Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 18 Sep 2016 20:41:43 +0800
From: vul@...safe <vul@...safe.com>
To: oss-security@...ts.openwall.com
Subject: CVE request - openjpeg null ptr dereference

# Vulnerability
openjpeg null ptr dereference in convert.c:1331

# Version
2.1.1  ( http://www.openjpeg.org/ )

# Address Sanitizer Output
ASAN:SIGSEGV
=================================================================
==7358==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc
0x0815d204 bp 0xff846938 sp 0xff846380 T0)
    #0 0x815d203 in skip_white
/home/starlab/fuzzing/openjpeg/src/bin/jp2/convert.c:1331
    #1 0x8135d81 in main
/home/starlab/fuzzing/openjpeg/src/bin/jp2/opj_compress.c:1723
    #2 0xf7343636 in __libc_start_main ??:?
    #3 0x807a31b in _start ??:?

# PoC
See poc.ppm

# Analysis
In convert.c:1483 and convert.c:1485, variable s is uncheck after
skip_int is called.
A null ptr will be passed to skip_int again and will cause a null ptr
dereference.

# Report Timeline
2016-09-16: FB3F15 of STARLAB discovered this issue
2016-09-18:Patch released

# Credit
FB3F15 of STARLAB

# PoC
https://github.com/STARLABSEC/pocs/raw/master/openjpeg-nullptr-github-issue-842.ppm

# External link
https://github.com/uclouvain/openjpeg/issues/843



Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.