A heap-based buffer overflow was found in the way openjpeg parsed certain image files from a JPEG2000 image. If a specially-crafted image were opened by an application linked against OpenJPEG, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.
When decoding the specially-crafted image, tcd_decode_tile() fails at:

    1400     if (tilec->data == NULL)
    1401     {
    1402         opj_event_msg(tcd->cinfo, EVT_ERROR, "Out of memory\n");
    1403         return OPJ_FALSE;
    1404     }

It returns OPJ_FALSE, which is recorded into j2k->state in j2k_read_eoc() at:

    1670     success = tcd_decode_tile(tcd, j2k->tile_data[tileno], j2k->tile_len[tileno], tileno, j2k->cstr_info);
    ..
    ..
    1677     if (success == OPJ_FALSE) {
    1678         j2k->state |= J2K_STATE_ERR;
    1679         break;

However, this error is not acknowledged by the upstream calling function j2k_decode() at:

    2013     if (j2k->state == J2K_STATE_NEOC) {
    2014         j2k_read_eoc(j2k);
    2015     }
    2016

So the calling stack is:

    j2k_decode()              <---- Not acknowledged here!
      ----> j2k_read_eoc()    <---- Propagates here
        ----> tcd_decode_tile()   <---- Error here

This results in the image being treated as valid, though it may be invalid. This can result in a heap-buffer OOB read/write, depending on how the image is crafted.
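The propagation chain described in the report, as an added illustration that is not OpenJPEG code: a stand-in model of tcd_decode_tile(), j2k_read_eoc() and j2k_decode() in which the decoder's state word, the tile and image structures, and the flag values are constructed for the example. The "unchecked" decode mirrors the reported behaviour (j2k_read_eoc() sets J2K_STATE_ERR but the caller never inspects it, so a tile with no buffer is handed back as a decoded image); the "checked" decode applies the state test quoted later in this bug and refuses to return the image.

```c
/* Added illustration (not OpenJPEG code): a minimal model of the
 * j2k_decode() -> j2k_read_eoc() -> tcd_decode_tile() error path.
 * Function names mirror OpenJPEG; the structures and flag values below
 * are hypothetical stand-ins constructed for this example. */
#include <stdio.h>
#include <stdlib.h>

#define OPJ_TRUE  1
#define OPJ_FALSE 0

/* Constructed subset of the j2k->state flags. */
#define J2K_STATE_NEOC 0x0010
#define J2K_STATE_ERR  0x8000

typedef struct { int *data; size_t len; } tile_t;       /* tilec stand-in */
typedef struct { unsigned state; tile_t tile; } j2k_t;  /* opj_j2k_t stand-in */
typedef struct { int *pixels; size_t len; } image_t;    /* opj_image_t stand-in */

/* Models tcd_decode_tile(): a tile whose buffer was never allocated
 * (the "Out of memory" path) cannot be decoded and reports failure. */
static int tcd_decode_tile(j2k_t *j2k) {
    if (j2k->tile.data == NULL) {
        fprintf(stderr, "Out of memory\n");
        return OPJ_FALSE;
    }
    for (size_t i = 0; i < j2k->tile.len; i++)
        j2k->tile.data[i] = (int)i;          /* stand-in for real decoding */
    return OPJ_TRUE;
}

/* Models j2k_read_eoc(): the failure is recorded in j2k->state only. */
static void j2k_read_eoc(j2k_t *j2k) {
    if (tcd_decode_tile(j2k) == OPJ_FALSE)
        j2k->state |= J2K_STATE_ERR;
}

/* Models the reported j2k_decode(): j2k_read_eoc() runs, but J2K_STATE_ERR
 * is never examined, so the caller receives an image whose pixel buffer is
 * the tile buffer that was never allocated. */
static image_t *j2k_decode_unchecked(j2k_t *j2k) {
    image_t *image = calloc(1, sizeof *image);
    if (image == NULL) return NULL;
    if (j2k->state == J2K_STATE_NEOC) {
        j2k_read_eoc(j2k);
    }
    image->pixels = j2k->tile.data;   /* NULL here: any consumer reads/writes out of bounds */
    image->len = j2k->tile.len;
    return image;
}

/* Models the corrected j2k_decode(): test the error bit before returning,
 * release the partially built image, and signal failure with NULL. */
static image_t *j2k_decode_checked(j2k_t *j2k) {
    image_t *image = calloc(1, sizeof *image);
    if (image == NULL) return NULL;
    if (j2k->state == J2K_STATE_NEOC) {
        j2k_read_eoc(j2k);
        /* Check one last time for errors during decoding before returning */
        if (j2k->state & J2K_STATE_ERR) {
            fprintf(stderr, "Error in decoding tile\n");
            free(image);
            return NULL;
        }
    }
    image->pixels = j2k->tile.data;
    image->len = j2k->tile.len;
    return image;
}

/* Constructed input: the codestream announces a 64-sample tile but the tile
 * buffer allocation failed, leaving tilec->data NULL. */
static j2k_t make_bad_codestream(void) {
    j2k_t j2k = { J2K_STATE_NEOC, { NULL, 64 } };
    return j2k;
}

/* Constructed input: a tile backed by a real buffer. */
static j2k_t make_good_codestream(int *buf, size_t len) {
    j2k_t j2k = { J2K_STATE_NEOC, { buf, len } };
    return j2k;
}

int main(void) {
    j2k_t bad = make_bad_codestream();
    image_t *img = j2k_decode_unchecked(&bad);
    printf("unchecked: image=%s pixels=%s state_err=%d\n",
           img ? "returned" : "NULL",
           (img && img->pixels) ? "valid" : "NULL",
           (bad.state & J2K_STATE_ERR) != 0);
    free(img);

    j2k_t bad2 = make_bad_codestream();
    img = j2k_decode_checked(&bad2);
    printf("checked:   image=%s\n", img ? "returned" : "NULL");
    free(img);
    return 0;
}
```

The property a reviewer wants is that every status written into j2k->state by a callee is read by the caller that decides whether an image is handed back; the checked variant also frees the image it allocated so the error path does not leak it.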
Created attachment 881241: Make sure error is propagated to the parent function
Acknowledgements: This issue was discovered by Martin Kyra of the Red Hat QE Team.
Created openjpeg tracking bugs for this issue: Affects: fedora-all [bug 1082996] Affects: epel-5 [bug 1082998]
Created mingw-openjpeg tracking bugs for this issue: Affects: fedora-all [bug 1082997]
Looking into openjpeg-1.5.2, the proposed patch here doesn't apply. The code prior to where this fit in now contains:

    if (j2k->state == J2K_STATE_NEOC) {
        j2k_read_eoc(j2k);
        /* Check one last time for errors during decoding before returning */
        if (j2k->state & J2K_STATE_ERR) {
            opj_image_destroy(image);
            return NULL;
        }
    }

Which looks like it may be sufficient.
I guess one difference is that this doesn't include:

    opj_event_msg(cinfo, EVT_ERROR, "Error in decoding tile\n");
This is a duplicate of CVE-2013-1447 as per: http://www.openwall.com/lists/oss-security/2014/04/02/2 *** This bug has been marked as a duplicate of bug 1037945 ***
mingw-openjpeg-1.5.1-8.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
mingw-openjpeg-1.5.1-8.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.