oss-sec mailing list archives
Re: CVE request - openjpeg null ptr dereference
From: Robert Święcki <robert () swiecki net>
Date: Sun, 18 Sep 2016 15:23:32 +0200
Hi, 2016-09-18 14:41 GMT+02:00 vul@724safe <vul () 724safe com>:
# Vulnerability
Would you have an idea who (and how) is exactly *vulnerable* to this specific vulnerability?
openjpeg null ptr dereference in convert.c:1331 # Version 2.1.1 ( http://www.openjpeg.org/ ) # Address Sanitizer Output ASAN:SIGSEGV ================================================================= ==7358==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc 0x0815d204 bp 0xff846938 sp 0xff846380 T0) #0 0x815d203 in skip_white /home/starlab/fuzzing/openjpeg/src/bin/jp2/convert.c:1331 #1 0x8135d81 in main /home/starlab/fuzzing/openjpeg/src/bin/jp2/opj_compress.c:1723 #2 0xf7343636 in __libc_start_main ??:? #3 0x807a31b in _start ??:? # PoC See poc.ppm # Analysis In convert.c:1483 and convert.c:1485, variable s is uncheck after skip_int is called. A null ptr will be passed to skip_int again and will cause a null ptr dereference. # Report Timeline 2016-09-16: FB3F15 of STARLAB discovered this issue 2016-09-18:Patch released # Credit FB3F15 of STARLAB # PoC https://github.com/STARLABSEC/pocs/raw/master/openjpeg-nullptr-github-issue-842.ppm # External link https://github.com/uclouvain/openjpeg/issues/843
-- Robert Święcki
Current thread:
- CVE request - openjpeg null ptr dereference vul (Sep 18)
- Re: CVE request - openjpeg null ptr dereference Robert Święcki (Sep 18)
- Re: CVE request - openjpeg null ptr dereference cve-assign (Sep 18)