Date: Sun, 18 Sep 2016 20:41:43 +0800
From: vul@...safe <vul@...safe.com>
To: oss-security@...ts.openwall.com
Subject: CVE request - openjpeg null ptr dereference

# Vulnerability
openjpeg null ptr dereference in convert.c:1331

# Version
2.1.1  ( http://www.openjpeg.org/ )

# Address Sanitizer Output
ASAN:SIGSEGV
=================================================================
==7358==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc 0x0815d204 bp 0xff846938 sp 0xff846380 T0)
    #0 0x815d203 in skip_white /home/starlab/fuzzing/openjpeg/src/bin/jp2/convert.c:1331
    #1 0x8135d81 in main /home/starlab/fuzzing/openjpeg/src/bin/jp2/opj_compress.c:1723
    #2 0xf7343636 in __libc_start_main ??:?
    #3 0x807a31b in _start ??:?

# PoC
See poc.ppm

# Analysis
In convert.c:1483 and convert.c:1485, variable s is unchecked after
skip_int is called.
A null ptr will be passed to skip_int again and will cause a null ptr
dereference.

# Report Timeline
2016-09-16: FB3F15 of STARLAB discovered this issue
2016-09-18: Patch released

# Credit
FB3F15 of STARLAB

# PoC
https://github.com/STARLABSEC/pocs/raw/master/openjpeg-nullptr-github-issue-842.ppm

# External link
https://github.com/uclouvain/openjpeg/issues/843
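Added illustration of the bug class described in the analysis above; this is not code from the report or from openjpeg. It is a toy header scanner whose function names (skip_white, skip_int) mirror the ones in the ASAN trace, but whose bodies are hypothetical. It shows the unchecked pattern the report describes (a NULL returned by one skip_int stored back into s and handed to the next call, which dereferences it inside skip_white) next to a checked version that fails cleanly on truncated input.

```c
/* Toy PPM-style header scanner (hypothetical; not openjpeg's convert.c).
 * Demonstrates why a tokenizer that returns NULL at end of input must
 * have every return value checked before it is passed on. */
#include <stddef.h>
#include <stdio.h>
#include <ctype.h>

/* Advance past whitespace. Returns NULL once the buffer is exhausted.
 * A NULL `s` arriving here is the crash the ASAN trace shows. */
static const char *skip_white(const char *s)
{
    while (*s != '\0' && isspace((unsigned char)*s))
        s++;
    return *s == '\0' ? NULL : s;
}

/* Parse one decimal integer after optional whitespace.
 * Returns the position just past the digits, or NULL if the input
 * ended or no digits were present. */
static const char *skip_int(const char *s, int *out)
{
    s = skip_white(s);          /* dereferences s: NULL here is fatal */
    if (s == NULL || !isdigit((unsigned char)*s))
        return NULL;
    *out = 0;
    while (isdigit((unsigned char)*s)) {
        *out = *out * 10 + (*s - '0');
        s++;
    }
    return s;
}

/* Unchecked pattern (the shape the report describes): the return value
 * is stored back into s without a NULL check and fed to the next call.
 * On input such as "640 480" the second call returns NULL and the third
 * call passes it to skip_white, which dereferences it (SIGSEGV). */
static int parse_header_unchecked(const char *s, int *w, int *h, int *maxval)
{
    s = skip_int(s, w);
    s = skip_int(s, h);
    s = skip_int(s, maxval);
    return s != NULL;
}

/* Checked version: every step's result is tested before reuse, so
 * truncated or malformed headers are rejected instead of crashing. */
static int parse_header_checked(const char *s, int *w, int *h, int *maxval)
{
    if ((s = skip_int(s, w)) == NULL) return 0;
    if ((s = skip_int(s, h)) == NULL) return 0;
    if ((s = skip_int(s, maxval)) == NULL) return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample inputs: one complete header, one truncated. */
    const char *good = "640 480 255";
    const char *truncated = "640 480";
    int w = 0, h = 0, m = 0;

    if (parse_header_checked(good, &w, &h, &m))
        printf("ok: %dx%d maxval %d\n", w, h, m);
    if (!parse_header_checked(truncated, &w, &h, &m))
        printf("rejected truncated header (no crash)\n");
    /* parse_header_unchecked(truncated, ...) would dereference NULL. */
    return 0;
}
```

Only the checked parser is safe to call on the truncated sample; the unchecked one is kept in the block to make the failing control flow visible, and is exercised only on complete input.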
