
OPENJPEG null ptr dereference in openjpeg-2.3.0/src/bin/jp2/convert.c:2243 #1152

Closed
yngweijs opened this issue Oct 9, 2018 · 6 comments

4 participants
@yngweijs

commented Oct 9, 2018

DESCRIPTION

OPENJPEG null ptr dereference in openjpeg-2.3.0/src/bin/jp2/convert.c:2243

VERSION
OPENJPEG-2.3.0

GDB Output

#0 0x0000555555560a5d in imagetopnm (image=0x555555a22660, outfile=0x7fffffffbcac "out.ppm", force_split=0) at /home/pwnjs/Desktop/openjpeg/openjpeg-2.3.0/src/bin/jp2/convert.c:2243
#1 0x000055555555a0e1 in main (argc=5, argv=0x7fffffffddf8) at /home/pwnjs/Desktop/openjpeg/openjpeg-2.3.0/src/bin/jp2/opj_decompress.c:1692
#2 0x00007ffff71e7b97 in __libc_start_main (main=0x5555555592ed, argc=5, argv=0x7fffffffddf8, init=, fini=, rtld_fini=, stack_end=0x7fffffffdde8) at ../csu/libc-start.c:310
#3 0x00005555555567aa in _start ()

GDB Information

pwndbg> print red
$1 = (int *) 0x0
pwndbg> print image->comps[compno].data
$2 = (OPJ_INT32 *) 0x0
pwndbg> c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x0000555555560a5d in imagetopnm (image=0x555555a22660, outfile=0x7fffffffbcac "out.ppm", force_split=0) at /home/pwnjs/Desktop/openjpeg/openjpeg-2.3.0/src/bin/jp2/convert.c:2243
2243 v = *red + adjustR;

Analysis

image->comps[compno].data = NULL and it was assigned to red, so when the program accesses red, a segmentation fault occurs.

PoC

Contact me if you need Poc file at yngweijs@gmail.com or mayfeelyang@gmail.com

@yngweijs


Author

commented Oct 9, 2018

@szukw000


Contributor

commented Oct 9, 2018

@rouault ,
2018-10-09, openjpeg: Latest commit 0e6a555 17 days ago

I have made one change in opj_decompress.c and one in convert.c .

bin/opj_decompress -i 291554_FlipDeter -o 291554_FlipDeter.ppm

  1. Result of change in opj_decompress.c:
===============================================
The extension of this file is incorrect.
    FOUND ''. SHOULD BE '.j2k or .jpc or .j2c'
===============================================
  2. Result of change in convert.c:
imagetopnm data[1] == NULL
[ERROR] Outfile 291554_FlipDeter.ppm not generated

are_comps_similar() cannot be used.

FlipDeter.dif.zip

If you agree, I'll create a PR.
winfried

@hlef


Contributor

commented Nov 5, 2018

This issue was assigned CVE-2018-18088.

FTR, how to reproduce: rename the poc "poc.jp2". Then, $ opj_decompress -i poc.jp2 -o /tmp/null.ppm

Analysis:

Image components might have NULL data pointer by defining a zero component size (in this case, zero component size is achieved by defining large horizontal sampling period dx = 254).

It looks very much like this NULL data pointer is a legit state, not handled at multiple places in the source code (not only in jp2!).

I'll submit a PR addressing these issues.

hlef added a commit to hlef/openjpeg that referenced this issue Nov 7, 2018

jp2: convert: fix null pointer dereference
Tile components in a JP2 image might have null data pointer by defining a
zero component size (for example using large horizontal or vertical
sampling periods). This null data pointer leads to null image component
data pointer, causing crash when dereferenced without != null check in
imagetopnm.

Add != null check.

This commit addresses uclouvain#1152 (CVE-2018-18088).
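The two things described above, a component whose sampling period is so large that its size becomes zero (so its data pointer stays NULL) and a writer that checks for that NULL before dereferencing, as an added illustration that is not OpenJPEG's code and not part of this thread. The struct layouts, the `size_component`, `make_image` and `image_to_ppm` functions and the sample values are all constructed here; only the sizing rule (ceil(x1/dx) - ceil(x0/dx)) and the "data == NULL" check mirror what the comments describe.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed, simplified stand-ins for OpenJPEG's opj_image_t and opj_image_comp_t;
   the field names are assumptions for this illustration, not the library's real types. */
typedef struct {
    unsigned int dx, dy;   /* horizontal / vertical sampling period */
    unsigned int w, h;     /* component size in samples */
    int *data;             /* decoded samples; NULL when w * h == 0 */
} comp_t;

typedef struct {
    unsigned int x0, y0, x1, y1; /* image area on the reference grid */
    unsigned int numcomps;
    comp_t *comps;
} image_t;

static unsigned int ceildiv(unsigned int a, unsigned int b) {
    return b ? (a + b - 1) / b : 0;
}

/* Component size from the reference grid and the sampling periods, following the
   JPEG 2000 rule ceil(x1/dx) - ceil(x0/dx). A large period makes this zero, in which
   case no sample buffer is allocated and data stays NULL (the state seen in the issue). */
unsigned int size_component(const image_t *img, comp_t *c) {
    c->w = ceildiv(img->x1, c->dx) - ceildiv(img->x0, c->dx);
    c->h = ceildiv(img->y1, c->dy) - ceildiv(img->y0, c->dy);
    c->data = (c->w && c->h) ? calloc((size_t)c->w * c->h, sizeof(int)) : NULL;
    return c->w * c->h;
}

/* Build a 3-component image whose middle component uses sampling period dx1; the other
   two use dx = 1, and all use dy = 1. Samples are filled with a small constructed ramp. */
image_t *make_image(unsigned int x0, unsigned int y0, unsigned int x1, unsigned int y1,
                    unsigned int dx1) {
    image_t *img = calloc(1, sizeof *img);
    unsigned int c, i;
    img->x0 = x0; img->y0 = y0; img->x1 = x1; img->y1 = y1;
    img->numcomps = 3;
    img->comps = calloc(3, sizeof *img->comps);
    for (c = 0; c < 3; c++) {
        img->comps[c].dx = (c == 1) ? dx1 : 1;
        img->comps[c].dy = 1;
        size_component(img, &img->comps[c]);   /* loop below is skipped when w * h == 0 */
        for (i = 0; i < img->comps[c].w * img->comps[c].h; i++)
            img->comps[c].data[i] = (int)(i * 40 + c);
    }
    return img;
}

void free_image(image_t *img) {
    unsigned int c;
    for (c = 0; c < img->numcomps; c++) free(img->comps[c].data);
    free(img->comps);
    free(img);
}

/* Hardened PPM writer: refuses any component whose data pointer is NULL before touching
   it, which is the check imagetopnm lacked. Returns the number of bytes written to out
   (a binary P6 header followed by interleaved RGB samples), or -1 on rejection. */
int image_to_ppm(const image_t *img, unsigned char *out, size_t outlen) {
    unsigned int compno, w, h, i;
    int n;
    if (img->numcomps < 3) return -1;
    for (compno = 0; compno < 3; compno++) {
        if (img->comps[compno].data == NULL) {
            fprintf(stderr, "image_to_ppm: data[%u] == NULL\n", compno);
            return -1;
        }
    }
    w = img->comps[0].w; h = img->comps[0].h;
    for (compno = 1; compno < 3; compno++)     /* all three planes must be the same size */
        if (img->comps[compno].w != w || img->comps[compno].h != h) return -1;
    n = snprintf((char *)out, outlen, "P6\n%u %u\n255\n", w, h);
    if (n < 0 || (size_t)n >= outlen || outlen - (size_t)n < (size_t)w * h * 3) return -1;
    for (i = 0; i < w * h; i++) {
        for (compno = 0; compno < 3; compno++) {
            int v = img->comps[compno].data[i];   /* safe: every plane checked above */
            if (v < 0) v = 0;
            if (v > 255) v = 255;
            out[n++] = (unsigned char)v;
        }
    }
    return n;
}

int main(void) {
    unsigned char buf[256];
    image_t *ok = make_image(0, 0, 2, 2, 1);        /* normal 2x2 image */
    image_t *bad = make_image(250, 0, 253, 2, 254); /* dx = 254 shrinks plane 1 to width 0 */
    printf("normal image: %d bytes\n", image_to_ppm(ok, buf, sizeof buf));
    printf("zero-width plane: %d\n", image_to_ppm(bad, buf, sizeof buf));
    free_image(ok);
    free_image(bad);
    return 0;
}
```

With x0 = 250, x1 = 253 and dx = 254, both ceil(253/254) and ceil(250/254) are 1, so the middle plane is 0 samples wide and its buffer is never allocated; the writer reports `data[1] == NULL` and returns -1 instead of reading through the null pointer. The same-size check afterwards is where a helper like are_comps_similar() would sit, and it only makes sense once every plane is known to be non-NULL.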
@hlef


Contributor

commented Nov 15, 2018

I have PRed a patch addressing this issue, see #1160.

@hlef


Contributor

commented Dec 10, 2018

@rouault this issue can be closed by the way, GitHub didn't recognize the "addresses"

@rouault


Collaborator

commented Dec 10, 2018

OK, you need to add "fixes #XXXX" in the commit message so that GitHub automatically closes an issue when a commit is merged.

@rouault rouault closed this Dec 10, 2018
