
null ptr dereference in convert.c:1331 #843

Closed
STARLABSEC opened this issue Sep 16, 2016 · 7 comments

Comments

@STARLABSEC

Vulnerability

openjpeg null ptr dereference in convert.c:1331

Version

git head version ( https://github.com/uclouvain/openjpeg/ )

Address Sanitizer Output

ASAN:SIGSEGV

==7358==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc 0x0815d204 bp 0xff846938 sp 0xff846380 T0)
#0 0x815d203 in skip_white /home/starlab/fuzzing/openjpeg/src/bin/jp2/convert.c:1331
#1 0x8135d81 in main /home/starlab/fuzzing/openjpeg/src/bin/jp2/opj_compress.c:1723
#2 0xf7343636 in __libc_start_main ??:?
#3 0x807a31b in _start ??:?

PoC

See poc.ppm

Analysis

In convert.c:1483 and convert.c:1485, variable s is unchecked after skip_int is called.
A null ptr will be passed to skip_int again and will cause a null ptr dereference.

Report Timeline

2016-09-16: FB3F15 of STARLAB discovered this issue

Credit

FB3F15 of STARLAB

PoC

Contact us if you need PoC file
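The unchecked-return pattern described in the analysis above, as an added example that is not OpenJPEG's code: a minimal PNM header parser with hypothetical skip_white()/skip_int() helpers, where each helper result is checked before it is passed on again, and zero width/height/depth are rejected as in the patched loader. Function names, the header layout and the sample headers are assumptions for illustration.

```c
#include <ctype.h>
#include <string.h>

/* Hypothetical stand-in for convert.c's skip_white(): advance past
 * whitespace. It dereferences s, so passing it NULL is exactly the
 * crash the issue reports; the caller must check for NULL first. */
static const char *skip_white(const char *s)
{
    while (*s != '\0' && isspace((unsigned char)*s)) s++;
    return *s != '\0' ? s : NULL;   /* NULL: header ended early */
}

/* Hypothetical skip_int(): parse one unsigned decimal field. Returns
 * the position after the digits, or NULL on truncation/non-digit. */
static const char *skip_int(const char *s, int *out)
{
    s = skip_white(s);
    if (s == NULL || !isdigit((unsigned char)*s))
        return NULL;
    *out = 0;
    while (isdigit((unsigned char)*s)) {
        if (*out > 100000000)           /* absurd field: avoid overflow */
            return NULL;
        *out = *out * 10 + (*s++ - '0');
    }
    return s;
}

/* Parse "P6 <width> <height> <maxval>". Returns 1 on success, 0 on a
 * malformed header. The pre-fix defect was reusing s after skip_int()
 * without the NULL check, so the next skip_white() dereferenced NULL. */
int parse_pnm_header(const char *hdr, int *w, int *h, int *maxval)
{
    const char *s = hdr;
    if (strncmp(s, "P6", 2) != 0) return 0;
    s += 2;
    if ((s = skip_int(s, w)) == NULL) return 0;
    if ((s = skip_int(s, h)) == NULL) return 0;
    if ((s = skip_int(s, maxval)) == NULL) return 0;
    /* Reject zero width/height/depth, as the patched loader does. */
    return *w > 0 && *h > 0 && *maxval > 0 && *maxval < 65536;
}

/* Wrapper for checking: 1 if hdr parses to exactly these values. */
int pnm_header_is(const char *hdr, int w, int h, int maxval)
{
    int pw = -1, ph = -1, pm = -1;
    return parse_pnm_header(hdr, &pw, &ph, &pm) && pw == w && ph == h && pm == maxval;
}
```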

@szukw000
Contributor

@STARLABSEC ,
can you upload that file or give a link to that file?

winfried

@szukw000
Contributor

@STARLABSEC,

did you yourself change the PPM file? Or did OpenJPEG-2.0.0 create that file?
The ppm.dif shows the bug.

After changing 'convert.c' I got the message:

bin/opj_compress -i openjpeg-nullptr-github-issue-842.ppm -o out.j2k

convert.c:1586:OK(0) width(255) height(0) depth(0)
Unable to load pnm file

The respective patch should be applied.

winfried

openjpeg-nullptr-github-issue-842.ppm-dif.txt

@STARLABSEC
Author

@szukw000
We created it by ourselves.
The patch is ok, please apply it.

@szukw000
Contributor

@stweil ,

the patch is applied. I failed to create a github patch.

winfried
fixpnmtoimage_dif.txt

@malaterre malaterre added this to the OPJ v2.1.2 milestone Sep 20, 2016
mayeut added a commit to uclouvain/openjpeg-data that referenced this issue Sep 21, 2016
mayeut added a commit to mayeut/openjpeg that referenced this issue Sep 21, 2016
Malformed PNM file could cause a crash in opj_compress.
Checks were added to prevent this.

Fixes uclouvain#843
Updates uclouvain#440
mayeut added a commit that referenced this issue Sep 21, 2016
Malformed PNM file could cause a crash in opj_compress.
Checks were added to prevent this.

Fixes #843
Updates #440
@mayeut
Collaborator

mayeut commented Sep 21, 2016

@STARLABSEC Thanks fix committed.

malaterre pushed a commit that referenced this issue Sep 22, 2016
Malformed PNM file could cause a crash in opj_compress.
Checks were added to prevent this.

Fixes #843
Updates #440
@detonin detonin added the bug label Aug 3, 2017
@fgeek

fgeek commented Oct 3, 2020

CVE-2016-7445 was assigned for this issue in https://www.openwall.com/lists/oss-security/2016/09/18/6
