null ptr dereference in convert.c:1331 #843

Closed
STARLABSEC opened this issue Sep 16, 2016 · 6 comments

@STARLABSEC commented Sep 16, 2016

Vulnerability

openjpeg null ptr dereference in convert.c:1331

Version

git head version ( https://github.com/uclouvain/openjpeg/ )

Address Sanitizer Output

ASAN:SIGSEGV

==7358==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc 0x0815d204 bp 0xff846938 sp 0xff846380 T0)
#0 0x815d203 in skip_white /home/starlab/fuzzing/openjpeg/src/bin/jp2/convert.c:1331
#1 0x8135d81 in main /home/starlab/fuzzing/openjpeg/src/bin/jp2/opj_compress.c:1723
#2 0xf7343636 in __libc_start_main ??:?
#3 0x807a31b in _start ??:?

PoC

See poc.ppm

Analysis

In convert.c:1483 and convert.c:1485, variable s is unchecked after skip_int is called.
A null ptr will be passed to skip_int again and will cause a null ptr dereference.

Report Timeline

2016-09-16: FB3F15 of STARLAB discovered this issue

Credit

FB3F15 of STARLAB

PoC

Contact us if you need the PoC file.
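The pattern the analysis above describes, as an added example that is not OpenJPEG's code: a miniature PNM dimension-line parser in the same style, where skip_white() returns NULL at end of line and skip_int() propagates that NULL, so the second and third skip_int() calls in the unchecked caller dereference it once the line is truncated. The function names skip_white and skip_int come from the report; their bodies, the struct pnm_dims type, the parse_dims_unchecked and parse_dims_checked callers, and the two input lines are assumptions constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not OpenJPEG's code. skip_white() steps over blanks and
 * returns NULL when the line ends; skip_int() parses one decimal and
 * returns the position after it, or NULL when the line ended first.
 * Both dereference their argument, so a NULL returned by one call must
 * never be passed into the next one. */
static char *skip_white(char *s)
{
    while (*s) {                    /* faults here if s == NULL */
        if (*s == '\n' || *s == '\r')
            return NULL;            /* end of line: nothing left to parse */
        if (*s == ' ' || *s == '\t') {
            ++s;
            continue;
        }
        break;
    }
    return s;
}

static char *skip_int(char *start, int *out_n)
{
    char *s = skip_white(start);
    *out_n = 0;
    if (s == NULL || !isdigit((unsigned char)*s))
        return NULL;
    *out_n = (int)strtol(s, &s, 10);
    return s;                       /* points just past the digits */
}

/* Hypothetical header record for the example. */
struct pnm_dims { int width, height, maxval; };

/* The crashing pattern: each skip_int() result is fed to the next call
 * unchecked. On a line such as "255\n" the first call succeeds, the
 * second returns NULL, and the third dereferences NULL in skip_white().
 * Only ever call this with well-formed input. */
int parse_dims_unchecked(const char *line, struct pnm_dims *d)
{
    char buf[64];
    char *s;
    snprintf(buf, sizeof buf, "%s", line);
    s = skip_int(buf, &d->width);
    s = skip_int(s, &d->height);    /* s may already be NULL here */
    s = skip_int(s, &d->maxval);    /* NULL dereference on truncated input */
    return s != NULL;
}

/* Hardened form: check after every step and fail closed, then sanity
 * check the values before anyone sizes a buffer from them. */
int parse_dims_checked(const char *line, struct pnm_dims *d)
{
    char buf[64];
    char *s;
    d->width = d->height = d->maxval = 0;
    snprintf(buf, sizeof buf, "%s", line);
    if ((s = skip_int(buf, &d->width)) == NULL)  return 0;
    if ((s = skip_int(s, &d->height)) == NULL)   return 0;
    if ((s = skip_int(s, &d->maxval)) == NULL)   return 0;
    if (d->width <= 0 || d->height <= 0 || d->maxval <= 0 || d->maxval > 65535)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed inputs: a complete dimension line, and a truncated one
     * of the kind the report describes (only the width is present). */
    const char *good = "16 8 255\n";
    const char *bad  = "255\n";
    struct pnm_dims d;

    printf("unchecked, good: %d (%dx%d max %d)\n",
           parse_dims_unchecked(good, &d), d.width, d.height, d.maxval);
    printf("checked,   good: %d (%dx%d max %d)\n",
           parse_dims_checked(good, &d), d.width, d.height, d.maxval);
    printf("checked,   bad:  %d (%dx%d max %d)\n",
           parse_dims_checked(bad, &d), d.width, d.height, d.maxval);
    /* parse_dims_unchecked(bad, &d) would fault inside skip_white(). */
    return 0;
}
```

On the truncated line the checked parser stops with width 255 and height and maxval 0, which is the same state the later comment's debug output reports, and returns failure instead of reaching the third call.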

@szukw000 (Contributor) commented Sep 17, 2016

@STARLABSEC ,
can you upload that file or give a link to that file?

winfried

@szukw000 (Contributor) commented Sep 18, 2016

@STARLABSEC,

did you yourself change the PPM file? Or did OpenJPEG-2.0.0 create that file?
The ppm.dif shows the bug.

After changing 'convert.c' I got the message:

bin/opj_compress -i openjpeg-nullptr-github-issue-842.ppm -o out.j2k

convert.c:1586:OK(0) width(255) height(0) depth(0)
Unable to load pnm file

The respective patch should be applied.

winfried

openjpeg-nullptr-github-issue-842.ppm-dif.txt

@STARLABSEC (Author) commented Sep 18, 2016

@szukw000
We created it by ourselves.
The patch is ok, please apply it.

@szukw000 (Contributor) commented Sep 18, 2016

@stweil ,

the patch is applied. I failed to create a github patch.

winfried
fixpnmtoimage_dif.txt

tenforward referenced this issue Sep 20, 2016

Closed

openjpeg #546

malaterre added this to the OPJ v2.1.2 milestone Sep 20, 2016

mayeut added a commit to uclouvain/openjpeg-data that referenced this issue Sep 21, 2016

mayeut added a commit to mayeut/openjpeg that referenced this issue Sep 21, 2016

Fix PNM file reading
Malformed PNM file could cause a crash in opj_compress.
Checks were added to prevent this.

Fixes uclouvain#843
Updates uclouvain#440

detonin added the in progress label Sep 21, 2016

mayeut closed this in #847 Sep 21, 2016

mayeut added a commit that referenced this issue Sep 21, 2016

Fix PNM file reading (#847)
Malformed PNM file could cause a crash in opj_compress.
Checks were added to prevent this.

Fixes #843
Updates #440

detonin removed the in progress label Sep 21, 2016

@mayeut (Collaborator) commented Sep 21, 2016

@STARLABSEC Thanks, fix committed.

malaterre added a commit that referenced this issue Sep 22, 2016

Fix PNM file reading (#847)
Malformed PNM file could cause a crash in opj_compress.
Checks were added to prevent this.

Fixes #843
Updates #440

detonin added the bug label Aug 3, 2017
