Use-after-free in opj_j2k_write_mco #563
mayeut closed this in 940100c Sep 6, 2015
mayeut added this to the OPJ v2.1.1 milestone Sep 6, 2015
mayeut added the bug label Sep 6, 2015
dag-erling commented Sep 20, 2015
Still no release for this fairly important issue? I would suggest bumping outstanding 2.1.1 issues to 2.1.2 and releasing 2.1.1 now. Also, if you don't have a CVE yet—I haven't seen a reply to Josselin Feist's request on the oss-sec mailing list—you should contact either Kurt Seifried (kseifried@redhat.com) or MITRE (cve-assign@mitre.org) directly to ask for one.
montyly commented Aug 14, 2015
Hi,
I have found a potential use-after-free in the opj_j2k_write_mco function of the j2k.c file.
At line 5562, l_current_data is set to p_j2k->m_specific_param.m_encoder.m_header_tile_data.
But at line 5567, p_j2k->m_specific_param.m_encoder.m_header_tile_data is used as the argument of realloc, and so can be freed.
But l_current_data is used later (lines 5597, 5582 ...), and so can point to a freed memory zone.
A simple fix should be to set l_current_data to p_j2k->m_specific_param.m_encoder.m_header_tile_data after line 5577.
The vulnerability was found by my static binary analyzer gueb (which will become open-source soon).
Regards,
Feist Josselin
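
The stale-alias pattern described in the report, next to the reordering it proposes, as an added example that is not OpenJPEG's code and not part of the original thread. `encoder_t`, `write_record` and `demo` are hypothetical names, and the sample record is constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for an encoder's growable header buffer. */
typedef struct {
    uint8_t *header_data;   /* owned heap buffer */
    size_t   header_size;   /* current capacity in bytes */
} encoder_t;

/*
 * Pattern from the report (shown as a comment, not compiled):
 *
 *     cur = enc->header_data;                 // alias taken first
 *     grown = realloc(enc->header_data, len); // old block may be freed
 *     enc->header_data = grown;
 *     memcpy(cur, rec, len);                  // cur may now dangle
 *
 * Hardened form: derive the working pointer only after the buffer
 * has reached its final location.
 */
int write_record(encoder_t *enc, const uint8_t *rec, size_t len)
{
    if (len > enc->header_size) {
        uint8_t *grown = realloc(enc->header_data, len);
        if (grown == NULL)
            return 0;                 /* original buffer is still valid */
        enc->header_data = grown;
        enc->header_size = len;
    }
    uint8_t *cur = enc->header_data;  /* always the live allocation */
    memcpy(cur, rec, len);
    return 1;
}

/* Constructed check: force a grow, then confirm the write landed in
 * the buffer the encoder currently owns. */
int demo(void)
{
    encoder_t enc = { malloc(4), 4 };
    uint8_t rec[4096];
    if (enc.header_data == NULL)
        return 0;
    memset(rec, 0xA5, sizeof rec);
    int ok = write_record(&enc, rec, sizeof rec)
          && enc.header_size == sizeof rec
          && memcmp(enc.header_data, rec, sizeof rec) == 0;
    free(enc.header_data);
    return ok;
}
```

Building the stale ordering with AddressSanitizer (`-fsanitize=address`) reports a heap-use-after-free whenever realloc relocates the block, which makes a useful regression check for this class of bug.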