Date: Thu, 8 Sep 2016 03:13:15 +0000
From: winsonliu(刘科) <winsonliu@...cent.com>
To: oss-security <oss-security@...ts.openwall.com>
CC: cve-assign <cve-assign@...re.org>
Subject: CVE Request: OpenJPEG Heap Buffer Overflow Issue

Hi,

This is Ke from Tencent's Xuanwu LAB. I reported a security issue in OpenJPEG some days ago and it has been fixed now. The fix is available at https://github.com/uclouvain/openjpeg/commit/e078172b1c3f98d2219c37076b238fb759c751ea . Could you please assign a CVE number to it?

Thanks.

Regards,
Ke
Tencent's Xuanwu LAB


DESCRIPTION
==============
A Heap Buffer Overflow (Out-of-Bounds Write) issue was found in function opj_dwt_interleave_v of dwt.c. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of OpenJPEG.


CREDIT
==============
This vulnerability was discovered by Ke Liu of Tencent's Xuanwu LAB.


TESTED VERSION
==============
Master version of OpenJPEG (4a2a869)


EXCEPTION LOG
==============
==5576==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb4f0197c at pc 0xb748f7e3 bp 0xbf9c1d38 sp 0xbf9c1d30
WRITE of size 4 at 0xb4f0197c thread T0
    #0 0xb748f7e2 in opj_dwt_interleave_v src/lib/openjp2/dwt.c:268:7
    #1 0xb74761ee in opj_dwt_decode_tile src/lib/openjp2/dwt.c:609:4
    #2 0xb7474108 in opj_dwt_decode src/lib/openjp2/dwt.c:477:9
    #3 0xb77329e2 in opj_tcd_dwt_decode src/lib/openjp2/tcd.c:1619:31
    #4 0xb772ffcc in opj_tcd_decode_tile src/lib/openjp2/tcd.c:1306:20
    #5 0xb74e9a0e in opj_j2k_decode_tile src/lib/openjp2/j2k.c:8134:15
    #6 0xb7575354 in opj_j2k_decode_tiles src/lib/openjp2/j2k.c:9761:23
    #7 0xb74cee4c in opj_j2k_exec src/lib/openjp2/j2k.c:7350:43
    #8 0xb750578b in opj_j2k_decode src/lib/openjp2/j2k.c:9959:15
    #9 0xb75ca0de in opj_jp2_decode src/lib/openjp2/jp2.c:1492:8
    #10 0xb7634eb8 in opj_decode src/lib/openjp2/openjpeg.c:412:10
    #11 0x8140304 in main src/bin/jp2/opj_decompress.c:1332:10
    #12 0xb71cbaf2 in __libc_start_main /build/eglibc-X4bnBz/eglibc-2.19/csu/libc-start.c:287
    #13 0x80781eb in _start (bin/opj_decompress+0x80781eb)

0xb4f0197c is located 4 bytes to the left of 1028-byte region [0xb4f01980,0xb4f01d84)
allocated by thread T0 here:
    #0 0x8110949 in __interceptor_posix_memalign (bin/opj_decompress+0x8110949)
    #1 0xb77533dc in opj_aligned_alloc_n src/lib/openjp2/opj_malloc.c:61:7
    #2 0xb7752ed3 in opj_aligned_malloc src/lib/openjp2/opj_malloc.c:208:10
    #3 0xb7474d08 in opj_dwt_decode_tile src/lib/openjp2/dwt.c:576:22
    #4 0xb7474108 in opj_dwt_decode src/lib/openjp2/dwt.c:477:9
    #5 0xb77329e2 in opj_tcd_dwt_decode src/lib/openjp2/tcd.c:1619:31
    #6 0xb772ffcc in opj_tcd_decode_tile src/lib/openjp2/tcd.c:1306:20
    #7 0xb74e9a0e in opj_j2k_decode_tile src/lib/openjp2/j2k.c:8134:15
    #8 0xb7575354 in opj_j2k_decode_tiles src/lib/openjp2/j2k.c:9761:23
    #9 0xb74cee4c in opj_j2k_exec src/lib/openjp2/j2k.c:7350:43
    #10 0xb750578b in opj_j2k_decode src/lib/openjp2/j2k.c:9959:15
    #11 0xb75ca0de in opj_jp2_decode src/lib/openjp2/jp2.c:1492:8
    #12 0xb7634eb8 in opj_decode src/lib/openjp2/openjpeg.c:412:10
    #13 0x8140304 in main src/bin/jp2/opj_decompress.c:1332:10
    #14 0xb71cbaf2 in __libc_start_main /build/eglibc-X4bnBz/eglibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-buffer-overflow src/lib/openjp2/dwt.c:268 opj_dwt_interleave_v
Shadow bytes around the buggy address:
  0x369e02d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x369e02e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x369e02f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x369e0300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x369e0310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x369e0320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x369e0330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x369e0340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x369e0350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x369e0360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x369e0370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==5576==ABORTING
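The report above already contains everything needed to characterise the bug without touching OpenJPEG: the faulting write is 4 bytes wide, and it lands 4 bytes before a 1028-byte region, i.e. at element index -1 of a buffer holding 257 four-byte elements. The following triage helper is an added example (not part of the original post and not OpenJPEG code) that extracts those facts mechanically from the ASan text. It takes the access width as the element size, which is an assumption (ASan reports the width of the access, not the declared array type); the sample input is the relevant lines of the report quoted in this message.

```python
"""Triage helper for AddressSanitizer heap-buffer-overflow reports.

Added example, not part of the oss-security post or of OpenJPEG. It turns
"N bytes to the left/right of an M-byte region" into an element index so a
reviewer can see at a glance whether the access is an off-by-one on the
allocation, and it pairs the crash site with the allocation site.
"""
import re

# Constructed sample: the relevant lines of the ASan report from the post,
# copied verbatim. A real triage run would read the whole report from a file.
SAMPLE_REPORT = """\
==5576==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb4f0197c at pc 0xb748f7e3 bp 0xbf9c1d38 sp 0xbf9c1d30
WRITE of size 4 at 0xb4f0197c thread T0
    #0 0xb748f7e2 in opj_dwt_interleave_v src/lib/openjp2/dwt.c:268:7
    #1 0xb74761ee in opj_dwt_decode_tile src/lib/openjp2/dwt.c:609:4

0xb4f0197c is located 4 bytes to the left of 1028-byte region [0xb4f01980,0xb4f01d84)
allocated by thread T0 here:
    #0 0x8110949 in __interceptor_posix_memalign (bin/opj_decompress+0x8110949)
    #1 0xb77533dc in opj_aligned_alloc_n src/lib/openjp2/opj_malloc.c:61:7
    #2 0xb7752ed3 in opj_aligned_malloc src/lib/openjp2/opj_malloc.c:208:10
    #3 0xb7474d08 in opj_dwt_decode_tile src/lib/openjp2/dwt.c:576:22
"""

ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
FRAME_RE = re.compile(r"^\s+#(\d+) 0x[0-9a-f]+ in (\S+) (\S+)", re.M)
REGION_RE = re.compile(
    r"(0x[0-9a-f]+) is located (\d+) bytes (to the left of|to the right of|inside of) "
    r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)"
)


def triage(report: str) -> dict:
    """Parse one heap-buffer-overflow report into a small fact sheet."""
    # Everything before "allocated by" belongs to the faulting access,
    # everything after it to the allocation stack.
    head, _, alloc = report.partition("allocated by")
    access = ACCESS_RE.search(head)
    region = REGION_RE.search(head)
    if not access or not region:
        raise ValueError("not a heap-buffer-overflow report with a region line")

    kind, size, addr = access.group(1), int(access.group(2)), int(access.group(3), 16)
    distance, where = int(region.group(2)), region.group(3)
    region_size = int(region.group(4))
    start, end = int(region.group(5), 16), int(region.group(6), 16)

    # Offset of the faulting address from the start of the allocation;
    # negative means the access went before the buffer (an underflow).
    offset = addr - start
    expected = {"to the left of": -distance,
                "inside of": distance,
                "to the right of": region_size + distance}[where]
    if offset != expected or end - start != region_size:
        raise ValueError("region line and addresses disagree; report is garbled")

    crash_frames = [(f, loc) for _, f, loc in FRAME_RE.findall(head)]
    # Skip sanitizer interceptor frames so the first frame is real program code.
    alloc_frames = [(f, loc) for _, f, loc in FRAME_RE.findall(alloc)
                    if not f.startswith("__interceptor_")]

    return {
        "access": kind,
        "access_size": size,
        "region_size": region_size,
        "offset": offset,
        # Assumption: the access width is the element size of the buffer.
        # Floor division keeps a negative offset at a negative index.
        "element_index": offset // size,
        "elements_in_region": region_size // size,
        "crash_site": crash_frames[0],
        "alloc_site": alloc_frames[0],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key:>20}: {value}")
```

On the report quoted in this message the helper reports a 4-byte WRITE at offset -4, element index -1 of a 257-element region, crashing in `opj_dwt_interleave_v` on a buffer obtained through `opj_aligned_alloc_n` from `opj_dwt_decode_tile`. An index of exactly -1 on the first access before the buffer is the signature a reviewer would check against the fix commit linked above: it points at an index or size computation that is off by one element, not at an unbounded copy.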
