'[oss-security] openjpeg: invalid memory write in tgatoimage (convert.c)'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] openjpeg: invalid memory write in tgatoimage (convert.c)
From:       "Agostino Sarubbo" <ago () gentoo ! org>
Date:       2017-08-28 14:29:32
Message-ID: 1380.82969667153-sendEmail () localhost
[Download RAW message or body]

------MIME delimiter for sendEmail-601006.632977263
Content-Type: text/plain;
        charset="UTF-8"
Content-Transfer-Encoding: 7bit

Description:
openjpeg is an open-source JPEG 2000 library.

The complete ASan output of the issue:

# opj_compress -r 20,10,1 -jpip -EPH -SOP -cinema2K 24 -n 1 -i $FILE -o null.j2k
ASAN:DEADLYSIGNAL                                                                               \
 =================================================================                              \
 ==13239==ERROR: AddressSanitizer: SEGV on unknown address 0x7f4f2e9b4800 (pc 0x00000052264a bp \
0x7ffff176def0 sp 0x7ffff176dde0 T0)                                                            \
 ==13239==The signal is caused by a WRITE memory access.                                        \
  #0 0x522649 in tgatoimage \
/var/tmp/portage/media-libs/openjpeg-9999/work/openjpeg-9999/src/bin/jp2/convert.c:928:45       \
  #1 0x50b4e6 in main \
/var/tmp/portage/media-libs/openjpeg-9999/work/openjpeg-9999/src/bin/jp2/opj_compress.c:1881:21 \
  #2 0x7f5de2316680 in __libc_start_main \
/var/tmp/portage/sys-libs/glibc-2.23-r4/work/glibc-2.23/csu/../csu/libc-start.c:289             \
  #3 0x41bc18 in _start (/usr/bin/opj_compress+0x41bc18)                                        \
  
AddressSanitizer can not provide additional info.                                               \
                
SUMMARY: AddressSanitizer: SEGV \
/var/tmp/portage/media-libs/openjpeg-9999/work/openjpeg-9999/src/bin/jp2/convert.c:928:45 in \
tgatoimage                                                                            \
==13239==ABORTING                                                                               \
 CINEMA 2K profile activated                                                                    \
 Other options specified could be overridden

Affected version:
Master at 2017-08-17 and maybe paste releases

Fixed version:
N/A

Commit fix:
https://github.com/uclouvain/openjpeg/commit/2cd30c2b06ce332dede81cccad8b334cde997281

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
Waiting for a CVE assignment

Reproducer:
https://github.com/asarubbo/poc/blob/master/00326-openjpeg-invalidwrite-tgatoimage

Timeline:
2017-08-17: bug discovered and reported to upstream
2017-08-28: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.
This bug was identified with bare metal servers donated by Packet. This work is also supported \
by the Core Infrastructure Initiative.

Permalink:
https://blogs.gentoo.org/ago/2017/08/28/openjpeg-invalid-memory-write-in-tgatoimage-convert-c/

--
Agostino Sarubbo
Gentoo Linux Developer


------MIME delimiter for sendEmail-601006.632977263--


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic