Denial of service (crash) due to use-after-free when decoding an illegal JPEG2000 image file v2.1.2 (2017-04 #880
Comments
both #879 and #880 have been refused in opj_j2k_read_siz() :

```
bin/opj_decompress -o out.png -i /tmp/ISSUE879-poc1.j2k
[INFO] Start to read j2k main header (0).
bin/opj_decompress -o out.png -i /tmp/ISSUE880-poc2.j2k
[INFO] Start to read j2k main header (0).
```

winfried

Re: OpenJPEG: I cloned the github code again (branch master), re-compiled, tried my examples (which I downloaded from the github issues) and they crash. Here's the environment I'm using to compile: Ubuntu 14.04

Just to be sure that nothing is wrong with the POC files themselves, here are their SHA1 digests:

```
$ sha1sum poc*.j2k
```

We also found a use-after-free problem. We have a patch in our openjpeg copy that fixes it on our side:

[I'm part of the team that found the original issue (#879 and #880).] @npm1: I cannot see the review in pdfium-reviews ("The page you requested was not found, or you do not have permission to view this page") but I can see the code in the pdfium git repo (commit 44bc1f818dd791c2a5a81103be3853093fd934b3 ). I think these are two separate issues. Whenever the

@szukw000: Please let us know if we're missing something or testing the wrong version. I'm not sure why it crashes for me on every attempt and is refused in

the library for the patch was from ' Jan 11 07:15 openjpeg'. winfried

Was fixed per c5bf5ef
Summary of the issue:
The opj_dump and opj_decompress utilities crash (segmentation fault) when parsing an illegal JPEG2000 image file due to reading from memory which was already freed. Any program which uses the OpenJPEG library might also crash when parsing such specially-crafted inputs (since the crash is caused by the content of the freed memory, it is hard to tell exactly whether it will crash or not).
Explanation:
The attached poc2.zip (password: infected) contains the specially crafted image file poc2.j2k which causes this issue.
The problem stems from a realloc call (in j2k.c:5243) that frees the memory of m_mct_records and then allocates them in another place in the heap. However, m_mcc_records may contain pointers to m_mct_records (in the m_decorrelation_array and m_offset_array fields), and those pointers are not updated and remain pointing to the freed memory area.
Example output:

```
$ ./opj_dump -i poc2.j2k
```
poc2.zip
vulnerability-disclosure-2-openjpeg.docx
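The root cause described above is a general C pattern: one table is grown with `realloc`, and a second structure keeps raw pointers into the old block, which become dangling the moment `realloc` moves it. The following is an added example (not OpenJPEG's code, and not the fix in c5bf5ef) showing the hardened shape: cross-references are stored as table positions and resolved to pointers only at the moment of use, after a bounds check. The names `mct_table`, `mct_record`, `mcc_record` and the helper functions are hypothetical and only loosely modelled on the field names mentioned in the report.

```c
/* Added example: index-based cross references that survive realloc.
 * Names are hypothetical and do not correspond to OpenJPEG's API. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    unsigned index;     /* identifier carried in the marker (constructed value) */
    size_t   data_len;
} mct_record;

typedef struct {
    mct_record *records;
    size_t count;
    size_t capacity;
} mct_table;

/* An MCC-style record refers to MCT records by table position, not by
 * pointer, so the table may be reallocated without leaving dangling
 * references behind. */
typedef struct {
    size_t decorrelation_idx;
    size_t offset_idx;
} mcc_record;

/* Append a record, growing the table; returns the new record's position
 * or -1 on allocation failure. */
long mct_table_add(mct_table *t, unsigned index, size_t data_len) {
    if (t->count == t->capacity) {
        size_t ncap = t->capacity ? t->capacity * 2 : 2;
        mct_record *n = realloc(t->records, ncap * sizeof *n);
        if (!n) return -1;
        /* The old block is freed here: any pointer saved into it earlier
         * would now be dangling. Holding positions instead avoids that. */
        t->records = n;
        t->capacity = ncap;
    }
    t->records[t->count].index = index;
    t->records[t->count].data_len = data_len;
    return (long)t->count++;
}

/* Resolve a position to a pointer at the moment of use, with a bounds check. */
const mct_record *mct_table_get(const mct_table *t, size_t i) {
    return i < t->count ? &t->records[i] : NULL;
}

/* Link an MCC record to two MCT records; rejects out-of-range references
 * so a crafted file cannot refer to a record that was never read. */
int mcc_link(const mct_table *t, mcc_record *m, size_t decorr, size_t offset) {
    if (decorr >= t->count || offset >= t->count) return -1;
    m->decorrelation_idx = decorr;
    m->offset_idx = offset;
    return 0;
}

/* Link early, force many reallocations, then resolve. Returns the index
 * stored in the record the MCC still refers to (7 with this input). */
unsigned demo_realloc_survives(void) {
    mct_table t = {0};
    mcc_record m;
    mct_table_add(&t, 7, 16);
    mct_table_add(&t, 8, 16);
    if (mcc_link(&t, &m, 0, 1) != 0) { free(t.records); return 0; }
    for (unsigned i = 9; i < 100; i++)      /* grows the table repeatedly */
        mct_table_add(&t, i, 16);
    const mct_record *d = mct_table_get(&t, m.decorrelation_idx);
    unsigned r = d ? d->index : 0;
    free(t.records);
    return r;
}

/* A reference to a record that does not exist yet must be refused (-1). */
int demo_reject_unknown_reference(void) {
    mct_table t = {0};
    mcc_record m;
    mct_table_add(&t, 7, 16);
    int rc = mcc_link(&t, &m, 0, 5);
    free(t.records);
    return rc;
}

int main(void) {
    printf("record index after growth: %u\n", demo_realloc_survives());
    printf("unknown reference rc: %d\n", demo_reject_unknown_reference());
    return 0;
}
```

The point of the design is that `mct_table_get` is the only place a pointer into the table is formed, so no stale pointer can outlive a call to `mct_table_add`; building with AddressSanitizer is the usual way to confirm the pointer-holding variant of the same code dereferences freed memory once the table grows.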