Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Out-of-bound left shift in opj_j2k_setup_encoder (src/lib/openjp2/j2k.c) #1057

Closed
ProbeFuzzer opened this issue Jan 19, 2018 · 3 comments

Comments

Projects
None yet
3 participants
@ProbeFuzzer
Copy link

commented Jan 19, 2018

(This problem is discovered with UBSAN enabled)
On latest version (2.3) and master branch of openjpeg:
there is an integer overflow caused by out-of-bound left shift in opj_j2k_setup_encoder function (src/lib/openjp2/j2k.c), which could cause denial of service via a crafted bmp file.

src/lib/openjp2/j2k.c:7304:48: runtime error: shift exponent 4294967295 is too large for 32-bit type 'int'

To reproduce this issue, run: bin/opj_compress -n 1 -i $POC -o OUTPUT

The POC could be downloaded at: https://github.com/ProbeFuzzer/poc/blob/master/openjpeg/openjpeg_2-3_opj_compress_integer-overflow_opj_j2k_setup_encoder.bmp

@carnil

This comment has been minimized.

Copy link

commented Jan 19, 2018

This was assigned CVE-2018-5785

@hlef

This comment has been minimized.

Copy link
Contributor

commented Sep 16, 2018

The underlying issue is actually in src/bin/jp2/convertbmp.c: BMP files declaring compression = 3 (BI_BITFIELDS) with header size <= 56 keep their color mask values to zero. This is not an issue for BMP files with bit count 16 because of a check added in 16240e2 which sets default values to the color masks if they are all 0. We should maybe have something like that for other bit counts as well. Also, there might be some similar issues in the case where header size >= 56 + some masks are intentionally set to zero.

I'll investigate further and PR a patch.

@hlef

This comment has been minimized.

Copy link
Contributor

commented Sep 22, 2018

Just submitted a PR addressing this issue.

@rouault rouault closed this in ca16fe5 Sep 22, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.