oss-sec mailing list archives
Out-of-bounds Read in the OpenJpeg's opj_j2k_update_image_data and opj_tgt_reset function
From: limingxing <limingxing () 360 cn>
Date: Mon, 18 Jan 2016 10:33:40 +0000
Hello,

We found two vulnerabilities in the way OpenJpeg's opj_j2k_update_image_data and opj_tgt_reset functions parse certain JPEG 2000 image files. I was successful in reproducing these issues in the latest version of openjpeg (https://github.com/uclouvain/openjpeg, 2016.1.18).

The crash info about the opj_j2k_update_image_data function was:

==1630==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb48010d8 at pc 0x8184862 bp 0xbfff8e58 sp 0xbfff8e50
READ of size 4 at 0xb48010d8 thread T0
==1630==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x8184861 (/home/r/fuzz3/openjpeg-master/bin/opj_decompress+0x8184861)
0xb48010d8 is located 0 bytes to the right of 56-byte region [0xb48010a0,0xb48010d8)
allocated by thread T0 here:
    #0 0x80b5f8e (/home/r/fuzz3/openjpeg-master/bin/opj_decompress+0x80b5f8e)
    #1 0x81ba220 (/home/r/fuzz3/openjpeg-master/bin/opj_decompress+0x81ba220)
    #2 0x8273db1 (/home/r/fuzz3/openjpeg-master/bin/opj_decompress+0x8273db1)
    #3 0x827c023 (/home/r/fuzz3/openjpeg-master/bin/opj_decompress+0x827c023)
    #4 0x81e0709 (/home/r/fuzz3/openjpeg-master/bin/opj_decompress+0x81e0709)
    #5 0x8212cba (/home/r/fuzz3/openjpeg-master/bin/opj_decompress+0x8212cba)
    #6 0x82cc849 (/home/r/fuzz3/openjpeg-master/bin/opj_decompress+0x82cc849)
    #7 0x81ac9b6 (/home/r/fuzz3/openjpeg-master/bin/opj_decompress+0x81ac9b6)
    #8 0x80dc56e (/home/r/fuzz3/openjpeg-master/bin/opj_decompress+0x80dc56e)
    #9 0xb7da2a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x369001c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x369001d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x369001e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x369001f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36900200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x36900210: fa fa fa fa 00 00 00 00 00 00 00[fa]fa fa fa fa
  0x36900220: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x36900230: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
  0x36900240: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x36900250: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x36900260: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==1630==ABORTING
[Inferior 1 (process 1630) exited with code 01]

The crash info about the opj_tgt_reset function was:

ASAN:SIGSEGV
=================================================================
==1666==ERROR: AddressSanitizer: SEGV on unknown address 0x00008109 (pc 0x083b06c7 sp 0xbfa06420 bp 0xbfa065b8 T0)
==1666==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x83b06c6 (/home/r/fuzz3/openjpeg-master/bin/opj_decompress+0x83b06c6)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==1666==ABORTING

These vulnerabilities were found by Qihoo 360 Codesafe Team
Attachment: openjpeg_poc.zip
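The two reports above are unsymbolized, so the only hard facts a reader can take from them are the error class, the faulting access, the allocation it runs past, and the shadow dump. The helper below is an added triage example, not code from the original post or from the OpenJPEG project: it parses those facts out of an ASan report, computes how far past the allocation the read lands, and checks that the shadow byte ASan bracketed is really the one the faulting address maps to. The sample inputs are constructed from the essential lines of the two reports in the post (backtrace frames omitted). It assumes a 32-bit x86 ASan build with shadow base 0x20000000, which is what the i386 addresses in the reports indicate; the shadow-address check is what confirms that assumption against the dump.

```python
"""Triage helper for AddressSanitizer reports: pull out the error class, the
faulting access, the allocation it overruns, and cross-check the shadow dump.
Added example, not OpenJPEG code; assumes a 32-bit x86 ASan build."""
import re

SHADOW_SCALE = 3                 # one shadow byte covers 2**3 = 8 application bytes
SHADOW_OFFSET_I386 = 0x20000000  # ASan shadow base on 32-bit x86 Linux (assumption: matches the post's i386 build)
HEAP_REDZONE = {0xfa, 0xfb}      # shadow values for bytes outside a live heap chunk

# Constructed sample input: the essential lines of the two reports in the post,
# backtrace frames omitted.
SAMPLE_HEAP_OVERFLOW = """\
==1630==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb48010d8 at pc 0x8184862 bp 0xbfff8e58 sp 0xbfff8e50
READ of size 4 at 0xb48010d8 thread T0
0xb48010d8 is located 0 bytes to the right of 56-byte region [0xb48010a0,0xb48010d8)
Shadow bytes around the buggy address:
  0x36900200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x36900210: fa fa fa fa 00 00 00 00 00 00 00[fa]fa fa fa fa
  0x36900220: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
"""
SAMPLE_SEGV = """\
==1666==ERROR: AddressSanitizer: SEGV on unknown address 0x00008109 (pc 0x083b06c7 sp 0xbfa06420 bp 0xbfa065b8 T0)
AddressSanitizer can not provide additional info.
"""

_ERROR_RE = re.compile(r"AddressSanitizer: ([\w-]+) on (?:unknown )?address (0x[0-9a-fA-F]+)")
_ACCESS_RE = re.compile(r"\b(READ|WRITE) of size (\d+) at (0x[0-9a-fA-F]+)")
_REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region "
                        r"\[(0x[0-9a-fA-F]+),(0x[0-9a-fA-F]+)\)")
_SHADOW_ROW_RE = re.compile(r"^(?:=>)?\s*(0x[0-9a-fA-F]+):(.*)$", re.M)


def shadow_address(addr, shadow_offset=SHADOW_OFFSET_I386):
    """ASan's MemToShadow mapping: (addr >> 3) + shadow_offset."""
    return (addr >> SHADOW_SCALE) + shadow_offset


def marked_shadow_byte(text):
    """(shadow address, value) of the byte ASan bracketed in the dump, or None."""
    for m in _SHADOW_ROW_RE.finditer(text):
        row_base = int(m.group(1), 16)
        tokens = re.findall(r"\[?[0-9a-f]{2}\]?", m.group(2))
        for idx, tok in enumerate(tokens):
            if tok.startswith("["):
                return row_base + idx, int(tok.strip("[]"), 16)
    return None


def parse_asan_report(text, shadow_offset=SHADOW_OFFSET_I386):
    """Extract the facts a crash triage needs from one ASan report."""
    m = _ERROR_RE.search(text)
    if m is None:
        raise ValueError("not an AddressSanitizer report")
    rep = {"error": m.group(1), "address": int(m.group(2), 16), "access": None,
           "region": None, "side": None, "overflow_offset": None,
           "shadow_marked": None, "shadow_consistent": None}
    a = _ACCESS_RE.search(text)
    if a:
        rep["access"] = (a.group(1), int(a.group(2)))
    r = _REGION_RE.search(text)
    if r:
        lo, hi = int(r.group(4), 16), int(r.group(5), 16)
        if int(r.group(3)) != hi - lo:
            raise ValueError("region size disagrees with its bounds")
        rep["region"], rep["side"] = (lo, hi), r.group(2)
        # Distance past the end (right) or before the start (left) of the chunk;
        # 0 on the right means the access begins at the first byte past the buffer.
        rep["overflow_offset"] = rep["address"] - hi if rep["side"] == "right" else lo - rep["address"]
        if rep["overflow_offset"] != int(r.group(1)):
            raise ValueError("stated distance disagrees with address and bounds")
    marked = marked_shadow_byte(text)
    if marked:
        shadow_addr, value = marked
        rep["shadow_marked"] = shadow_addr
        # The bracketed shadow byte must be the one the faulting address maps to,
        # and for a heap overflow it must carry a heap redzone value.
        rep["shadow_consistent"] = (shadow_addr == shadow_address(rep["address"], shadow_offset)
                                    and (rep["error"] != "heap-buffer-overflow" or value in HEAP_REDZONE))
    return rep


def classify(rep):
    """One-line triage verdict built only from what the report states."""
    if rep["region"] and rep["access"]:
        kind, size = rep["access"]
        lo, hi = rep["region"]
        where = "past the end of" if rep["side"] == "right" else "before the start of"
        agree = "agrees" if rep["shadow_consistent"] else "DISAGREES"
        return (f"{rep['error']}: {kind} of {size} bytes starting {rep['overflow_offset']} bytes "
                f"{where} a {hi - lo}-byte heap chunk (shadow dump {agree})")
    return (f"{rep['error']} at {rep['address']:#x}: no allocation context; "
            "needs a symbolized backtrace before it can be rated")


if __name__ == "__main__":
    for sample in (SAMPLE_HEAP_OVERFLOW, SAMPLE_SEGV):
        print(classify(parse_asan_report(sample)))
```

For the first report the helper confirms what the text states: a 4-byte read beginning exactly at the end of a 56-byte heap allocation, and the bracketed shadow byte at 0x3690021b is indeed (0xb48010d8 >> 3) + 0x20000000, a heap redzone byte sitting right after seven addressable shadow bytes (56 / 8). The SEGV report carries no allocation context at all, so its only useful next step is symbolization: both reports warn that the external symbolizer is not initialized, and pointing ASAN_SYMBOLIZER_PATH at llvm-symbolizer before re-running opj_decompress on the PoC turns the raw offsets into function names.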