oss-sec mailing list archives

CVE request - openjpeg null ptr dereference


From: vul@724safe <vul () 724safe com>
Date: Sun, 18 Sep 2016 20:41:43 +0800

# Vulnerability
openjpeg null ptr dereference in convert.c:1331

# Version
2.1.1  ( http://www.openjpeg.org/ )

# Address Sanitizer Output
ASAN:SIGSEGV
=================================================================
==7358==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc 0x0815d204 bp 0xff846938 sp 0xff846380 T0)
    #0 0x815d203 in skip_white /home/starlab/fuzzing/openjpeg/src/bin/jp2/convert.c:1331
    #1 0x8135d81 in main /home/starlab/fuzzing/openjpeg/src/bin/jp2/opj_compress.c:1723
    #2 0xf7343636 in __libc_start_main ??:?
    #3 0x807a31b in _start ??:?

# PoC
See poc.ppm

# Analysis
In convert.c:1483 and convert.c:1485, variable s is unchecked after
skip_int is called.
A null ptr will be passed to skip_int again and will cause a null ptr
dereference.
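The defect class described above is a pointer-returning tokenizer whose NULL result is handed straight back into the next call. The following is an added, constructed re-creation of that pattern in a hardened form; it is not openjpeg's convert.c. The names skip_white, skip_int and the PNM header layout are taken from the report, but the function bodies, parse_pnm_header and the sample headers are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical PNM header tokenizer in the style the report describes
 * (not the project's own code). skip_white() returns NULL when it hits
 * end-of-line before a token, which is how "field missing" is signalled. */
static char *skip_white(char *s)
{
    if (s == NULL) {
        return NULL;        /* hardened: tolerate NULL from a previous call */
    }
    while (*s) {
        if (*s == '\n' || *s == '\r') {
            return NULL;    /* end of line reached before a token */
        }
        if (*s == ' ' || *s == '\t') {
            ++s;
            continue;
        }
        break;
    }
    return s;
}

/* Parse one decimal integer after optional whitespace. Returns a pointer
 * just past the digits, or NULL if no integer could be read. */
static char *skip_int(char *start, int *out_n)
{
    char *s;
    char c;
    *out_n = 0;
    s = skip_white(start);
    if (s == NULL) {
        return NULL;
    }
    start = s;
    while (*s >= '0' && *s <= '9') {
        ++s;
    }
    if (s == start) {
        return NULL;        /* no digits at all */
    }
    c = *s;
    *s = '\0';
    *out_n = atoi(start);
    *s = c;
    return s;
}

/* Parse "P6 <width> <height> <maxval>" from a mutable header line.
 * Returns 0 on success, -1 on a malformed line. Every pointer returned by
 * skip_int() is checked before it is fed back in; the report's bug is
 * exactly an unchecked hand-off between two such calls. */
int parse_pnm_header(char *line, int *width, int *height, int *maxval)
{
    char *s;
    if (line == NULL || line[0] != 'P' || line[1] != '6') {
        return -1;
    }
    s = skip_int(line + 2, width);
    if (s == NULL || *s == '\0') {
        return -1;
    }
    s = skip_int(s, height);
    if (s == NULL || *s == '\0') {
        return -1;
    }
    s = skip_int(s, maxval);
    if (s == NULL) {
        return -1;
    }
    return 0;
}

/* Wrapper that parses a copy of a string literal (the parser temporarily
 * writes into the buffer). Returns the parser's status. */
int parse_pnm_header_copy(const char *text, int *width, int *height, int *maxval)
{
    char buf[128];
    size_t n = strlen(text);
    if (n >= sizeof buf) {
        return -1;
    }
    memcpy(buf, text, n + 1);
    return parse_pnm_header(buf, width, height, maxval);
}

int main(void)
{
    int w = 0, h = 0, m = 0;
    /* Constructed sample headers: one well-formed, one truncated after width. */
    const char *good = "P6 640 480 255\n";
    const char *truncated = "P6 640\n";
    printf("good: %d (w=%d h=%d max=%d)\n",
           parse_pnm_header_copy(good, &w, &h, &m), w, h, m);
    printf("truncated: %d (no crash, rejected)\n",
           parse_pnm_header_copy(truncated, &w, &h, &m));
    return 0;
}
```

The truncated header is the interesting case: after the width token the cursor sits on the newline, so the next skip_white returns NULL, and without the `s == NULL` checks that NULL would be dereferenced on the following call. A fuzzer finds this class quickly because any line shorter than the expected field count triggers it.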

# Report Timeline
2016-09-16: FB3F15 of STARLAB discovered this issue
2016-09-18: Patch released

# Credit
FB3F15 of STARLAB

# PoC
https://github.com/STARLABSEC/pocs/raw/master/openjpeg-nullptr-github-issue-842.ppm

# External link
https://github.com/uclouvain/openjpeg/issues/843
