
Malicious files can cause the program to enter a large loop

Open pic4xiu opened this issue 2 years ago • 11 comments

Maliciously constructed pictures can cause the program to enter a large loop and continuously print warning messages on the terminal.

Expected behavior and actual behavior.

Program file format error, parsing failed~

But the program enters a big loop and keeps printing in the terminal:

...
[WARNING] Not enough space for expected EPH marker
[WARNING] Not enough space for expected SOP marker
[WARNING] Not enough space for expected EPH marker
[WARNING] Not enough space for expected SOP marker
[WARNING] Not enough space for expected EPH marker
[WARNING] Not enough space for expected SOP marker
[WARNING] Not enough space for expected EPH marker
[WARNING] Not enough space for expected SOP marker
...

I tested it with Ubuntu, and the program ran for more than 4 hours.

Steps to reproduce the problem.

The PoC is here.

Run: opj_decompress -i bigloop -o te.raw

The machine may need more than 8 GB of memory to reproduce it reliably.

Operating system

Ubuntu, macOS and Windows are all available.

openjpeg version

OpenJPEG 2.5.0

pic4xiu, Jul 16 '23 07:07
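The practical defence for a decoder that can be driven into an hours-long loop by a crafted input is to run it under a budget. The wrapper below is an added example, not OpenJPEG code: it launches an external decoder command line (the reporter's `opj_decompress -i bigloop -o te.raw` is the intended argument list), reads its stderr on a thread, and kills the process either when the wall-clock limit expires or when the `[WARNING] Not enough space for expected SOP/EPH marker` line quoted above repeats more than a configurable number of times. The function name, the verdict strings and the thresholds are assumptions of this example.

```python
"""Run a JPEG 2000 decoder under a wall-clock and warning budget.

Added example, not part of OpenJPEG. Wraps an external decoder invocation such
as ``opj_decompress -i bigloop -o te.raw`` so a crafted file that makes the
decoder loop printing marker warnings cannot hold a worker for hours.
"""
import re
import subprocess
import sys
import threading
import time

# The warning text that floods the terminal in the report above.
MARKER_WARNING_RE = re.compile(
    r"^\[WARNING\] Not enough space for expected (?:SOP|EPH) marker"
)


def _count_marker_warnings(stream, state, limit):
    """Reader thread: count marker warnings on stderr, stop once the limit is hit."""
    for line in stream:
        if MARKER_WARNING_RE.match(line):
            state["warnings"] += 1
            if state["warnings"] >= limit:
                state["loop"] = True
                return


def decode_with_budget(argv, timeout_s=30.0, max_warnings=1000, poll_s=0.05):
    """Run ``argv`` and return a dict whose "verdict" is one of:

    ok            decoder exited 0 within the budget
    error         decoder exited non-zero within the budget
    warning-loop  stderr repeated the marker warning max_warnings times (killed)
    timeout       decoder still running after timeout_s seconds (killed)
    """
    state = {"warnings": 0, "loop": False}
    start = time.monotonic()
    proc = subprocess.Popen(
        argv,
        stdout=subprocess.DEVNULL,
        stderr=subprocess.PIPE,
        text=True,
        errors="replace",
    )
    reader = threading.Thread(
        target=_count_marker_warnings,
        args=(proc.stderr, state, max_warnings),
        daemon=True,
    )
    reader.start()

    verdict = None
    while proc.poll() is None:
        if state["loop"]:
            verdict = "warning-loop"
            break
        if time.monotonic() - start > timeout_s:
            verdict = "timeout"
            break
        time.sleep(poll_s)

    if verdict is not None:
        # Once the reader stops draining stderr the child blocks on a full
        # pipe; killing it ends both the loop and the output flood.
        proc.kill()
    returncode = proc.wait()
    reader.join(timeout=5)
    proc.stderr.close()

    if verdict is None:
        verdict = "ok" if returncode == 0 else "error"
    return {
        "verdict": verdict,
        "returncode": returncode,
        "warnings": state["warnings"],
        "elapsed_s": round(time.monotonic() - start, 3),
    }


if __name__ == "__main__":
    # Usage: python decode_budget.py opj_decompress -i bigloop -o te.raw
    cmd = sys.argv[1:] or ["opj_decompress", "-i", "bigloop", "-o", "te.raw"]
    print(decode_with_budget(cmd))
```

A service that decodes untrusted images should treat a `warning-loop` or `timeout` verdict as a rejected input and quarantine the file for triage; the warning count in the result distinguishes a file that merely produced a few warnings and finished from one that never terminates.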

CVE-2023-39327 was assigned to this flaw. If you wish to dispute or reject please let me know.

pedrohc, Jul 04 '24 15:07

Could anyone confirm that this issue was fixed by pull #1547?

fundawang, Sep 18 '24 03:09

@fundawang the POC is mentioned above. Just run it and report back.

jubalh, Sep 18 '24 05:09

The pull request confirms in its description that it's not fixed. A slight modification of the PoC allows triggering the behavior.

mayeut, Sep 18 '24 05:09

Does anyone have a workaround or a fix ready for this issue?

tariqmchoudhry, Oct 30 '24 19:10

Is there a fix for this issue yet or will there be one forthcoming anytime soon? Opening a CVE for an issue and letting it hang out for months/years is not really helpful for applications/companies that are using OpenJPEG and are required to react to those CVEs in a specific timeframe.

anthonymingo, Jan 28 '25 20:01

Opening a CVE for an issue and letting it hang out for months/years is not really helpful for applications/companies that are using OpenJPEG and are required to react to those CVEs in a specific timeframe.

How many $$$$$$ do they offer to fix it ? As far as I'm concerned, I don't care at all about companies using OpenJPEG. That's their problem, not mine.

rouault, Jan 28 '25 20:01

The pull request confirms in its description that it's not fixed. A slight modification of the PoC allows triggering the behavior.

@mayeut can you provide the file with that slight modification? Also, how did you know what to alter in the file?

sebras, Jan 28 '25 21:01

How is OpenJPEG being invoked with these POC images? I have attempted to embed POC image(s) in a PDF file and Adobe rejects it right away, no loops no issues.

tariqmchoudhry, May 21 '25 18:05

The pull request confirms in its description that it's not fixed. A slight modification of the PoC allows triggering the behavior.

@mayeut can you provide the file with that slight modification? Also, how did you know what to alter in the file? Thanks!

fuowang, Oct 21 '25 02:10

I did not keep the file. See https://github.com/uclouvain/openjpeg/pull/1547#issue-2471536611 for the modification required.

mayeut, Oct 21 '25 04:10