Bug 1082925 - openjpeg: Heap-based buffer overflow in JPEG2000 image tile decoder
Status: CLOSED DUPLICATE of bug 1037945
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority: medium  Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20140401,repor...
Depends On: CVE-2013-1447 1038411 1082995 1082996 1082997 1082998
Blocks: 1082926
Reported: 2014-04-01 02:20 EDT by Huzaifa S. Sidhpurwala
Modified: 2016-03-04 05:58 EST (History)

Doc Type: Bug Fix
Last Closed: 2014-04-02 04:58:06 EDT


Attachments (Terms of Use)
Make sure error is propagated to the parent function (610 bytes, patch)
2014-04-01 04:23 EDT, Huzaifa S. Sidhpurwala
Description Huzaifa S. Sidhpurwala 2014-04-01 02:20:47 EDT
A heap-based buffer overflow was found in the way openjpeg parsed certain image files from a JPEG2000 image. If a specially-crafted image were opened by an application linked against OpenJPEG, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
Comment 1 Huzaifa S. Sidhpurwala 2014-04-01 02:29:47 EDT

When decoding the specially-crafted image, tcd_decode_tile() fails at:

1400         if (tilec->data == NULL)
1401         {
1402             opj_event_msg(tcd->cinfo, EVT_ERROR, "Out of memory\n");
1403             return OPJ_FALSE;
1404         }

It returns OPJ_FALSE, which is recorded into j2k->state in j2k_read_eoc() at:

1670                                 success = tcd_decode_tile(tcd, j2k->tile_data[tileno], j2k->tile_len[tileno], tileno, j2k->cstr_info);

..
..

1677                         if (success == OPJ_FALSE) {
1678                                 j2k->state |= J2K_STATE_ERR;
1679                                 break;

However this error is not acknowledged by the upstream calling function j2k_decode() at:

2013         if (j2k->state == J2K_STATE_NEOC) {
2014                 j2k_read_eoc(j2k);
2015         }
2016 

So the calling stack is:

j2k_decode()                   < Not acknowledged here!
----> j2k_read_eoc()           < Propagates here
      ----> tcd_decode_tile()  < Error here

This results in the image being treated as valid though it may be invalid; this can result in a heap-buffer OOB read/write, depending on how the image is crafted.
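The call chain above, as an added example: a constructed C model of the three functions (not OpenJPEG's code; the state-flag values, struct layout and tile buffers are assumptions) showing how a caller that never tests J2K_STATE_ERR accepts a stream with a failed tile, and how a masked check rejects it.

```c
/* Constructed model of the error-propagation bug described in Comment 1.
 * Not OpenJPEG source; flag values and struct layout are assumed. */
#include <stddef.h>

#define OPJ_FALSE 0
#define OPJ_TRUE  1
#define J2K_STATE_NEOC 0x0040  /* assumed: end-of-codestream reached */
#define J2K_STATE_ERR  0x8000  /* assumed: a decoding error was recorded */

typedef struct { int state; int ntiles; unsigned char **tile_data; } j2k_t;

/* Models tcd_decode_tile(): fails when a tile's data buffer is NULL. */
static int tcd_decode_tile(unsigned char *data) {
    if (data == NULL) return OPJ_FALSE;   /* "Out of memory" path */
    return OPJ_TRUE;
}

/* Models j2k_read_eoc(): decodes each tile and records failure in state. */
static void j2k_read_eoc(j2k_t *j2k) {
    for (int t = 0; t < j2k->ntiles; t++) {
        if (tcd_decode_tile(j2k->tile_data[t]) == OPJ_FALSE) {
            j2k->state |= J2K_STATE_ERR;
            break;
        }
    }
}

/* Unchecked caller: reads EOC but never looks at J2K_STATE_ERR, so the
 * partially decoded image is returned as valid. 1 = image accepted. */
int j2k_decode_unchecked(j2k_t *j2k) {
    if (j2k->state == J2K_STATE_NEOC) j2k_read_eoc(j2k);
    return 1;
}

/* Checked caller (the shape quoted in Comment 8): test the error bit with
 * a mask, not equality, because read_eoc ORs ERR into the existing state. */
int j2k_decode_checked(j2k_t *j2k) {
    if (j2k->state == J2K_STATE_NEOC) {
        j2k_read_eoc(j2k);
        if (j2k->state & J2K_STATE_ERR) return 0;  /* reject the image */
    }
    return 1;
}

/* Constructed two-tile streams: tile 1 has no buffer in the "bad" stream. */
static unsigned char good_tile[16];
static unsigned char *tiles_bad[2] = { good_tile, NULL };
static unsigned char *tiles_ok[2]  = { good_tile, good_tile };

/* Decodes one constructed stream with either caller; returns its verdict. */
int decode_stream(int bad, int checked) {
    j2k_t j = { J2K_STATE_NEOC, 2, bad ? tiles_bad : tiles_ok };
    return checked ? j2k_decode_checked(&j) : j2k_decode_unchecked(&j);
}
```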
Comment 2 Huzaifa S. Sidhpurwala 2014-04-01 04:23:50 EDT
Created attachment 881241 [details]
Make sure error is propagated to the parent function
Comment 4 Huzaifa S. Sidhpurwala 2014-04-01 05:50:37 EDT
Acknowledgements:

This issue was discovered by Martin Kyra of the Red Hat QE Team.
Comment 6 Huzaifa S. Sidhpurwala 2014-04-01 05:55:05 EDT
Created openjpeg tracking bugs for this issue:

Affects: fedora-all [bug 1082996]
Affects: epel-5 [bug 1082998]
Comment 7 Huzaifa S. Sidhpurwala 2014-04-01 05:55:08 EDT
Created mingw-openjpeg tracking bugs for this issue:

Affects: fedora-all [bug 1082997]
Comment 8 Rex Dieter 2014-04-01 12:23:58 EDT
Looking into openjpeg-1.5.2, the proposed patch here doesn't apply. The code prior to where this fits in now contains:

        if (j2k->state == J2K_STATE_NEOC) {
                j2k_read_eoc(j2k);
                /* Check one last time for errors during decoding before returning */
                if (j2k->state & J2K_STATE_ERR) {
                        opj_image_destroy(image);
                        return NULL;
                }
        }


Which looks like it may be sufficient.
Comment 9 Rex Dieter 2014-04-01 12:25:14 EDT
I guess one difference is that this doesn't include:
opj_event_msg(cinfo, EVT_ERROR, "Error in decoding tile\n");
Comment 10 Huzaifa S. Sidhpurwala 2014-04-02 04:58:06 EDT
This is a duplicate of CVE-2013-1447 as per:

http://www.openwall.com/lists/oss-security/2014/04/02/2

*** This bug has been marked as a duplicate of bug 1037945 ***
Comment 11 Fedora Update System 2014-04-15 11:37:19 EDT
mingw-openjpeg-1.5.1-8.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2014-04-15 11:44:22 EDT
mingw-openjpeg-1.5.1-8.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
