Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Heap buffer overflow in libopenjp2 #1228

Closed
sebastianpoeplau opened this issue Jan 10, 2020 · 3 comments
Closed

Heap buffer overflow in libopenjp2 #1228

sebastianpoeplau opened this issue Jan 10, 2020 · 3 comments

Comments

@sebastianpoeplau
Copy link

Hi,

I found a heap buffer overflow that affects at least version 2.3.1 and current master (ac37373). On a regular build of openjpeg (in my case, the one shipped by Arch Linux), it leads to a crash; when building the project with address sanitizer, I get the following report:

$ bin/opj_decompress -i ../openjpeg_poc -o /tmp/image_verification.pgm

===========================================
The extension of this file is incorrect.
FOUND 1682. SHOULD BE .jp2
===========================================

[INFO] Start to read j2k main header (1277).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[INFO] Header of tile 1 / 33 has been read.
=================================================================
==31465==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700000021c at pc 0x7fb82957229f bp 0x7ffe4b153d50 sp 0x7ffe4b153d48
WRITE of size 4 at 0x60700000021c thread T0
    #0 0x7fb82957229e in opj_t1_clbl_decode_processor (/home/seba/tested_software/openjpeg_master/build_asan/bin/libopenjp2.so.7+0x9f29e)
    #1 0x7fb8294e9a6c in opj_thread_pool_submit_job (/home/seba/tested_software/openjpeg_master/build_asan/bin/libopenjp2.so.7+0x16a6c)
    #2 0x7fb829566891 in opj_t1_decode_cblks (/home/seba/tested_software/openjpeg_master/build_asan/bin/libopenjp2.so.7+0x93891)
    #3 0x7fb8295b8790 in opj_tcd_decode_tile (/home/seba/tested_software/openjpeg_master/build_asan/bin/libopenjp2.so.7+0xe5790)
    #4 0x7fb82951e632 in opj_j2k_decode_tile (/home/seba/tested_software/openjpeg_master/build_asan/bin/libopenjp2.so.7+0x4b632)
    #5 0x7fb829538e1e in opj_j2k_decode_tiles (/home/seba/tested_software/openjpeg_master/build_asan/bin/libopenjp2.so.7+0x65e1e)
    #6 0x7fb829524105 in opj_j2k_decode (/home/seba/tested_software/openjpeg_master/build_asan/bin/libopenjp2.so.7+0x51105)
    #7 0x7fb82954385b in opj_jp2_decode (/home/seba/tested_software/openjpeg_master/build_asan/bin/libopenjp2.so.7+0x7085b)
    #8 0x50e5d7 in main (/home/seba/tested_software/openjpeg_master/build_asan/bin/opj_decompress+0x50e5d7)
    #9 0x7fb82914d09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #10 0x42f6f9 in _start (/home/seba/tested_software/openjpeg_master/build_asan/bin/opj_decompress+0x42f6f9)

0x60700000021c is located 0 bytes to the right of 60-byte region [0x6070000001e0,0x60700000021c)
allocated by thread T0 here:
    #0 0x4dbd79 in __interceptor_posix_memalign (/home/seba/tested_software/openjpeg_master/build_asan/bin/opj_decompress+0x4dbd79)
    #1 0x7fb8295c4f8f in opj_aligned_malloc (/home/seba/tested_software/openjpeg_master/build_asan/bin/libopenjp2.so.7+0xf1f8f)
    #2 0x7fb8295b7b4a in opj_tcd_decode_tile (/home/seba/tested_software/openjpeg_master/build_asan/bin/libopenjp2.so.7+0xe4b4a)
    #3 0x7fb82951e632 in opj_j2k_decode_tile (/home/seba/tested_software/openjpeg_master/build_asan/bin/libopenjp2.so.7+0x4b632)
    #4 0x7fb829538e1e in opj_j2k_decode_tiles (/home/seba/tested_software/openjpeg_master/build_asan/bin/libopenjp2.so.7+0x65e1e)
    #5 0x7fb829524105 in opj_j2k_decode (/home/seba/tested_software/openjpeg_master/build_asan/bin/libopenjp2.so.7+0x51105)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/seba/tested_software/openjpeg_master/build_asan/bin/libopenjp2.so.7+0x9f29e) in opj_t1_clbl_decode_processor
Shadow bytes around the buggy address:
  0x0c0e7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0e7fff8000: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 fa fa
  0x0c0e7fff8010: fa fa 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0e7fff8020: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa 00 00
  0x0c0e7fff8030: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
=>0x0c0e7fff8040: 00 00 00[04]fa fa fa fa fa fa 00 00 00 00 00 00
  0x0c0e7fff8050: 00 04 fa fa fa fa fa fa 00 00 00 00 00 00 00 04
  0x0c0e7fff8060: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fa
  0x0c0e7fff8070: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 fa fa
  0x0c0e7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==31465==ABORTING

For the report, I built with Clang 8.0.1 on Debian stable, using CFLAGS=-fsanitize=address and CXXFLAGS=-fsanitize=address, and calling CMake with -DBUILD_THIRDPARTY=ON -DCMAKE_BUILD_TYPE=Release.

The crashing input is available here. Since I believe this may be exploitable, I would like to request a CVE.

Let me know if I can help with more information. Thank you!
rouault added a commit to rouault/openjpeg that referenced this issue Jan 11, 2020
@rouault
opj_j2k_update_image_dimensions(): reject images whose coordinates ar…
d7064fa 
…e beyond INT_MAX (fixes uclouvain#1228)
rouault added a commit that referenced this issue Jan 11, 2020
@rouault
Merge pull request #1229 from rouault/fix_1228
46c1eff 
opj_j2k_update_image_dimensions(): reject images whose coordinates are beyond INT_MAX (fixes #1228)
@sebastianpoeplau
Copy link
Author

Great, thanks for the fast reaction!

@sebastianpoeplau
Copy link
Author

CVE 2020-6851 was assigned.

@kloczek
Copy link

kloczek commented Jan 18, 2020

Any chance to make quickly new release after commitong that fix?

@sebastianpoeplau sebastianpoeplau mentioned this issue Jan 28, 2020
Closed
This was referenced Mar 12, 2020
Merged
Merged
Merged
andreafioraldi added a commit to andreafioraldi/oss-fuzz that referenced this issue Feb 17, 2021
@andreafioraldi
[openjpeg] Release cmake build type
6433d21 
Seems that some bugs in openjpeg can be triggered only in release mode.
More specifically, I was trying to reproduce uclouvain/openjpeg#1228 using the OSS-Fuzz harness and I failed.
I figured out that the bug is indeed reachable by the harness, but can be uncovered only in Release mode, otherwise, an assertion error blocks it.
I guess that they use assertions only in Debug mode (WTF) and remove them in Release.
So, IMO openjpeg should be fuzzed in Release mode as the configuration used in production is the one relevant for security.
@andreafioraldi andreafioraldi mentioned this issue Feb 17, 2021
Merged
inferno-chromium pushed a commit to google/oss-fuzz that referenced this issue Feb 18, 2021
@andreafioraldi
[openjpeg] Release cmake build type (#5209)
f682792 
Seems that some bugs in openjpeg can be triggered only in release mode.
More specifically, I was trying to reproduce uclouvain/openjpeg#1228 using the OSS-Fuzz harness and I failed.
I figured out that the bug is indeed reachable by the harness, but can be uncovered only in Release mode, otherwise, an assertion error blocks it.
I guess that they use assertions only in Debug mode (WTF) and remove them in Release.
So, IMO openjpeg should be fuzzed in Release mode as the configuration used in production is the one relevant for security.
mtremer pushed a commit to ipfire/ipfire-2.x that referenced this issue Apr 29, 2022
@pmu-ipf
openjpeg: Update to version 2.4.0
ca98d29 
- Update from version 2.3.1 to 2.4.0
- Update of rootfile
- Changelog
    2.4.0
	**Closed issues:**
		- OPENJPEG\_INSTALL\_DOC\_DIR does not control a destination directory where HTML docs would be installed. [\#1309](uclouvain/openjpeg#1309)
		- Heap-buffer-overflow in lib/openjp2/pi.c:312 [\#1302](uclouvain/openjpeg#1302)
		- Heap-buffer-overflow in lib/openjp2/t2.c:973 [\#1299](uclouvain/openjpeg#1299)
		- Heap-buffer-overflow in lib/openjp2/pi.c:623 [\#1293](uclouvain/openjpeg#1293)
		- Global-buffer-overflow in lib/openjp2/dwt.c:1980 [\#1286](uclouvain/openjpeg#1286)
		- Heap-buffer-overflow in lib/openjp2/tcd.c:2417 [\#1284](uclouvain/openjpeg#1284)
		- Heap-buffer-overflow in lib/openjp2/mqc.c:499 [\#1283](uclouvain/openjpeg#1283)
		- Openjpeg could not encode 32bit RGB float image [\#1281](uclouvain/openjpeg#1281)
		- Openjpeg could not encode 32bit RGB float image [\#1280](uclouvain/openjpeg#1280)
		- ISO/IEC 15444-1:2019 \(E\) compared with 'cio.h' [\#1277](uclouvain/openjpeg#1277)
		- Test-suite failure due to hash mismatch [\#1264](uclouvain/openjpeg#1264)
		- Heap use-after-free [\#1261](uclouvain/openjpeg#1261)
		- Memory leak when failing to allocate object... [\#1259](uclouvain/openjpeg#1259)
		- Memory leak of Tier 1 handle when OpenJPEG fails to set it as TLS... [\#1257](uclouvain/openjpeg#1257)
		- Any plan to build release for CVE-2020-8112/CVE-2020-6851 [\#1247](uclouvain/openjpeg#1247)
		- failing to convert 16-bit file: opj\_t2\_encode\_packet\(\): only 5251 bytes remaining in output buffer. 5621 needed. [\#1243](uclouvain/openjpeg#1243)
		- CMake+VS2017 Compile OK, thirdparty Compile OK, but thirdparty not install [\#1239](uclouvain/openjpeg#1239)
		- New release to solve CVE-2019-6988 ? [\#1238](uclouvain/openjpeg#1238)
		- Many tests fail to pass after the update of libtiff to version 4.1.0 [\#1233](uclouvain/openjpeg#1233)
		- Another heap buffer overflow in libopenjp2 [\#1231](uclouvain/openjpeg#1231)
		- Heap buffer overflow in libopenjp2 [\#1228](uclouvain/openjpeg#1228)
		- Endianness of binary volume \(JP3D\) [\#1224](uclouvain/openjpeg#1224)
		- New release to resolve CVE-2019-12973 [\#1222](uclouvain/openjpeg#1222)
		- how to set the block size,like 128,256 ? [\#1216](uclouvain/openjpeg#1216)
		- compress YUV files to motion jpeg2000 standard [\#1213](uclouvain/openjpeg#1213)
		- Repair/update Java wrapper, and include in release [\#1208](uclouvain/openjpeg#1208)
		- abc [\#1206](uclouvain/openjpeg#1206)
		- Slow decoding [\#1202](uclouvain/openjpeg#1202)
		- Installation question [\#1201](uclouvain/openjpeg#1201)
		- Typo in test\_decode\_area - \*ptilew is assigned instead of \*ptileh [\#1195](uclouvain/openjpeg#1195)
		- Creating a J2K file with one POC is broken [\#1191](uclouvain/openjpeg#1191)
		- Make fails on Arch Linux [\#1174](uclouvain/openjpeg#1174)
		- Heap buffer overflow in opj\_t1\_clbl\_decode\_processor\(\) triggered with Ghostscript [\#1158](uclouvain/openjpeg#1158)
		- opj\_stream\_get\_number\_byte\_left: Assertion `p\_stream-\>m\_byte\_offset \>= 0' failed. [\#1151](uclouvain/openjpeg#1151)
		- The fuzzer ignores too many inputs [\#1079](uclouvain/openjpeg#1079)
		- out of bounds read [\#1068](uclouvain/openjpeg#1068)
	**Merged pull requests:**
		- Change defined WIN32 [\#1310](uclouvain/openjpeg#1310) ([Jamaika1](https://github.com/Jamaika1))
		- docs: fix simple typo, producted -\> produced [\#1308](uclouvain/openjpeg#1308) ([timgates42](https://github.com/timgates42))
		- Set ${OPENJPEG\_INSTALL\_DOC\_DIR} to DESTINATION of HTMLs [\#1307](uclouvain/openjpeg#1307) ([lemniscati](https://github.com/lemniscati))
		- Use INC\_DIR for OPENJPEG\_INCLUDE\_DIRS \(fixes uclouvain\#1174\) [\#1306](uclouvain/openjpeg#1306) ([matthew-sharp](https://github.com/matthew-sharp))
		- pi.c: avoid out of bounds access with POC \(fixes \#1302\) [\#1304](uclouvain/openjpeg#1304) ([rouault](https://github.com/rouault))
		- Encoder: grow again buffer size [\#1303](uclouvain/openjpeg#1303) ([zodf0055980](https://github.com/zodf0055980))
		- opj\_j2k\_write\_sod\(\): avoid potential heap buffer overflow \(fixes \#1299\) \(probably master only\) [\#1301](uclouvain/openjpeg#1301) ([rouault](https://github.com/rouault))
		- pi.c: avoid out of bounds access with POC \(refs https://github.com/uclouvain/openjpeg/issues/1293\#issuecomment-737122836\) [\#1300](uclouvain/openjpeg#1300) ([rouault](https://github.com/rouault))
		- opj\_t2\_encode\_packet\(\): avoid out of bound access of \#1297, but likely not the proper fix [\#1298](uclouvain/openjpeg#1298) ([rouault](https://github.com/rouault))
		- opj\_t2\_encode\_packet\(\): avoid out of bound access of \#1294, but likely not the proper fix [\#1296](uclouvain/openjpeg#1296) ([rouault](https://github.com/rouault))
		- opj\_j2k\_setup\_encoder\(\): validate POC compno0 and compno1 \(fixes \#1293\) [\#1295](uclouvain/openjpeg#1295) ([rouault](https://github.com/rouault))
		- Encoder: avoid global buffer overflow on irreversible conversion when… [\#1292](uclouvain/openjpeg#1292) ([rouault](https://github.com/rouault))
		- Decoding: deal with some SPOT6 images that have tiles with a single tile-part with TPsot == 0 and TNsot == 0, and with missing EOC [\#1291](uclouvain/openjpeg#1291) ([rouault](https://github.com/rouault))
		- Free p\_tcd\_marker\_info to avoid memory leak [\#1288](uclouvain/openjpeg#1288) ([zodf0055980](https://github.com/zodf0055980))
		- Encoder: grow again buffer size [\#1287](uclouvain/openjpeg#1287) ([zodf0055980](https://github.com/zodf0055980))
		- Encoder: avoid uint32 overflow when allocating memory for codestream buffer \(fixes \#1243\) [\#1276](uclouvain/openjpeg#1276) ([rouault](https://github.com/rouault))
		- Java compatibility from 1.5 to 1.6 [\#1263](uclouvain/openjpeg#1263) ([jiapei100](https://github.com/jiapei100))
		- opj\_decompress: fix double-free on input directory with mix of valid and invalid images [\#1262](uclouvain/openjpeg#1262) ([rouault](https://github.com/rouault))
		- openjp2: Plug image leak when failing to allocate codestream index. [\#1260](uclouvain/openjpeg#1260) ([sebras](https://github.com/sebras))
		- openjp2: Plug memory leak when setting data as TLS fails. [\#1258](uclouvain/openjpeg#1258) ([sebras](https://github.com/sebras))
		- openjp2: Error out if failing to create Tier 1 handle. [\#1256](uclouvain/openjpeg#1256) ([sebras](https://github.com/sebras))
		- Testing for invalid values of width, height, numcomps [\#1254](uclouvain/openjpeg#1254) ([szukw000](https://github.com/szukw000))
		- Single-threaded performance improvements in forward DWT for 5-3 and 9-7 \(and other improvements\) [\#1253](uclouvain/openjpeg#1253) ([rouault](https://github.com/rouault))
		- Add support for multithreading in encoder [\#1248](uclouvain/openjpeg#1248) ([rouault](https://github.com/rouault))
		- Add support for generation of PLT markers in encoder [\#1246](uclouvain/openjpeg#1246) ([rouault](https://github.com/rouault))
		- Fix warnings about signed/unsigned casts in pi.c [\#1244](uclouvain/openjpeg#1244) ([rouault](https://github.com/rouault))
		- opj\_decompress: add sanity checks to avoid segfault in case of decoding error [\#1240](uclouvain/openjpeg#1240) ([rouault](https://github.com/rouault))
		- ignore wrong icc [\#1236](uclouvain/openjpeg#1236) ([szukw000](https://github.com/szukw000))
		- Implement writing of IMF profiles [\#1235](uclouvain/openjpeg#1235) ([rouault](https://github.com/rouault))
		- tests: add alternate checksums for libtiff 4.1 [\#1234](uclouvain/openjpeg#1234) ([rouault](https://github.com/rouault))
		- opj\_tcd\_init\_tile\(\): avoid integer overflow [\#1232](uclouvain/openjpeg#1232) ([rouault](https://github.com/rouault))
		- tests/fuzzers: link fuzz binaries using $LIB\_FUZZING\_ENGINE. [\#1230](uclouvain/openjpeg#1230) ([Dor1s](https://github.com/Dor1s))
		- opj\_j2k\_update\_image\_dimensions\(\): reject images whose coordinates are beyond INT\_MAX \(fixes \#1228\) [\#1229](uclouvain/openjpeg#1229) ([rouault](https://github.com/rouault))
		- Fix resource leaks [\#1226](uclouvain/openjpeg#1226) ([dodys](https://github.com/dodys))
		- abi-check.sh: fix false postive ABI error, and display output error log [\#1218](uclouvain/openjpeg#1218) ([rouault](https://github.com/rouault))
		- pi.c: avoid integer overflow, resulting in later invalid access to memory in opj\_t2\_decode\_packets\(\) [\#1217](uclouvain/openjpeg#1217) ([rouault](https://github.com/rouault))
		- Add check to validate SGcod/SPcoc/SPcod parameter values. [\#1211](uclouvain/openjpeg#1211) ([sebras](https://github.com/sebras))
		- Fix buffer overflow reading an image file less than four characters [\#1196](uclouvain/openjpeg#1196) ([robert-ancell](https://github.com/robert-ancell))
		- compression: emit POC marker when only one single POC is requested \(f… [\#1192](uclouvain/openjpeg#1192) ([rouault](https://github.com/rouault))
		- Fix several potential vulnerabilities  [\#1185](uclouvain/openjpeg#1185) ([Young-X](https://github.com/Young-X))
		- openjp2/j2k: Report error if all wanted components are not decoded. [\#1164](uclouvain/openjpeg#1164) ([sebras](https://github.com/sebras))

Signed-off-by: Adolf Belka <[email protected]>
Reviewed-by: Peter Müller <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sebastianpoeplau @kloczek