
Denial of service (crash) due to use-after-free when decoding an illegal JPEG2000 image file v2.1.2 (2017-04 #880

Closed
PeteACoordinator opened this issue Jan 4, 2017 · 7 comments

@PeteACoordinator

Summary of the issue:
The opj_dump and opj_decompress utilities crash (segmentation fault) when parsing an illegal JPEG2000 image file due to reading from memory which was already freed. Any program which uses the OpenJPEG library might also crash when parsing such specially-crafted inputs (since the crash is caused by the content of the freed memory, it is hard to tell exactly whether it will crash or not).
Explanation:
The attached poc2.zip (password: infected) contains the specially crafted image file poc2.j2k which causes this issue.
The problem stems from a realloc call (in j2k.c:5243) that frees the memory of m_mct_records and then allocates them in another place in the heap. However, m_mcc_records may contain pointers to m_mct_records (in the m_decorrelation_array and m_offset_array fields), and those pointers are not updated and remain pointing to the freed memory area.
Example output:
$ ./opj_dump -i poc2.j2k
poc2.zip
vulnerability-disclosure-2-openjpeg.docx

@szukw000
Contributor

szukw000 commented Jan 5, 2017

@PeteACoordinator,

both #879 and #880 have been refused in opj_j2k_read_siz():

bin/opj_decompress -o out.png -i /tmp/ISSUE879-poc1.j2k

[INFO] Start to read j2k main header (0).
[ERROR] Error with SIZ marker: IMAGE w(48) h(48) vs. TILE w(805306416) h(808464432)
[ERROR] Marker handler function failed to read the marker segment
ERROR -> opj_decompress: failed to read the header

bin/opj_decompress -o out.png -i /tmp/ISSUE880-poc2.j2k

[INFO] Start to read j2k main header (0).
[ERROR] Error with SIZ marker: IMAGE w(23145) h(2793) vs. TILE w(16712333) h(369099232)
[ERROR] Marker handler function failed to read the marker segment
ERROR -> opj_decompress: failed to read the header

winfried

@PeteACoordinator
Author

Re: OpenJPEG:

I cloned the github code again (branch master), re-compiled, tried my examples (which I downloaded from the github issues) and they crash. Here's the environment I'm using to compile:

Ubuntu 14.04
gcc 4.8.4
Generating Makefiles with: cmake -DBUILD_SHARED_LIBS:bool=off ..

Just to be sure that nothing is wrong with the POC files themselves, here are their SHA1 digests:

$ sha1sum poc*.j2k
1c47f17445e37e8eab55dae2befe2c3d87a499e9 poc1.j2k
0814d3d81f32f675d716d34cf9c308a7dd134545 poc2.j2k

@npm1

npm1 commented Jan 10, 2017

We also found a use-after-free problem. We have a patch in our openjpeg copy that fixes it on our side:
https://pdfium-review.googlesource.com/c/2165/

@dubek

dubek commented Jan 11, 2017

[I'm part of the team that found the original issue (#879 and #880).]

@npm1: I cannot see the review in pdfium-reviews ("The page you requested was not found, or you do not have permission to view this page") but I can see the code in the pdfium git repo (commit 44bc1f818dd791c2a5a81103be3853093fd934b3). I think these are two separate issues. Whenever the m_mct_records array is reallocated, pointers to it from m_mcc_records should be updated to point to the new location it moved to. These pointers are currently not updated and access to them is a use-after-free violation (actually "use-after-realloc"). See the patch inside the docx file attached to the original post here.

@szukw000: Please let us know if we're missing something or testing the wrong version. I'm not sure why it crashes for me on every attempt and is refused in opj_j2k_read_siz() in your attempts. Which version/commit are you testing the POCs from #879 and #880 against?
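
Added example, not code from OpenJPEG or from anyone in this thread: a stand-alone C sketch of the realloc pattern described in the original report and of the pointer-rebasing fix dubek describes above. The struct and field names (mct_record_t, mcc_record_t, tcp_t, grow_mct_records, mcc_survives_growth) are hypothetical stand-ins for the library's m_mct_records / m_mcc_records, and the two-record input is constructed.

```c
#include <stdlib.h>

/* Toy stand-ins for the OpenJPEG structures named in the report (hypothetical names). */
typedef struct { int id; } mct_record_t;
typedef struct {                   /* one MCC referencing two MCT records */
    mct_record_t *decorrelation;
    mct_record_t *offset;
} mcc_record_t;
typedef struct {
    mct_record_t *mct_records;
    size_t        nb_mct_records;
    mcc_record_t  mcc;
} tcp_t;

/* Grow the MCT array. rebase == 0 is the pattern from the report: realloc() may
 * move the block while the MCC pointers keep addressing the freed one. rebase == 1
 * is the fix: turn each pointer into an index first, then rebase it on the new block. */
static int grow_mct_records(tcp_t *tcp, size_t n, int rebase)
{
    size_t d = (size_t)(tcp->mcc.decorrelation - tcp->mct_records);
    size_t o = (size_t)(tcp->mcc.offset - tcp->mct_records);
    mct_record_t *p = realloc(tcp->mct_records, n * sizeof *p);
    if (!p) return -1;             /* on failure the old block is still valid */
    tcp->mct_records = p;
    tcp->nb_mct_records = n;
    if (rebase) {
        tcp->mcc.decorrelation = p + d;
        tcp->mcc.offset = p + o;
    }
    return 0;
}

/* Constructed sample: two MCT records, an MCC pointing at both, then a growth
 * large enough that realloc() will normally move the block. Returns 1 if the
 * MCC still resolves to records 0 and 1, 0 if not, -1 on allocation failure.
 * Calling it with rebase == 0 under -fsanitize=address shows the reported bug. */
int mcc_survives_growth(int rebase)
{
    tcp_t tcp = {0};
    tcp.mct_records = calloc(2, sizeof *tcp.mct_records);
    if (!tcp.mct_records) return -1;
    tcp.nb_mct_records = 2;
    tcp.mct_records[0].id = 0; tcp.mct_records[1].id = 1;
    tcp.mcc.decorrelation = &tcp.mct_records[0];
    tcp.mcc.offset = &tcp.mct_records[1];
    if (grow_mct_records(&tcp, 4096, rebase) != 0) { free(tcp.mct_records); return -1; }
    int ok = tcp.mcc.decorrelation->id == 0 && tcp.mcc.offset->id == 1;
    free(tcp.mct_records);
    return ok;
}
```

Only the rebased path is safe to dereference; the unrebased path is there so the defect can be reproduced deterministically under AddressSanitizer rather than relying on whether the stale heap contents happen to crash.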

@szukw000
Contributor

@dubek,

I made several AFL runs: opj_decompress with different images, with '-t' and '-d' parameters.
The result can be seen in:

#882: Protection of AFL havocs in issues 811,862,863,871,872,879,880

winfried

@szukw000
Contributor

@dubek,

the library for the patch was from ' Jan 11 07:15 openjpeg'.

winfried

@rouault
Collaborator

rouault commented Jul 29, 2017

Was fixed per c5bf5ef

@rouault rouault closed this as completed Jul 29, 2017
@detonin detonin added the bug label Aug 3, 2017