null ptr dereference in convert.c:1331 #843
Comments
@STARLABSEC, winfried
did you yourself change the PPM file? Or did OpenJPEG-2.0.0 create that file? After changing 'convert.c' I got the message:

bin/opj_compress -i openjpeg-nullptr-github-issue-842.ppm -o out.j2k
convert.c:1586:OK(0) width(255) height(0) depth(0)

The respective patch should be applied. winfried
@szukw000
@stweil, the patch is applied. I failed to create a GitHub patch. winfried
Malformed PNM file could cause a crash in opj_compress. Checks were added to prevent this.

Fixes uclouvain#843
Updates uclouvain#440

@STARLABSEC Thanks, fix committed.
CVE-2016-7445 was assigned for this issue in https://www.openwall.com/lists/oss-security/2016/09/18/6
Vulnerability
openjpeg null ptr dereference in convert.c:1331
Version
git head version ( https://github.com/uclouvain/openjpeg/ )
Address Sanitizer Output
ASAN:SIGSEGV
==7358==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc 0x0815d204 bp 0xff846938 sp 0xff846380 T0)
#0 0x815d203 in skip_white /home/starlab/fuzzing/openjpeg/src/bin/jp2/convert.c:1331
#1 0x8135d81 in main /home/starlab/fuzzing/openjpeg/src/bin/jp2/opj_compress.c:1723
#2 0xf7343636 in __libc_start_main ??:?
#3 0x807a31b in _start ??:?
PoC
See poc.ppm
Analysis
In convert.c:1483 and convert.c:1485, the variable s is unchecked after skip_int is called.
A null ptr will be passed to skip_int again and will cause a null ptr dereference.
Report Timeline
2016-09-16: FB3F15 of STARLAB discovered this issue
Credit
FB3F15 of STARLAB
PoC
Contact us if you need PoC file
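The pattern described in the analysis (the pointer returned by one skip_int call handed straight to the next without a check, so a header that ends early turns into a NULL dereference) and the zero-sized header winfried's comment prints (width(255) height(0) depth(0)) can both be shown with a miniature PNM header parser. The code below is an added example, not OpenJPEG's convert.c: the names skip_white and skip_int and their "NULL means the buffer ended" contract are borrowed from the report, while parse_pnm_header_unchecked, parse_pnm_header, pnm_pixel_count and the sample headers are assumed and constructed for illustration.

```c
#include <ctype.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Skip whitespace in a NUL-terminated header buffer. Contract as in the report:
 * the caller must pass a valid pointer; NULL comes back once the terminator is
 * reached, meaning "the header ended early". */
static const char *skip_white(const char *s)
{
    while (isspace((unsigned char)*s))   /* dereferences s: a NULL argument crashes here */
        s++;
    return *s ? s : NULL;
}

/* Parse one unsigned decimal integer after optional whitespace.
 * Returns a pointer just past the digits, or NULL if no number was found. */
static const char *skip_int(const char *s, int *out)
{
    int v = 0;
    s = skip_white(s);
    if (s == NULL || !isdigit((unsigned char)*s))
        return NULL;                     /* buffer ended, or no digits where a number was expected */
    while (isdigit((unsigned char)*s)) {
        int d = *s - '0';
        if (v > (INT_MAX - d) / 10)      /* would overflow int: treat as malformed */
            return NULL;
        v = v * 10 + d;
        s++;
    }
    *out = v;
    return s;                            /* never NULL: points at the char after the digits */
}

struct pnm_hdr { int width, height, maxval; };

/* The pattern the report describes (hypothetical, for contrast only): each skip_int
 * result is passed on unchecked, so a header that stops after the width, such as
 * "P6 4", makes the second call hand NULL to skip_white. Never feed this untrusted data. */
int parse_pnm_header_unchecked(const char *buf, struct pnm_hdr *h)
{
    const char *s = buf + 2;             /* assumes the "P6" magic was already consumed */
    s = skip_int(s, &h->width);
    s = skip_int(s, &h->height);         /* s may already be NULL here */
    s = skip_int(s, &h->maxval);
    return s ? 0 : -1;
}

/* Hardened version: every pointer returned by skip_int is tested before it is used
 * again, and zero-sized or out-of-range values (the width(255) height(0) depth(0)
 * case from the thread) are rejected. Returns 0 on success, -1 on a malformed header. */
int parse_pnm_header(const char *buf, struct pnm_hdr *h)
{
    const char *s;
    if (buf == NULL || buf[0] != 'P' || buf[1] != '6')
        return -1;                       /* only the binary RGB magic is handled here */
    s = skip_int(buf + 2, &h->width);
    if (s == NULL) return -1;
    s = skip_int(s, &h->height);
    if (s == NULL) return -1;
    s = skip_int(s, &h->maxval);
    if (s == NULL) return -1;
    if (h->width <= 0 || h->height <= 0 || h->maxval <= 0 || h->maxval > 65535)
        return -1;                       /* PNM allows maxval 1..65535 and non-empty images */
    return 0;
}

/* Convenience wrapper: pixel count of a well-formed header, -1 if it is rejected. */
long pnm_pixel_count(const char *buf)
{
    struct pnm_hdr h;
    if (parse_pnm_header(buf, &h) != 0)
        return -1;
    return (long)h.width * h.height;
}

int main(void)
{
    /* Constructed sample headers: valid, truncated after the width, zero-sized, and empty. */
    const char *samples[] = { "P6 4 3 255", "P6 4", "P6 255 0 0", "P6" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> pixels %ld\n", samples[i], pnm_pixel_count(samples[i]));
    return 0;
}
```

The truncated sample "P6 4" is the interesting one: skip_int consumes the 4 and returns a pointer at the terminator, the next skip_white sees the terminator and returns NULL, and only the hardened caller notices before the third call dereferences it. Checking at the call site rather than inside skip_white keeps the helper's contract unchanged, which is the same shape as the fix the maintainers describe (checks added in the caller).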