
Heap use-after-free #1261

Closed
Ruia-ruia opened this issue Jun 28, 2020 · 6 comments

Comments

@Ruia-ruia Ruia-ruia commented Jun 28, 2020

There is a heap use-after-free vulnerability in openjpeg/build/bin/libopenjp2.so.7.
I would also like to request a CVE if that's okay or I can do it myself if you're busy, no worries.

Here is the ASAN output:
out.txt

Here is the command executed to reproduce the issue:
./opj_decompress -ImgDir Inputs/ -OutFor PGM

If you would also like the files I have in the Inputs/, let me know and I can find a way to provide them.

Collaborator

@rouault rouault commented Jun 28, 2020

> There is a heap use-after-free vulnerability in openjpeg/build/bin/libopenjp2.so.7.

Can you reproduce it with latest master?

> I would also like to request a CVE if that's okay

Yes, if you need one, please file the request.

> If you would also like the files I have in the Inputs/

Yes, that would be needed to investigate the issue.

Author

@Ruia-ruia Ruia-ruia commented Jun 28, 2020

What is your preferred way of receiving the necessary input files?

Collaborator

@rouault rouault commented Jun 28, 2020

> What is your preferred way of receiving the necessary input files?

I don't care. Ideally, if they are small, attached to this ticket. Otherwise, if too large, a URL to a Dropbox or something equivalent.

Author

@Ruia-ruia Ruia-ruia commented Jun 28, 2020

By the way, after reviewing the source code I believe (though I may be wrong) the issue emerges on the fulfillment of these conditions:

  1. There is more than one file in the directory.
  2. One of the files does not have a good header.
  3. One of the files does have a good header.

This means that opj_image_destroy is called twice on the same image. The use-after-free is more specifically a read-after-free and occurs when opj_image_destroy tries to read from the image after it has been freed: `if (image->comps)`

On the first iteration of:

1395:
for (imageno = 0; imageno < num_images ; imageno++)

The image is destroyed as per:

1773: 
/* free image data structure */
opj_image_destroy(image);

Then because there is a file in the Input/ directory, whose header cannot be read, a second call to opj_image_destroy occurs on the second iteration of the for loop at image.c:1395

1480:
if (! opj_read_header(l_stream, l_codec, &image)) {
    fprintf(stderr, "ERROR -> opj_decompress: failed to read the header\n");
    opj_stream_destroy(l_stream);
    opj_destroy_codec(l_codec);
    opj_image_destroy(image);
    failed = 1;
    goto fin;
}

Note that there is a second iteration because that's how many files there are in the Input/ directory.
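The double destroy described in the analysis above, as an added C model (not OpenJPEG's code): `image_t`, the live-allocation table and the header flags are constructed stand-ins for opj_image_t, ASan and opj_read_header. It also shows the ordering the conditions imply: the bad-header file must come after a good one, since the stale pointer only exists once an image has been destroyed.

```c
/* Added example, not OpenJPEG code: a stale `image` pointer survives one loop
 * iteration, and a later bad header destroys the same image again. */
#include <stdlib.h>
#include <string.h>

typedef struct { int *comps; } image_t;  /* stand-in for opj_image_t */
#define MAX_LIVE 8
static image_t *g_live[MAX_LIVE];        /* live images: a tiny ASan-like table */
static int g_bad_destroys;               /* destroys that hit freed memory */

static image_t *image_create(void) {
    image_t *img = calloc(1, sizeof *img);
    if (!img) return NULL;
    img->comps = calloc(1, sizeof(int));
    for (int i = 0; i < MAX_LIVE; i++) if (!g_live[i]) { g_live[i] = img; break; }
    return img;
}

/* Same shape as opj_image_destroy: reads image->comps before freeing.  The
 * table lookup stands in for ASan and refuses to dereference freed memory. */
static void image_destroy(image_t *img) {
    if (!img) return;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (g_live[i] == img) {
            g_live[i] = NULL;
            free(img->comps);            /* the read ASan reports in the bug */
            free(img);
            return;
        }
    }
    g_bad_destroys++;                    /* read/free after free */
}

/* Decode loop over n files (headers[i]: 1 = good header, 0 = bad).  With
 * reset_ptr == 0 it mirrors the bug; with 1 the pointer is cleared after each
 * destroy, so a later bad header only destroys NULL.  Returns bad destroys. */
int run_decode_loop(const int *headers, int n, int reset_ptr) {
    image_t *image = NULL;
    memset(g_live, 0, sizeof g_live);
    g_bad_destroys = 0;
    for (int i = 0; i < n; i++) {
        if (!headers[i]) {               /* opj_read_header failed */
            image_destroy(image);        /* pointer left over from last file */
            continue;
        }
        image = image_create();          /* good header: decode, then free */
        image_destroy(image);
        if (reset_ptr) image = NULL;     /* the fix: no dangling pointer */
    }
    return g_bad_destroys;
}
```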

Author

@Ruia-ruia Ruia-ruia commented Jun 28, 2020

https://www.dropbox.com/sh/yjvwmxo99d98yry/AADfYGBHaRb08mRQYPfd2oJna?dl=0

Here is a link to download the two files which need to be in Input/.

rouault added a commit to rouault/openjpeg that referenced this issue Jun 28, 2020
…and invalid images

Fixes uclouvain#1261

Credits to @Ruia-ruia for reporting and analysis.

@carnil carnil commented Jun 30, 2020

This apparently was assigned CVE-2020-15389.

rouault added a commit to rouault/openjpeg that referenced this issue Jun 30, 2020
…and invalid images (CVE-2020-15389)

Fixes uclouvain#1261

Credits to @Ruia-ruia for reporting and analysis.