X4bnBz/eglibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-buffer-overflow src/lib/openjp2/dwt.c:268 opj_dwt_interleave_v
Shadow bytes around the buggy address:
  0x369e02d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x369e02e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x369e02f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x369e0300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x369e0310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x369e0320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x369e0330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x369e0340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x369e0350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x369e0360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x369e0370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==5576==ABORTING
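The report above says everything a reader gets from the page: a 4-byte WRITE in opj_dwt_interleave_v landing 4 bytes before a 1028-byte aligned heap region, i.e. one 32-bit sample before the start of the DWT scratch buffer. The following is an added example, not OpenJPEG's code and not the fix in the linked commit. It models the interleave pattern that function implements (low-pass samples to even slots, high-pass samples to odd slots, offset by a parity value `cas`) and shows one way such a write can happen: a negative `cas` makes the very first store hit `mem[-1]`. The names `dwt_line_t`, `interleave_unchecked`, `interleave_checked`, `MEM_LEN` and `REDZONE` are hypothetical, the sample data is constructed, and the negative parity offset is an assumed trigger chosen because it reproduces the shape of the report, not the root cause established upstream. The redzone words around the scratch buffer play the role ASan's `fa` shadow bytes play in the log.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MEM_LEN 16                      /* hypothetical scratch length, in 32-bit samples */
#define REDZONE ((int32_t)0x7a7a7a7a)   /* constructed canary standing in for ASan's 'fa' bytes */

/* Hypothetical per-line parameters, modelled on what the trace implies:
 * sn/dn = number of low-/high-pass samples, cas = parity of the line origin,
 * mem   = scratch buffer that receives the interleaved samples. */
typedef struct {
    int sn;
    int dn;
    int cas;
    int32_t *mem;
} dwt_line_t;

/* Unchecked interleave (a model of the vulnerable pattern, not OpenJPEG's code):
 * low-pass samples go to slots cas, cas+2, ...; high-pass samples to
 * 1-cas, 3-cas, ... Nothing checks that cas is 0 or 1, or that sn/dn fit in
 * mem. With cas == -1 the first store hits mem[-1]: a 4-byte write one word
 * before the allocation, which is the shape of the ASan report. */
static void interleave_unchecked(const dwt_line_t *v, const int32_t *a, int x)
{
    const int32_t *ai = a;
    int32_t *bi = v->mem + v->cas;
    int i = v->sn;
    while (i--) { *bi = *ai; bi += 2; ai += x; }
    ai = a + (ptrdiff_t)v->sn * x;
    bi = v->mem + 1 - v->cas;
    i = v->dn;
    while (i--) { *bi = *ai; bi += 2; ai += x; }
}

/* Hardened variant: reject a parity offset outside {0,1} and any sn/dn whose
 * highest slot would fall outside mem_len samples. Returns 0 on success,
 * -1 if the parameters were rejected (nothing is written in that case). */
static int interleave_checked(const dwt_line_t *v, const int32_t *a, int x, size_t mem_len)
{
    long long hi_low, hi_high;
    if (v->cas < 0 || v->cas > 1 || v->sn < 0 || v->dn < 0)
        return -1;
    /* highest slot each pass touches; negative when that pass is empty */
    hi_low  = (long long)v->cas + 2LL * v->sn - 2;
    hi_high = 1LL - v->cas + 2LL * v->dn - 2;
    if (hi_low >= (long long)mem_len || hi_high >= (long long)mem_len)
        return -1;
    interleave_unchecked(v, a, x);
    return 0;
}

/* Runs the unchecked model with the given parity offset (-1, 0 or 1 only;
 * the surrounding redzone words keep those cases inside the array) and
 * reports whether the word just before mem was overwritten:
 * 1 = left redzone clobbered (the bug), 0 = intact, -2 = unsupported cas. */
static int demo_left_redzone_clobbered(int cas)
{
    int32_t storage[MEM_LEN + 2];
    int32_t src[MEM_LEN];
    dwt_line_t v;
    size_t i;
    if (cas < -1 || cas > 1)
        return -2;
    for (i = 0; i < MEM_LEN + 2; i++) storage[i] = REDZONE;
    for (i = 0; i < MEM_LEN; i++) src[i] = (int32_t)i + 1;   /* constructed samples */
    v.sn = MEM_LEN / 2;
    v.dn = MEM_LEN / 2;
    v.cas = cas;
    v.mem = storage + 1;   /* storage[0] and storage[MEM_LEN + 1] are the redzones */
    interleave_unchecked(&v, src, 1);
    return storage[0] != REDZONE;
}

/* Same scenario through the checked variant. Returns interleave_checked's
 * result (0 = ran, -1 = rejected) or -2 if the request exceeds the demo's
 * own buffers. */
static int demo_checked(int cas, int sn, int dn, size_t mem_len)
{
    int32_t storage[MEM_LEN + 2];
    int32_t src[MEM_LEN];
    dwt_line_t v;
    size_t i;
    if (mem_len > MEM_LEN || sn < 0 || dn < 0 || sn > MEM_LEN || dn > MEM_LEN || sn + dn > MEM_LEN)
        return -2;
    for (i = 0; i < MEM_LEN + 2; i++) storage[i] = REDZONE;
    for (i = 0; i < MEM_LEN; i++) src[i] = (int32_t)i + 1;
    v.sn = sn;
    v.dn = dn;
    v.cas = cas;
    v.mem = storage + 1;
    return interleave_checked(&v, src, 1, mem_len);
}

int main(void)
{
    printf("unchecked, cas=-1: left redzone clobbered = %d\n", demo_left_redzone_clobbered(-1));
    printf("unchecked, cas=0 : left redzone clobbered = %d\n", demo_left_redzone_clobbered(0));
    printf("checked,   cas=-1: rc = %d\n", demo_checked(-1, 8, 8, MEM_LEN));
    printf("checked,   cas=0 : rc = %d\n", demo_checked(0, 8, 8, MEM_LEN));
    printf("checked,   mem too small: rc = %d\n", demo_checked(0, 8, 8, 15));
    return 0;
}
```

The check in `interleave_checked` is deliberately expressed in terms of the highest slot each pass writes rather than `sn + dn <= mem_len`, because the two passes interleave with a stride of 2 and the parity offset shifts them; bounding the highest index is what actually keeps every store inside the buffer. When reproducing the real issue, build OpenJPEG with `-fsanitize=address` and run opj_decompress on the crashing input; the frame at dwt.c:268 and the "4 bytes to the left" message are the two things to confirm before and after applying the linked commit.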