OpenJPEG Heap Buffer Overflow in function color_cmyk_to_rgb of color.c
Testing Environment
Ubuntu + OpenJPEG (GitHub master, 2016/05/06)
Exception Information
==13576== ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb4800a74 at pc 0x8071ec0 bp 0xbfaffb18 sp 0xbfaffb0c
READ of size 4 at 0xb4800a74 thread T0
#0 0x8071ebf in color_cmyk_to_rgb /home/trylab/Desktop/repo/openjpeg/src/bin/common/color.c:872
#1 0x805205f in main /home/trylab/Desktop/repo/openjpeg/src/bin/jp2/opj_decompress.c:1378
#2 0xb5f16a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
#3 0x804a150 in _start (/home/trylab/Desktop/repo/openjpeg/bin/opj_decompress+0x804a150)
0xb4800a74 is located 0 bytes to the right of 4-byte region [0xb4800a70,0xb4800a74)
allocated by thread T0 here:
#0 0xb61fb905 (/usr/lib/i386-linux-gnu/libasan.so.0+0x16905)
#1 0xb61bf62d in opj_calloc /home/trylab/Desktop/repo/openjpeg/src/lib/openjp2/opj_malloc.c:203
#2 0xb615cefb in opj_j2k_update_image_data /home/trylab/Desktop/repo/openjpeg/src/lib/openjp2/j2k.c:8221
#3 0xb6169838 in opj_j2k_decode_tiles /home/trylab/Desktop/repo/openjpeg/src/lib/openjp2/j2k.c:9764
#4 0xb6156a44 in opj_j2k_exec /home/trylab/Desktop/repo/openjpeg/src/lib/openjp2/j2k.c:7350
#5 0xb616a83c in opj_j2k_decode /home/trylab/Desktop/repo/openjpeg/src/lib/openjp2/j2k.c:9955
#6 0xb617749c in opj_jp2_decode /home/trylab/Desktop/repo/openjpeg/src/lib/openjp2/jp2.c:1492
#7 0xb6185367 in opj_decode /home/trylab/Desktop/repo/openjpeg/src/lib/openjp2/openjpeg.c:412
#8 0x8051af8 in main /home/trylab/Desktop/repo/openjpeg/src/bin/jp2/opj_decompress.c:1332
#9 0xb5f16a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/trylab/Desktop/repo/openjpeg/src/bin/common/color.c:872 color_cmyk_to_rgb
Shadow bytes around the buggy address:
0x369000f0: fa fa 00 04 fa fa 00 04 fa fa 00 04 fa fa 00 04
0x36900100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36900110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36900120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36900130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x36900140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[04]fa
0x36900150: fa fa fd fd fa fa fd fd fa fa fd fa fa fa 00 00
0x36900160: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x36900170: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x36900180: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x36900190: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==13576== ABORTING
trylab
changed the title
Heap Buffer Overflow in function color_cmyk_to_rgb of color.c
CVE-2016-4796 Heap Buffer Overflow in function color_cmyk_to_rgb of color.c
Sep 13, 2016
Title
OpenJPEG Heap Buffer Overflow in function color_cmyk_to_rgb of color.c
Testing Environment
Ubuntu + OpenJPEG (GitHub master, 2016/05/06)
Exception Information
PoC
https://raw.githubusercontent.com/trylab/PoCs/master/openjpeg/Heap-Buffer-Overflow_color_cmyk_to_rgb/poc.j2k
Credit
Ke Liu of Tencent's Xuanwu LAB
The text was updated successfully, but these errors were encountered: