oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Out-of-bounds Read in the OpenJpeg's opj_j2k_update_image_data and opj_tgt_reset function

From: limingxing <limingxing () 360 cn>
Date: Mon, 18 Jan 2016 10:33:40 +0000

Hello,
We find two vulnerabilities in the way OpenJpeg's opj_j2k_update_image_data and opj_tgt_reset function  parsed certain 
JPEG 2000 image files.
I was successful in reproducing these issues in the latest version of openjpeg  (https://github.com/uclouvain/openjpeg, 
2016.1.18).

The crash info about opj_j2k_update_image_data function was:
==1630==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb48010d8 at pc 0x8184862 bp 0xbfff8e58 sp 0xbfff8e50
READ of size 4 at 0xb48010d8 thread T0
==1630==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x8184861 (/home/r/fuzz3/openjpeg-master/bin/opj_decompress+0x8184861)

0xb48010d8 is located 0 bytes to the right of 56-byte region [0xb48010a0,0xb48010d8)
allocated by thread T0 here:
    #0 0x80b5f8e (/home/r/fuzz3/openjpeg-master/bin/opj_decompress+0x80b5f8e)
    #1 0x81ba220 (/home/r/fuzz3/openjpeg-master/bin/opj_decompress+0x81ba220)
    #2 0x8273db1 (/home/r/fuzz3/openjpeg-master/bin/opj_decompress+0x8273db1)
    #3 0x827c023 (/home/r/fuzz3/openjpeg-master/bin/opj_decompress+0x827c023)
    #4 0x81e0709 (/home/r/fuzz3/openjpeg-master/bin/opj_decompress+0x81e0709)
    #5 0x8212cba (/home/r/fuzz3/openjpeg-master/bin/opj_decompress+0x8212cba)
    #6 0x82cc849 (/home/r/fuzz3/openjpeg-master/bin/opj_decompress+0x82cc849)
    #7 0x81ac9b6 (/home/r/fuzz3/openjpeg-master/bin/opj_decompress+0x81ac9b6)
    #8 0x80dc56e (/home/r/fuzz3/openjpeg-master/bin/opj_decompress+0x80dc56e)
    #9 0xb7da2a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
  0x369001c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x369001d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x369001e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x369001f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36900200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x36900210: fa fa fa fa 00 00 00 00 00 00 00[fa]fa fa fa fa
  0x36900220: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x36900230: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
  0x36900240: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x36900250: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
  0x36900260: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==1630==ABORTING
[Inferior 1 (process 1630) exited with code 01]

The crash info about opj_tgt_reset function was:
ASAN:SIGSEGV
=================================================================
==1666==ERROR: AddressSanitizer: SEGV on unknown address 0x00008109 (pc 0x083b06c7 sp 0xbfa06420 bp 0xbfa065b8 T0)
==1666==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x83b06c6 (/home/r/fuzz3/openjpeg-master/bin/opj_decompress+0x83b06c6)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==1666==ABORTING

These vulnerabilities ware found by Qihoo 360 Codesafe Team

Attachment: openjpeg_poc.zip
Description: openjpeg_poc.zip

Previous By Date Next
Previous By Thread Next

Current thread: