Bug 1267983 - (CVE-2015-6581) CVE-2015-6581 openjpeg: Double free vulnerability in opj_j2k_copy_default_tcp_and_create_tcd
CVE-2015-6581 openjpeg: Double free vulnerability in opj_j2k_copy_default_tcp...
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 1267986 1267987 1267988 1267989
Blocks: 1267985
  Show dependency treegraph
Reported: 2015-10-01 10:06 EDT by Adam Mariš
Modified: 2015-10-28 00:42 EDT (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2015-10-28 00:42:23 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Adam Mariš 2015-10-01 10:06:56 EDT
Double-free vulnerability was found in opj_j2k_copy_default_tcp_and_create_tcd function in j2k.c in OpenJPEG before r3002, as used in PDFium in Google Chrome before 45.0.2454.85, allowing remote attacker to execute arbitrary code or cause a denial of service (heap memory corruption) by triggering a memory-allocation failure.

The opj_j2k_copy_default_tcp_and_create_tcp() function memcpy's a top-level
struct and then replaces pointers to memory owned by the original struct
with new blocks of memory. Unfortunately, an early return can leave the
copy with pointers to memory it doesn't own, which causes problems when
cleaning up the partially-initialized struct.

Upstream bug:


Upstream patch:

Comment 1 Adam Mariš 2015-10-01 10:15:45 EDT
Created openjpeg tracking bugs for this issue:

Affects: fedora-all [bug 1267987]
Comment 2 Adam Mariš 2015-10-01 10:15:50 EDT
Created mingw-openjpeg tracking bugs for this issue:

Affects: fedora-all [bug 1267988]
Comment 3 Adam Mariš 2015-10-01 10:15:54 EDT
Created openjpeg2 tracking bugs for this issue:

Affects: fedora-all [bug 1267989]
Comment 4 Huzaifa S. Sidhpurwala 2015-10-28 00:42:23 EDT
Please Note:

This seems to be valid for openjpeg2 only. The code has been redesigned completely and the upstream patch only applies to the openjpeg2 code. There's no such function call in openjpeg 1.5.1. (As per bug #1267987). Since Red Hat Enterprise Linux does not ship openjpeg2, it is not affected.


Not vulnerable. This issue did not affect the versions of openjpeg as shipped
with Red Hat Enterprise Linux 6 and 7.

Note You need to log in before you can comment on or make changes to this bug.