Bug 1082925
| Field | Value |
|---|---|
| Summary | openjpeg: Heap-based buffer overflow in JPEG2000 image tile decoder |
| Product | [Other] Security Response |
| Reporter | Huzaifa S. Sidhpurwala <huzaifas> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED DUPLICATE |
| QA Contact | |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | unspecified |
| CC | jkurik, pfrields, phracek, rdieter, security-response-team |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2014-04-02 08:58:06 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1037945, 1038411, 1082995, 1082996, 1082997, 1082998 |
| Bug Blocks | 1082926 |
| Attachments | |
Description
Huzaifa S. Sidhpurwala
2014-04-01 06:20:47 UTC
When decoding the specially-crafted image, tcd_decode_tile() fails at:

```c
1400 if (tilec->data == NULL)
1401 {
1402 opj_event_msg(tcd->cinfo, EVT_ERROR, "Out of memory\n");
1403 return OPJ_FALSE;
1404 }
```

It returns OPJ_FALSE, which is recorded into j2k->state in j2k_read_eoc() at:

```c
1670 success = tcd_decode_tile(tcd, j2k->tile_data[tileno], j2k->tile_len[tileno], tileno, j2k->cstr_info);
...
1677 if (success == OPJ_FALSE) {
1678 j2k->state |= J2K_STATE_ERR;
1679 break;
```

However, this error is not acknowledged by the upstream calling function j2k_decode() at:

```c
2013 if (j2k->state == J2K_STATE_NEOC) {
2014 j2k_read_eoc(j2k);
2015 }
2016
```

So the calling stack is:

```text
j2k_decode()              < Not acknowledged here!
----> j2k_read_eoc()      < Propagates here
----> tcd_decode_tile()   < Error here
```

This results in the image being treated as valid though it may be invalid; this can result in a heap-buffer OOB read/write, depending on how the image is crafted.
Created attachment 881241 [details]
Make sure error is propagated to the parent function
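As an added illustration (not openjpeg's code and not part of the bug report), the following C model reproduces the propagation gap described in the report: the tile decoder fails and returns OPJ_FALSE, the EOC reader only records that failure in a state flag, and the top-level decoder either ignores the flag (the pattern at lines 2013-2015) or checks it before handing the image back. The model_* names, the struct layout, the two-tile "codestream" and the numeric values of J2K_STATE_NEOC and J2K_STATE_ERR are all constructed for this example; only the control flow follows the description.

```c
/* Added example, not openjpeg's code: a minimal model of the call chain in the
 * report (j2k_decode -> j2k_read_eoc -> tcd_decode_tile). The model_* names,
 * structs and flag values are constructed for this illustration. */
#include <stdio.h>
#include <stdlib.h>

#define OPJ_FALSE 0
#define OPJ_TRUE  1
#define J2K_STATE_NEOC 0x0040  /* constructed value */
#define J2K_STATE_ERR  0x8000  /* constructed value */

typedef struct {
    size_t data_len;      /* tile buffer size the codestream asks for */
    unsigned char *data;  /* NULL when allocation failed */
} model_tilec_t;

typedef struct {
    int state;
    int ntiles;
    model_tilec_t tiles[2];
} model_j2k_t;

/* Stand-in for tcd_decode_tile(): the tile buffer allocation fails (here, for
 * any size over 1 MiB, mimicking the crafted image) and OPJ_FALSE is returned,
 * as at lines 1400-1404 in the report. */
static int model_tcd_decode_tile(model_tilec_t *tilec) {
    tilec->data = (tilec->data_len > 0 && tilec->data_len <= (1u << 20))
                      ? calloc(tilec->data_len, 1)
                      : NULL;
    if (tilec->data == NULL) {
        fprintf(stderr, "Out of memory\n");
        return OPJ_FALSE;
    }
    return OPJ_TRUE;
}

/* Stand-in for j2k_read_eoc(): the failure is only recorded in j2k->state,
 * as at lines 1677-1679; nothing is returned to the caller. */
static void model_j2k_read_eoc(model_j2k_t *j2k) {
    for (int i = 0; i < j2k->ntiles; i++) {
        if (model_tcd_decode_tile(&j2k->tiles[i]) == OPJ_FALSE) {
            j2k->state |= J2K_STATE_ERR;
            break;
        }
    }
}

/* Stand-in for j2k_decode(). checked == 0 reproduces the unchecked pattern at
 * lines 2013-2015; checked != 0 adds the J2K_STATE_ERR test that the attached
 * patch asks for. Returns 1 if the image is handed back as valid, 0 if rejected. */
static int model_j2k_decode(model_j2k_t *j2k, int checked) {
    if (j2k->state == J2K_STATE_NEOC) {
        model_j2k_read_eoc(j2k);
        if (checked && (j2k->state & J2K_STATE_ERR)) {
            return 0;  /* error propagated: the caller sees the failure */
        }
    }
    return 1;
}

/* Build a two-tile model codestream; crafted != 0 gives the second tile an
 * absurd size so its buffer allocation fails. */
static void model_init(model_j2k_t *j2k, int crafted) {
    j2k->state = J2K_STATE_NEOC;
    j2k->ntiles = 2;
    j2k->tiles[0].data_len = 256;
    j2k->tiles[0].data = NULL;
    j2k->tiles[1].data_len = crafted ? (size_t)-1 : 256;
    j2k->tiles[1].data = NULL;
}

static void model_free(model_j2k_t *j2k) {
    for (int i = 0; i < j2k->ntiles; i++) free(j2k->tiles[i].data);
}

/* Decode a model image and report whether it was accepted as valid. */
int model_decode_result(int crafted, int checked) {
    model_j2k_t j2k;
    model_init(&j2k, crafted);
    int ok = model_j2k_decode(&j2k, checked);
    model_free(&j2k);
    return ok;
}

/* Number of tiles with a NULL buffer inside an image that was accepted as
 * valid (0 when the image was rejected). A nonzero result is the condition
 * that later lets a consumer touch memory through a missing tile buffer. */
int model_null_tiles_accepted(int crafted, int checked) {
    model_j2k_t j2k;
    model_init(&j2k, crafted);
    int nulls = 0;
    if (model_j2k_decode(&j2k, checked)) {
        for (int i = 0; i < j2k.ntiles; i++) nulls += (j2k.tiles[i].data == NULL);
    }
    model_free(&j2k);
    return nulls;
}

int main(void) {
    printf("crafted, unchecked: accepted=%d null tiles=%d\n",
           model_decode_result(1, 0), model_null_tiles_accepted(1, 0));
    printf("crafted, checked:   accepted=%d null tiles=%d\n",
           model_decode_result(1, 1), model_null_tiles_accepted(1, 1));
    return 0;
}
```

With the unchecked caller the crafted image is accepted with one tile buffer still NULL, which is the state the report warns about; with the state-flag check in the caller the same input is rejected before any image is returned. The general point is that a status stored only in a shared flag has to be re-read by every caller up the chain, or the failure is silently lost.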
Acknowledgements: This issue was discovered by Martin Kyra of the Red Hat QE Team.

Created openjpeg tracking bugs for this issue:
Affects: fedora-all [bug 1082996]
Affects: epel-5 [bug 1082998]

Created mingw-openjpeg tracking bugs for this issue:
Affects: fedora-all [bug 1082997]

Looking into openjpeg-1.5.2, and the proposed patch here doesn't apply. The code prior to where this fit in now contains:

```c
if (j2k->state == J2K_STATE_NEOC) {
    j2k_read_eoc(j2k);
    /* Check one last time for errors during decoding before returning */
    if (j2k->state & J2K_STATE_ERR) {
        opj_image_destroy(image);
        return NULL;
    }
}
```
Which looks like it may be sufficient.
I guess one difference is that this doesn't include: opj_event_msg(cinfo, EVT_ERROR, "Error in decoding tile\n");

This is a duplicate of CVE-2013-1447 as per: http://www.openwall.com/lists/oss-security/2014/04/02/2

*** This bug has been marked as a duplicate of bug 1037945 ***

mingw-openjpeg-1.5.1-8.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

mingw-openjpeg-1.5.1-8.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.