Bug 1082925 - openjpeg: Heap-based buffer overflow in JPEG2000 image tile decoder
Summary: openjpeg: Heap-based buffer overflow in JPEG2000 image tile decoder
Keywords:
Status: CLOSED DUPLICATE of bug 1037945
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: CVE-2013-1447 1038411 1082995 1082996 1082997 1082998
Blocks: 1082926
Reported: 2014-04-01 06:20 UTC by Huzaifa S. Sidhpurwala
Modified: 2021-02-17 06:43 UTC
5 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-04-02 08:58:06 UTC
Embargoed:


Attachments
Make sure error is propagated to the parent function (610 bytes, patch)
2014-04-01 08:23 UTC, Huzaifa S. Sidhpurwala

Description Huzaifa S. Sidhpurwala 2014-04-01 06:20:47 UTC
A heap-based buffer overflow was found in the way openjpeg parsed certain image files from a JPEG2000 image. If a specially-crafted image were opened by an application linked against OpenJPEG, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.

Comment 1 Huzaifa S. Sidhpurwala 2014-04-01 06:29:47 UTC

When decoding the specially-crafted image, tcd_decode_tile() fails at:

1400         if (tilec->data == NULL)
1401         {
1402             opj_event_msg(tcd->cinfo, EVT_ERROR, "Out of memory\n");
1403             return OPJ_FALSE;
1404         }

It returns OPJ_FALSE, which is recorded into j2k->state in j2k_read_eoc() at:

1670                                 success = tcd_decode_tile(tcd, j2k->tile_data[tileno], j2k->tile_len[tileno], tileno, j2k->cstr_info);

..
..

1677                         if (success == OPJ_FALSE) {
1678                                 j2k->state |= J2K_STATE_ERR;
1679                                 break;

However this error is not acknowledged by the upstream calling function j2k_decode() at:

2013         if (j2k->state == J2K_STATE_NEOC) {
2014                 j2k_read_eoc(j2k);
2015         }
2016 

So the calling stack is:

j2k_decode()                   < Not acknowledged here!
----> j2k_read_eoc()           < Propagates here
      ----> tcd_decode_tile()  < Error here

This results in the image being treated as valid, though it may be invalid; this can result in a heap-buffer OOB read/write, depending on how the image is crafted.

Comment 2 Huzaifa S. Sidhpurwala 2014-04-01 08:23:50 UTC
Created attachment 881241 [details]
Make sure error is propagated to the parent function

Comment 4 Huzaifa S. Sidhpurwala 2014-04-01 09:50:37 UTC
Acknowledgements:

This issue was discovered by Martin Kyra of the Red Hat QE Team.

Comment 6 Huzaifa S. Sidhpurwala 2014-04-01 09:55:05 UTC
Created openjpeg tracking bugs for this issue:

Affects: fedora-all [bug 1082996]
Affects: epel-5 [bug 1082998]

Comment 7 Huzaifa S. Sidhpurwala 2014-04-01 09:55:08 UTC
Created mingw-openjpeg tracking bugs for this issue:

Affects: fedora-all [bug 1082997]

Comment 8 Rex Dieter 2014-04-01 16:23:58 UTC
Looking into openjpeg-1.5.2, and the proposed patch here doesn't apply. The code prior to where this fit in now contains:

        if (j2k->state == J2K_STATE_NEOC) {
                j2k_read_eoc(j2k);
                /* Check one last time for errors during decoding before returning */
                if (j2k->state & J2K_STATE_ERR) {
                        opj_image_destroy(image);
                        return NULL;
                }
        }


Which looks like it may be sufficient.
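
The propagation gap described in Comment 1 and the "check one last time" test quoted in Comment 8 can be reproduced in a small constructed model. The program below is an added example, not OpenJPEG code: the function names and state bits (model_j2k_decode, model_j2k_read_eoc, model_tcd_decode_tile, J2K_STATE_NEOC, J2K_STATE_ERR) echo the library's, but the bodies, the flag values, the tile sizes and the allocation budget are all assumptions chosen so that one tile "fails to allocate". The unchecked variant hands back an image object even though j2k->state carries J2K_STATE_ERR, which is the behaviour the report describes; the checked variant destroys the image and returns NULL, as the 1.5.2 code in Comment 8 does.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the call chain in Comment 1 and the check in Comment 8.
 * Names echo OpenJPEG's (j2k_decode, j2k_read_eoc, tcd_decode_tile, J2K_STATE_*)
 * but every body and flag value here is a stand-in, not the library's code. */

typedef int opj_bool;
#define OPJ_TRUE  1
#define OPJ_FALSE 0
#define J2K_STATE_NEOC 0x0100 /* assumed value */
#define J2K_STATE_ERR  0x8000 /* assumed value */

/* Outcomes reported by model_demo() */
#define MODEL_REJECTED     0 /* decoder returned NULL: error honoured */
#define MODEL_VALID        1 /* image returned and no error recorded */
#define MODEL_BUGGY_ACCEPT 2 /* image returned although J2K_STATE_ERR is set */

typedef struct {
    int state;               /* decoder state bits */
    int tile_count;
    const size_t *tile_len;  /* constructed: bytes each tile would need */
    size_t alloc_limit;      /* constructed: budget that makes a tile "fail" */
} model_j2k_t;

typedef struct {
    int width, height;
    unsigned char *data;
} model_image_t;

static void model_image_destroy(model_image_t *img) {
    if (img) { free(img->data); free(img); }
}

/* Stands in for tcd_decode_tile(): the tile buffer cannot be allocated,
 * so the function reports OPJ_FALSE instead of a decoded tile. */
static opj_bool model_tcd_decode_tile(model_j2k_t *j2k, int tileno) {
    if (j2k->tile_len[tileno] > j2k->alloc_limit) {
        fprintf(stderr, "Out of memory (tile %d)\n", tileno);
        return OPJ_FALSE;
    }
    return OPJ_TRUE;
}

/* Stands in for j2k_read_eoc(): records the failure in j2k->state, as the
 * original does, but has no return value the caller could consult. */
static void model_j2k_read_eoc(model_j2k_t *j2k) {
    for (int tileno = 0; tileno < j2k->tile_count; tileno++) {
        if (model_tcd_decode_tile(j2k, tileno) == OPJ_FALSE) {
            j2k->state |= J2K_STATE_ERR;
            break;
        }
    }
}

/* Stands in for j2k_decode(). With check_state == OPJ_FALSE it behaves like
 * the path in Comment 1 (state never inspected after j2k_read_eoc); with
 * OPJ_TRUE it adds the "check one last time" test quoted in Comment 8. */
static model_image_t *model_j2k_decode(model_j2k_t *j2k, opj_bool check_state) {
    model_image_t *image = calloc(1, sizeof *image);
    if (!image) return NULL;
    image->width = 64; image->height = 64;
    image->data = calloc((size_t)image->width * image->height, 1);
    if (!image->data) { free(image); return NULL; }

    if (j2k->state == J2K_STATE_NEOC) {
        model_j2k_read_eoc(j2k);
        if (check_state && (j2k->state & J2K_STATE_ERR)) {
            model_image_destroy(image);
            return NULL;
        }
    }
    return image; /* unchecked path: handed back even if a tile never decoded */
}

/* Runs one scenario: two constructed tiles, the second oversized whenever
 * alloc_limit is below 5000. Returns one of the MODEL_* outcomes. */
static int model_demo(opj_bool check_state, size_t alloc_limit) {
    static const size_t tile_len[2] = { 100, 5000 }; /* constructed sizes */
    model_j2k_t j2k = { J2K_STATE_NEOC, 2, tile_len, alloc_limit };
    model_image_t *img = model_j2k_decode(&j2k, check_state);
    int outcome;
    if (img == NULL)
        outcome = MODEL_REJECTED;
    else
        outcome = (j2k.state & J2K_STATE_ERR) ? MODEL_BUGGY_ACCEPT : MODEL_VALID;
    model_image_destroy(img);
    return outcome;
}

int main(void) {
    printf("unchecked, tile fails: %d (2 = accepted with error flag set)\n",
           model_demo(OPJ_FALSE, 1000));
    printf("checked,   tile fails: %d (0 = rejected)\n", model_demo(OPJ_TRUE, 1000));
    printf("checked,   tiles fit : %d (1 = valid image)\n", model_demo(OPJ_TRUE, 8192));
    return 0;
}
```

The point the model makes is that j2k_read_eoc() has no return value, so the only channel for the tile failure is the J2K_STATE_ERR bit; any caller that does not test that bit after the call will treat a partially decoded image as complete, which is where the later out-of-bounds access comes from.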

Comment 9 Rex Dieter 2014-04-01 16:25:14 UTC
I guess one difference is that this doesn't include:
opj_event_msg(cinfo, EVT_ERROR, "Error in decoding tile\n");

Comment 10 Huzaifa S. Sidhpurwala 2014-04-02 08:58:06 UTC
This is a duplicate of CVE-2013-1447 as per:

http://www.openwall.com/lists/oss-security/2014/04/02/2

*** This bug has been marked as a duplicate of bug 1037945 ***

Comment 11 Fedora Update System 2014-04-15 15:37:19 UTC
mingw-openjpeg-1.5.1-8.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2014-04-15 15:44:22 UTC
mingw-openjpeg-1.5.1-8.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

