heap-buffer-overflow at lib/openjp2/j2k.c:8460:84 in opj_j2k_add_tlmarker in openjpeg/opj_decompress #1564

Closed
Frank-Z7 opened this issue Nov 25, 2024 · 0 comments · Fixed by #1565

@Frank-Z7

Description

Dear developers,

We found the following heap buffer overflow bug in openjpeg; please confirm.

This bug is triggered when we use opj_decompress with the -t option and its argument set to 1.

The latest version v2.5.2 also has this vulnerability.

Version

# ./bin/opj_decompress -h
This is the opj_decompress utility from the OpenJPEG project.
It decompresses JPEG 2000 codestreams to various image formats.
It has been compiled against openjp2 library v2.5.2.

Reproduction

git clone https://github.com/uclouvain/openjpeg.git
cd openjpeg
cmake . -DCMAKE_BUILD_TYPE=Debug \
-DCMAKE_C_COMPILER=clang \
-DCMAKE_CXX_COMPILER=clang++ \
-DCMAKE_C_FLAGS="-fsanitize=address" \
-DCMAKE_CXX_FLAGS="-fsanitize=address"
make -j20

./bin/opj_decompress -i poc2openjpeg -o tmp.pnm -t 1

ASAN Log

./bin/opj_decompress -i poc2openjpeg -o tmp.pnm -t 1

=================================================================
==4004218==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000016a8 at pc 0x7f8a2d0491f6 bp 0x7fff212eadd0 sp 0x7fff212eadc8
WRITE of size 8 at 0x6030000016a8 thread T0
    #0 0x7f8a2d0491f5 in opj_j2k_add_tlmarker /openjpeg/src/lib/openjp2/j2k.c:8460:84
    #1 0x7f8a2d045813 in opj_j2k_read_tile_header /openjpeg/src/lib/openjp2/j2k.c:9862:30
    #2 0x7f8a2d08414b in opj_j2k_decode_one_tile /openjpeg/src/lib/openjp2/j2k.c:12229:15
    #3 0x7f8a2d042668 in opj_j2k_exec /openjpeg/src/lib/openjp2/j2k.c:9177:33
    #4 0x7f8a2d059aa2 in opj_j2k_get_tile /openjpeg/src/lib/openjp2/j2k.c:12524:11
    #5 0x7f8a2d0b5777 in opj_get_decoded_tile /openjpeg/src/lib/openjp2/openjpeg.c:628:16
    #6 0x55fcd4fbe682 in main /openjpeg/src/bin/jp2/opj_decompress.c:1601:18
    #7 0x7f8a2cc9bd8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
    #8 0x7f8a2cc9be3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
    #9 0x55fcd4efa544 in _start (/openjpeg/bin/opj_decompress+0x27544) (BuildId: e80f8792cc97998ba478d7e96d59085d10b53f68)

Address 0x6030000016a8 is a wild pointer inside of access range of size 0x000000000008.
SUMMARY: AddressSanitizer: heap-buffer-overflow /openjpeg/src/lib/openjp2/j2k.c:8460:84 in opj_j2k_add_tlmarker
Shadow bytes around the buggy address:
  0x0c067fff8280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff82a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff82b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff82c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fff82d0: fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa
  0x0c067fff82e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff82f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4004218==ABORTING

PoC

poc2openjpeg: https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/poc2openjpeg

Reference

https://github.com/uclouvain/openjpeg

Environment

ubuntu:22.04
gcc version 11.4.0 (Ubuntu 11.4.0-1ubuntu1~22.04)
clang version 14.0.0-1ubuntu1.1
afl-fuzz++4.22a

Thanks for your time!
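A triage helper for reports like the one above, added here as an example and not taken from the issue or from the openjpeg project: it parses the sanitizer header, the access line and the stack frames into structured fields and derives a dedup key from the top in-project frames, so fuzzer findings that land at the same location (as several PoCs for one bug typically do) can be grouped before anyone reads them by hand. The sample report is constructed from the frames quoted in this issue.

```python
import re

# Constructed sample: header, access line and frames of the ASAN report quoted in this issue
# (frames #4, #5 and #8 dropped for brevity). Nothing here is openjpeg project code.
ASAN_REPORT = """\
==4004218==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000016a8 at pc 0x7f8a2d0491f6 bp 0x7fff212eadd0 sp 0x7fff212eadc8
WRITE of size 8 at 0x6030000016a8 thread T0
    #0 0x7f8a2d0491f5 in opj_j2k_add_tlmarker /openjpeg/src/lib/openjp2/j2k.c:8460:84
    #1 0x7f8a2d045813 in opj_j2k_read_tile_header /openjpeg/src/lib/openjp2/j2k.c:9862:30
    #2 0x7f8a2d08414b in opj_j2k_decode_one_tile /openjpeg/src/lib/openjp2/j2k.c:12229:15
    #3 0x7f8a2d042668 in opj_j2k_exec /openjpeg/src/lib/openjp2/j2k.c:9177:33
    #6 0x55fcd4fbe682 in main /openjpeg/src/bin/jp2/opj_decompress.c:1601:18
    #7 0x7f8a2cc9bd8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 490fef8403240c91833978d494d39e537409b92e)
    #9 0x55fcd4efa544 in _start (/openjpeg/bin/opj_decompress+0x27544) (BuildId: e80f8792cc97998ba478d7e96d59085d10b53f68)
SUMMARY: AddressSanitizer: heap-buffer-overflow /openjpeg/src/lib/openjp2/j2k.c:8460:84 in opj_j2k_add_tlmarker
"""

HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address 0x[0-9a-f]+")
ACCESS_RE = re.compile(r"^(?P<access>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-f]+ thread T\d+", re.M)
# A frame is either "in func /path/file.c:line:col" (debug info) or "(module+offset)" (stripped code).
FRAME_RE = re.compile(
    r"^\s*#\d+ 0x[0-9a-f]+\s+(?:in (?P<func>\S+)\s+)?"
    r"(?:(?P<file>/[^\s:]+):(?P<line>\d+)|\((?P<mod>[^)+]+)\+0x[0-9a-f]+\))", re.M)

def parse_asan_report(text):
    """Extract the fields triage keys on; return None if the text is not an ASAN error report."""
    header = HEADER_RE.search(text)
    if header is None:
        return None
    access = ACCESS_RE.search(text)
    frames = []
    for m in FRAME_RE.finditer(text):
        func = m.group("func") or "?"
        if m.group("file"):
            frames.append((func, m.group("file"), int(m.group("line"))))  # column dropped
        else:
            frames.append((func, m.group("mod"), None))                   # no debug info
    return {"kind": header.group("kind"),
            "access": access.group("access") if access else None,
            "size": int(access.group("size")) if access else None, "frames": frames}

def crash_signature(report, depth=3):
    """Dedup key: bug kind, access kind/size and the top `depth` frames with source locations.
    Addresses, columns and frames without debug info (libc, _start) are dropped for stability."""
    located = [f for f in report["frames"] if f[2] is not None]
    top = "|".join(f"{func}@{path}:{line}" for func, path, line in located[:depth])
    return f"{report['kind']}:{report['access']}:{report['size']}:{top}"
```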

rouault added a commit to rouault/openjpeg that referenced this issue Nov 25, 2024
@rouault rouault self-assigned this Nov 25, 2024
github-actions bot pushed a commit to Boeing/meta-openembedded-contrib that referenced this issue Jan 23, 2025
CVE-2024-56827:
A flaw was found in the OpenJPEG project. A heap buffer overflow
condition may be triggered when certain options are specified while
using the opj_decompress utility. This can lead to an application crash
or other undefined behavior.

Reference:
[https://nvd.nist.gov/vuln/detail/CVE-2024-56827]
[uclouvain/openjpeg#1564]

Upstream patches:
[uclouvain/openjpeg@e492644]

Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>