Integer overflow in opj_t1_encode_cblks (src/lib/openjp2/t1.c) #1053
Comments

This issue was assigned CVE-2018-5727
cf. PR #757. I see two distinct issues here.

First issue: This reproducer triggers a bug earlier, in src/bin/jp2/convertbmp.c (bmpmask32toimage):

Here, value is 2148742123 and blueMask is 3958107120, so value & blueMask (type OPJ_UINT32, 2147689440) becomes -2147277856 when cast to OPJ_INT32. These values are legit according to the BMP spec. This cast seems incorrect to me if value & blueMask > INT_MAX. Question: What is the meaning of negative data values in opj_image_comp_t? / What is the expected format of data values in opj_image_comp_t?

Second issue:

The original code assumed that the first T1_NMSEDEC_FRACBITS (6) bits of tiledp[tileIndex] are all zero. I don't understand this assumption. This is wrong in several cases, e.g. when tiledp[tileIndex] is negative. The changes introduced by PR #757 didn't fix the actual issue, namely that something wrong is assumed about the format or value of tiledp[tileIndex].
Hello,
Tested Systems: FreeBSD 12 & Ubuntu 18.04 LTS
Is this bug still relevant?
Yes, this bug is still affecting the master. Please make sure to build with at least

So is it still affected?
@ProbeFuzzer, @pesc,

[ERROR] Number of resolutions is too high in comparison to the size of tiles
FYI: FreeBSD currently blocks the install of openjpeg due to CVE-2018-5727. This breaks other ports that depend on openjpeg.

Just as a cross reference, there's a fairly long discussion regarding these vulns and work-arounds on the FreeBSD Forum.
As a workaround, you could set DISABLE_VULNERABILITIES to build openjpeg. It's described in /usr/ports/Mk/bsd.port.mk.
Fixes uclouvain#1053 / CVE-2018-5727

Note: I don't consider this issue to be a security vulnerability, in practice. At least with gcc or clang compilers on x86_64 which generate the same assembly code with or without that fix.
(This problem is discovered when UBSAN is enabled)

On openjpeg 2.3 (latest version):
There is an integer overflow in the opj_t1_encode_cblks function (src/lib/openjp2/t1.c), which could be triggered by the POC.

POC address: https://github.com/ProbeFuzzer/poc/blob/master/openjpeg/openjpeg_2-3_opj_compress_integer-overflow_opj_t1_encode_cblks.bmp

Command: opj_compress -n 1 -i $POC -o /tmp/null.j2k

openjpeg/master/src/src/lib/openjp2/t1.c:2173:55: runtime error: signed integer overflow: 322385710 * 64 cannot be represented in type 'int'
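As an added example (not openjpeg's own code), the two arithmetic steps discussed in this thread, checked on the values quoted above: the unsigned-to-signed narrowing of value & blueMask in the BMP reader, and the tiledp[tileIndex] << T1_NMSEDEC_FRACBITS shift behind the UBSAN report. The OPJ_INT32/OPJ_UINT32 typedefs and the helper names are assumptions for the purpose of this illustration; the unsigned-domain shift is one standard way to keep the operation defined, not necessarily the project's fix.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed typedefs and constant, named after those quoted in the thread. */
typedef int32_t  OPJ_INT32;
typedef uint32_t OPJ_UINT32;
#define T1_NMSEDEC_FRACBITS 6   /* the "* 64" in the UBSAN message */

/* First issue: (value & mask) only keeps its meaning as an OPJ_INT32 if
 * it fits in a signed 32-bit int. Returns 1 and stores the sample when it
 * does, 0 (with *out untouched) when the cast would flip the sign. */
int bmp_masked_to_int32(OPJ_UINT32 value, OPJ_UINT32 mask, OPJ_INT32 *out)
{
    OPJ_UINT32 masked = value & mask;
    if (masked > (OPJ_UINT32)INT32_MAX)
        return 0;
    *out = (OPJ_INT32)masked;
    return 1;
}

/* Second issue: v << T1_NMSEDEC_FRACBITS overflows whenever the top six
 * bits below the sign bit are in use. Checked by division so the test is
 * itself well defined for negative v. */
int nmsedec_shift_overflows(OPJ_INT32 v)
{
    const OPJ_INT32 scale = 1 << T1_NMSEDEC_FRACBITS;
    return v > INT32_MAX / scale || v < INT32_MIN / scale;
}

/* Do the shift in the unsigned domain, where it is defined behaviour, and
 * convert back (implementation-defined, modular on gcc/clang). The flag
 * tells the caller the result is a wrapped value, not the true product. */
OPJ_INT32 nmsedec_shift(OPJ_INT32 v, int *overflowed)
{
    *overflowed = nmsedec_shift_overflows(v);
    return (OPJ_INT32)((OPJ_UINT32)v << T1_NMSEDEC_FRACBITS);
}

int main(void)
{
    OPJ_INT32 sample = 0;
    int ovf = 0;
    /* Values quoted in the thread: value & blueMask = 2147689440 > INT_MAX. */
    printf("fits OPJ_INT32: %d\n", bmp_masked_to_int32(2148742123u, 3958107120u, &sample));
    /* Value from the UBSAN line: 322385710 * 64 does not fit. */
    (void)nmsedec_shift(322385710, &ovf);
    printf("shift overflows: %d\n", ovf);
    return 0;
}
```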