
CVE-2016-9112 FPE(Floating Point Exception) in lib/openjp2/pi.c:523 #855

Closed
YangY-Xiao opened this issue Oct 27, 2016 · 3 comments

YangY-Xiao commented Oct 27, 2016

Vulnerability
openjpeg FPE in pi.c:523

Version
openjpeg-2.1.2

AddressSanitizer Output
==11185==ERROR: AddressSanitizer: FPE on unknown address 0xb769d99f (pc 0xb769d99f bp 0xbfcb50c8 sp 0xbfcb5050 T0)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE (/home/yang/openjpeg/openjpeg-2.1.2/build-clang/bin/libopenjp2.so.7+0x7599e)

GDB information
Program received signal SIGFPE, Arithmetic exception.
0xb7fb62ed in opj_pi_next_cprl (pi=0x807dfb8) at /home/yang/openjpeg/openjpeg-2.1.2/src/lib/openjp2/pi.c:523
523 if (!((pi->y % (OPJ_INT32)(comp->dy << rpy) == 0) || ((pi->y == pi->ty0) && ((try0 << levelno) % (1 << rpy))))){
(gdb) p comp->dy
$1 = 8
(gdb) p rpy
$2 = 31
(gdb) p comp->dy << rpy
$3 = 0

Analysis
In pi.c, (OPJ_INT32)(comp->dy << rpy) = 0, and the program does not check the value of (OPJ_INT32)(comp->dy << rpy).

PoC
Contact me if you need the PoC file at [email protected]
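As an added illustration (not code from the report or from openjpeg), the C below shows why the GDB values above produce a zero divisor: `8 << 31` drops its only set bit in 32-bit unsigned arithmetic. It also shows a hypothetical guarded helper that rejects such a step before it reaches the modulo at pi.c:523; the `OPJ_*` typedefs are assumed to match openjpeg's, and the helper names are this example's own.

```c
#include <stdint.h>
#include <stdbool.h>

/* Assumed to mirror openjpeg: comp->dy and rpy are OPJ_UINT32, pi->y is OPJ_INT32. */
typedef uint32_t OPJ_UINT32;
typedef int32_t  OPJ_INT32;

/* The unguarded sub-expression from pi.c:523. With dy = 8 and rpy = 31 the
 * single set bit is shifted out of the 32-bit word and the result is 0. */
static OPJ_UINT32 unguarded_step(OPJ_UINT32 dy, OPJ_UINT32 rpy) {
    return dy << rpy;
}

/* Hypothetical guarded version: returns false (leaving *step untouched) when
 * dy << rpy cannot be represented in 32 bits, so the caller can reject the
 * codestream instead of dividing by zero. */
static bool checked_step(OPJ_UINT32 dy, OPJ_UINT32 rpy, OPJ_UINT32 *step) {
    if (dy == 0 || rpy >= 32) return false;        /* shift width out of range */
    if (dy > (UINT32_MAX >> rpy)) return false;    /* high bits would be lost */
    *step = dy << rpy;
    return true;
}

/* Safe evaluation of the first operand of the pi.c:523 condition.
 * Returns -1 when the step is invalid, 1 when y lies on a step boundary, 0 otherwise. */
static int y_on_step_boundary(OPJ_INT32 y, OPJ_UINT32 dy, OPJ_UINT32 rpy) {
    OPJ_UINT32 step;
    if (!checked_step(dy, rpy, &step)) return -1;
    if (step > (OPJ_UINT32)INT32_MAX) return -1;   /* the OPJ_INT32 cast would go negative */
    return (y % (OPJ_INT32)step == 0) ? 1 : 0;
}
```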

YangY-Xiao (Author) commented

The same bug can occur in openjp2\pi.c(line 363, line 366, line 444, line 447, line 526); openjp3d\pi.c(line 218, line 221, line 224, line 312, line 315, line 318, line 403, line 406, line 409); openmj2\pi.c(line 218, line 221, line 299, line 302, line 378, line 381).

1ucian0 commented Dec 3, 2016

Please, refer to this issue as CVE-2016-9112

@YangY-Xiao YangY-Xiao changed the title FPE(Floating Point Exception) in lib/openjp2/pi.c:523 CVE-2016-9112 FPE(Floating Point Exception) in lib/openjp2/pi.c:523 Apr 24, 2017
rouault (Collaborator) commented Jul 29, 2017

Likely fixed per d27ccf0 and later commits in pi.c

@rouault rouault closed this as completed Jul 29, 2017
@detonin detonin added the bug label Aug 3, 2017