I have found a potential use-after-free in the opj_j2k_write_mco function of the j2k.c file.
At line 5562, l_current_data is set to p_j2k->m_specific_param.m_encoder.m_header_tile_data.
But at line 5567, p_j2k->m_specific_param.m_encoder.m_header_tile_data is used as an argument of realloc, and so can be freed.
But l_current_data is used later (lines 5597, 5582 ...), and so can point to a freed memory zone.
A simple fix should be to assign l_current_data to p_j2k->m_specific_param.m_encoder.m_header_tile_data after line 5577.
The vulnerability was found by my static binary analyzer gueb (which will become open-source soon).
Regards,
Feist Josselin
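As an added illustration that is not part of the report above nor OpenJPEG's own code, the following C models the aliasing pattern the reporter describes: a pointer into the header buffer is cached, the buffer is then grown, and the cached pointer is used afterwards. The identifiers mirror the report, but the `encoder_t` struct, the `grow_header_buffer` helper and the sample marker value `0xff77` are assumptions of the example. The helper is written as allocate/copy/free so the old block is always released, whereas a real `realloc` may grow in place; that difference is why a stale alias after `realloc` is an input-dependent bug rather than a crash on every run.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the part of the encoder state the report talks about:
 * a growable buffer that header markers are serialized into.
 * (Assumed shape for this example; not OpenJPEG's real struct.) */
typedef struct {
    uint8_t *header_tile_data;
    size_t   header_tile_data_size;
} encoder_t;

/* Grow the header buffer to at least `needed` bytes.
 * Modeled as allocate + copy + free so the old block is ALWAYS released.
 * A real realloc may grow in place, so the same stale alias would only
 * misbehave on inputs large enough to force a move. */
static int grow_header_buffer(encoder_t *enc, size_t needed)
{
    if (needed <= enc->header_tile_data_size)
        return 0;
    uint8_t *fresh = malloc(needed);
    if (fresh == NULL)
        return -1;
    if (enc->header_tile_data != NULL) {
        memcpy(fresh, enc->header_tile_data, enc->header_tile_data_size);
        free(enc->header_tile_data);   /* old block is gone from here on */
    }
    enc->header_tile_data = fresh;
    enc->header_tile_data_size = needed;
    return 0;
}

/* The pattern the report describes: the alias is taken BEFORE the buffer
 * may be grown and used AFTER. Rather than writing through the alias
 * (undefined behaviour), this version only reports whether it went stale.
 * Returns 1 if a write through l_current_data would hit freed memory,
 * 0 if the buffer did not move, -1 on allocation failure. */
static int write_marker_unsafe(encoder_t *enc, size_t marker_size)
{
    uint8_t  *l_current_data = enc->header_tile_data;     /* alias taken here */
    uintptr_t alias_addr     = (uintptr_t)l_current_data; /* kept as an integer so
                                                             no freed pointer is read */
    if (grow_header_buffer(enc, marker_size) != 0)
        return -1;
    /* The original code would now keep writing via l_current_data ... */
    (void)l_current_data;
    return alias_addr != (uintptr_t)enc->header_tile_data;
}

/* The fix the report suggests: take the alias only after the grow,
 * so every subsequent write goes to the live buffer. */
static int write_marker_safe(encoder_t *enc, size_t marker_size, uint16_t marker)
{
    if (marker_size < 2 || grow_header_buffer(enc, marker_size) != 0)
        return -1;
    uint8_t *l_current_data = enc->header_tile_data;      /* alias refreshed after grow */
    l_current_data[0] = (uint8_t)(marker >> 8);            /* marker code, big-endian */
    l_current_data[1] = (uint8_t)(marker & 0xffu);
    return 0;
}

int main(void)
{
    encoder_t enc = { NULL, 0 };
    grow_header_buffer(&enc, 4);                          /* small initial buffer */
    printf("alias stale after grow: %d\n", write_marker_unsafe(&enc, 64));

    encoder_t enc2 = { NULL, 0 };
    write_marker_safe(&enc2, 64, 0xff77u);                /* 0xff77: sample marker value */
    printf("first bytes: %02x %02x\n",
           enc2.header_tile_data[0], enc2.header_tile_data[1]);

    free(enc.header_tile_data);
    free(enc2.header_tile_data);
    return 0;
}
```

The unsafe variant deliberately never dereferences the cached pointer; it only shows that the address it holds no longer matches the live buffer once the grow has moved it. With the real code, an allocator that always moves on realloc (AddressSanitizer's does) turns the latent bug into a deterministic report at the first write through the stale pointer, which is the quickest way to confirm the finding and to check the proposed fix.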
Still no release for this fairly important issue? I would suggest bumping outstanding 2.1.1 issues to 2.1.2 and releasing 2.1.1 now. Also, if you don't have a CVE yet—I haven't seen a reply to Josselin Feist's request on oss-sec mailing list—you should contact either Kurt Seifried (kseifried@redhat.com) or MITRE (cve-assign@mitre.org) directly to ask for one.