
[CVE-2016-10505] Null Pointer Access in function imagetopnm of convert.c #776

Closed
trylab opened this issue May 6, 2016 · 2 comments

@trylab
Contributor

trylab commented May 6, 2016

Title

OpenJPEG Null Pointer Access in function imagetopnm of convert.c

Testing Environment

Ubuntu + OpenJPEG (GitHub master, 2016/05/06)

Exception Information

==22059== ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc 0x0805f813 sp 0xbfd3b8a0 bp 0xbfd3b958 T0)
AddressSanitizer can not provide additional info.
    #0 0x805f812 in imagetopnm /home/trylab/Desktop/repo/openjpeg/src/bin/jp2/convert.c:1974
    #1 0x805279a in main /home/trylab/Desktop/repo/openjpeg/src/bin/jp2/opj_decompress.c:1467
    #2 0xb5e96a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
    #3 0x804a150 in _start (/home/trylab/Desktop/repo/openjpeg/bin/opj_decompress+0x804a150)
SUMMARY: AddressSanitizer: SEGV /home/trylab/Desktop/repo/openjpeg/src/bin/jp2/convert.c:1974 imagetopnm
==22059== ABORTING

PoC

https://raw.githubusercontent.com/trylab/PoCs/master/openjpeg/SIGSEGV_Null-Pointer-Access_imagetopnm/poc.j2k

Credit

Ke Liu of Tencent's Xuanwu LAB

@szukw000
Contributor

szukw000 commented May 9, 2016

bin/opj_decompress -i /tmp/ISSUE-776/issue776-poc.j2k -o issue776-poc.j2k.png

[INFO] Start to read j2k main header (0).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
Segmentation fault

NAME(/tmp/ISSUE-776/issue776-poc.j2k)
LENG(174)

[51]marker(0xff52)

read_cod

         max_len 18
      prog_order 0
       nr_layers 16384

[92]marker(0xff64)
com len(66)
R[1](General use (ISO 8859-1 (latin-1) values))
T(Created by OPJViewer Win32 - OpenJPEG version 1.2.0 with JPWL)
[160]marker(0xff90)

read_sot Psot > 0

tile_nr(0) Psot(1146447479) TPsot(119) TNsot(255)

----------------------

Tested with openjpeg-master-2016-05-09.

winfried

@rouault
Collaborator

rouault commented Aug 9, 2017

No longer reproducible with master

$ bin/opj_decompress -i ../poc_776.j2k -o out.j2k.pgx

[INFO] Start to read j2k main header (0).
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
[ERROR] Invalid tile part index for tile number 0. Got 119, expected 0
[ERROR] Fail to read the current marker segment (0xff90)
ERROR -> opj_decompress: failed to decode image!

@rouault rouault closed this as completed Aug 9, 2017
@trylab trylab changed the title Null Pointer Access in function imagetopnm of convert.c [CVE-2016-10505] Null Pointer Access in function imagetopnm of convert.c Aug 30, 2017
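The rejection master prints above ("Invalid tile part index for tile number 0. Got 119, expected 0") is SOT-marker validation: the malformed tile-part is refused while the codestream headers are being read, so decoding fails before any image is handed to imagetopnm. The following is an added example written for this page, not code from OpenJPEG; parse_sot, sot_t and check_sample are names chosen here, and the sample bytes are constructed from the field values szukw000 printed (Psot 1146447479, TPsot 119, TNsot 255 at offset 160 of a 174-byte file).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* SOT (Start Of Tile-part) fields: Isot tile index, Psot tile-part length counted from the SOT
 * marker (0 = up to EOC), TPsot tile-part index, TNsot number of tile-parts (0 = unknown). */
typedef struct { uint16_t isot; uint32_t psot; uint8_t tpsot, tnsot; } sot_t;
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
/* Parse the SOT segment at cs[off] of a cs_len-byte codestream and reject inconsistent fields
 * before any tile-part data is touched. Returns 1 if acceptable, else 0 with the reason in err. */
int parse_sot(const uint8_t *cs, size_t cs_len, size_t off, unsigned num_tiles,
              unsigned expected_tpsot, sot_t *out, char *err, size_t errlen)
{
    if (off > cs_len || cs_len - off < 12) { snprintf(err, errlen, "truncated SOT segment"); return 0; }
    if (rd16(cs + off) != 0xFF90) { snprintf(err, errlen, "not an SOT marker"); return 0; }
    if (rd16(cs + off + 2) != 10) { snprintf(err, errlen, "Lsot must be 10"); return 0; }
    out->isot  = rd16(cs + off + 4);
    out->psot  = rd32(cs + off + 6);
    out->tpsot = cs[off + 10];
    out->tnsot = cs[off + 11];
    if (out->isot >= num_tiles) { snprintf(err, errlen, "tile index %u out of range", (unsigned)out->isot); return 0; }
    /* Tile-parts of a tile must arrive in order; this is the check master reports for the PoC. */
    if (out->tpsot != expected_tpsot) {
        snprintf(err, errlen, "Invalid tile part index for tile number %u. Got %u, expected %u",
                 (unsigned)out->isot, (unsigned)out->tpsot, expected_tpsot);
        return 0;
    }
    if (out->tnsot != 0 && out->tpsot >= out->tnsot) { snprintf(err, errlen, "TPsot >= TNsot"); return 0; }
    /* Psot cannot be shorter than the segment itself or run past the end of the codestream. */
    if (out->psot != 0 && (out->psot < 12 || out->psot > cs_len - off)) {
        snprintf(err, errlen, "Psot %u exceeds remaining %zu bytes", (unsigned)out->psot, cs_len - off);
        return 0;
    }
    return 1;
}
/* Constructed 174-byte codestream with an SOT at offset 160. bad = 1 uses the field values the thread
 * prints (Psot 1146447479 = 0x44556677, TPsot 119, TNsot 255); bad = 0 uses a well-formed counterpart
 * (Psot 14, TPsot 0, TNsot 1). Returns NULL when parse_sot accepts, otherwise the rejection reason. */
const char *check_sample(int bad)
{
    static char err[128];
    uint8_t cs[174] = {0}, sot[12] = {0xFF,0x90, 0x00,0x0A, 0x00,0x00, 0x00,0x00,0x00,0x0E, 0x00, 0x01};
    if (bad) memcpy(sot + 6, "\x44\x55\x66\x77\x77\xFF", 6);
    memcpy(cs + 160, sot, sizeof sot);
    sot_t s;
    return parse_sot(cs, sizeof cs, 160, 1, 0, &s, err, sizeof err) ? NULL : err;
}
```

With the thread's values the tile-part index check fires first; even if TPsot were corrected, the Psot of 1146447479 bytes in a 174-byte file would still be refused by the length check.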