
NULL pointer dereference in function imagetobmp of convertbmp.c

Open YangY-Xiao opened this issue 8 years ago • 7 comments

DESCRIPTION
OPENJPEG null ptr dereference in convertbmp.c:980

VERSION
OPENJPEG-2.1.2

Address Sanitizer Output
==12736==ERROR: AddressSanitizer: SEGV on unknown address 0x00000f50 (pc 0x08150cc0 bp 0xbfad5d28 sp 0xbfad5cc0 T0)
    #0 0x8150cbf (/home/yang/openjpeg/openjpeg-2.1.2/build-clang/bin/opj_decompress+0x8150cbf)
    #1 0x81371b8 (/home/yang/openjpeg/openjpeg-2.1.2/build-clang/bin/opj_decompress+0x81371b8)
    #2 0xb74a1636 (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #3 0x805f327 (/home/yang/openjpeg/openjpeg-2.1.2/build-clang/bin/opj_decompress+0x805f327)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/yang/openjpeg/openjpeg-2.1.2/build-clang/bin/opj_decompress+0x8150cbf)

GDB Information
Program received signal SIGSEGV, Segmentation fault.
0x08055b57 in imagetobmp (image=0x93b15c0, outfile=0xbfa3efd4 "image.bmp") at /home/yang/openjpeg/openjpeg-2.1.2/src/bin/jp2/convertbmp.c:980
980         r = image->comps[0].data[w * h - ((i) / (w) + 1) * w + (i) % (w)];
(rr) p image->comps[0].data
$1 = (OPJ_INT32 *) 0x0

Analysis
step1: p_image_dest->comps[compno].data = NULL (image.c:185)
step2: opj_j2k_exec(p_j2k, p_j2k->m_procedure_list, p_stream, p_manager) (j2k.c:9969) -> opj_j2k_decode_tiles (j2k.c:9723) -> opj_j2k_read_tile_header (j2k.c:7845)
       p_j2k->m_specific_param.m_decoder.m_can_decode = 0 => p_go_on = 0 => l_go_on = 0 (j2k.c:9756)
       p_image_dest->comps[0].data was not assigned a value.
step3: convertbmp.c:980: the program accesses image->comps[0].data; however, data is still NULL.

PoC
Contact me if you need the PoC file at [email protected]

YangY-Xiao, Oct 29 '16 03:10
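The analysis above describes a decode that stops early (m_can_decode = 0) and hands the caller an image whose component buffers were never allocated; the BMP writer then indexes comps[0].data without checking it. The following is an added example, not openjpeg's code: a stand-in image struct (field names are assumptions chosen to resemble opj_image_t) with the pre-write check a converter should run before the pixel loop, and a small bottom-up grey writer that uses the same index expression as the crashing line but refuses to run on an unusable image. The two scenarios in main() are constructed to mirror the report.

```c
/* Added example (not openjpeg's own code): defensive check for NULL
 * component buffers before a BMP-style pixel loop touches them.
 * comp_t / image_t are simplified stand-ins for opj_image_comp_t /
 * opj_image_t (assumption; names chosen for illustration only). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct {
    uint32_t w, h;     /* component dimensions */
    int32_t *data;     /* decoded samples; NULL if decoding never ran */
} comp_t;

typedef struct {
    uint32_t numcomps;
    comp_t *comps;
} image_t;

/* Returns 1 if the first `required` components all have a non-NULL buffer
 * and sane dimensions, 0 otherwise. This is the check that was missing in
 * the report: a decode that bailed out leaves comps[i].data == NULL. */
int image_comps_ready(const image_t *image, uint32_t required)
{
    if (image == NULL || image->comps == NULL || image->numcomps < required)
        return 0;
    for (uint32_t i = 0; i < required; i++) {
        const comp_t *c = &image->comps[i];
        if (c->data == NULL || c->w == 0 || c->h == 0)
            return 0;
        /* the writer computes w*h; make sure that product cannot wrap */
        if (c->w > SIZE_MAX / c->h)
            return 0;
    }
    return 1;
}

/* Bottom-up grey writer in the spirit of convertbmp.c:980: same index
 * arithmetic, but guarded. Writes one clamped byte per sample into `out`.
 * Returns the number of bytes written, or -1 if the image is not usable. */
long grey_rows_bottom_up(const image_t *image, uint8_t *out, size_t outlen)
{
    if (!image_comps_ready(image, 1))
        return -1;
    uint32_t w = image->comps[0].w, h = image->comps[0].h;
    size_t n = (size_t)w * h;
    if (out == NULL || outlen < n)
        return -1;
    for (size_t i = 0; i < n; i++) {
        /* index expression from the crashing line in the report */
        int32_t r = image->comps[0].data[n - (i / w + 1) * w + i % w];
        if (r < 0)   r = 0;
        if (r > 255) r = 255;
        out[i] = (uint8_t)r;
    }
    return (long)n;
}

/* Constructed test image: `allocate == 0` reproduces the reported state
 * (dimensions set, buffer never allocated). */
image_t make_image(uint32_t w, uint32_t h, int allocate)
{
    image_t img;
    img.numcomps = 1;
    img.comps = calloc(1, sizeof(comp_t));
    img.comps[0].w = w;
    img.comps[0].h = h;
    img.comps[0].data = allocate ? calloc((size_t)w * h, sizeof(int32_t)) : NULL;
    return img;
}

void free_image(image_t *img)
{
    free(img->comps[0].data);
    free(img->comps);
    img->comps = NULL;
}

int main(void)
{
    uint8_t buf[8];
    image_t bad = make_image(4, 2, 0);   /* data == NULL, as in the report */
    printf("unallocated image: %ld\n", grey_rows_bottom_up(&bad, buf, sizeof buf));
    free_image(&bad);

    image_t good = make_image(4, 2, 1);
    good.comps[0].data[0] = 300;         /* bottom-left sample, clamps to 255 */
    good.comps[0].data[4] = 7;           /* top-left sample */
    printf("decoded image: %ld bytes\n", grey_rows_bottom_up(&good, buf, sizeof buf));
    free_image(&good);
    return 0;
}
```

The point of the check is that the decoder's failure is signalled only through the missing buffer, so the writer has to treat a NULL comps[i].data as "not decoded" rather than assume every component that has dimensions also has samples.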

Please refer to this issue as CVE-2016-9113.

1ucian0, Dec 03 '16 04:12

@Young-X Please verify whether this still occurs with the latest master. If so, please attach the reproducer to the ticket.

rouault, Aug 09 '17 08:08

@Young-X can you please provide the reproducer?

carnil, Sep 23 '17 07:09

@Young-X are you still reading your GitHub updates?

malaterre, Sep 28 '17 18:09

@Young-X ping?

carnil, Oct 03 '17 19:10

Sorry for replying late. I tested the PoC with the latest version. There is no crash.

YangY-Xiao, Oct 24 '17 01:10

Hi

On Tue, Oct 24, 2017 at 01:24:50AM +0000, Young-X wrote:

> Sorry for replying late. I tested the PoC with the latest version. There is no crash.

Thanks for confirming!

Can you still provide the reproducer for this issue, so that the fixing commit can be isolated and the fix for downstreams can be verified?

Regards, Salvatore

carnil, Oct 29 '17 09:10