
OPENJPEG null ptr dereference in openjpeg-2.3.0/src/bin/jp2/convert.c:2243 #1152

Closed
yngweijs opened this issue Oct 9, 2018 · 6 comments

@yngweijs

yngweijs commented Oct 9, 2018

DESCRIPTION

OPENJPEG null ptr dereference in openjpeg-2.3.0/src/bin/jp2/convert.c:2243

VERSION
OPENJPEG-2.3.0

GDB Output

#0 0x0000555555560a5d in imagetopnm (image=0x555555a22660, outfile=0x7fffffffbcac "out.ppm", force_split=0) at /home/pwnjs/Desktop/openjpeg/openjpeg-2.3.0/src/bin/jp2/convert.c:2243
#1 0x000055555555a0e1 in main (argc=5, argv=0x7fffffffddf8) at /home/pwnjs/Desktop/openjpeg/openjpeg-2.3.0/src/bin/jp2/opj_decompress.c:1692
#2 0x00007ffff71e7b97 in __libc_start_main (main=0x5555555592ed, argc=5, argv=0x7fffffffddf8, init=, fini=, rtld_fini=, stack_end=0x7fffffffdde8) at ../csu/libc-start.c:310
#3 0x00005555555567aa in _start ()

GDB Information

pwndbg> print red
$1 = (int *) 0x0
pwndbg> print image->comps[compno].data
$2 = (OPJ_INT32 *) 0x0
pwndbg> c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x0000555555560a5d in imagetopnm (image=0x555555a22660, outfile=0x7fffffffbcac "out.ppm", force_split=0) at /home/pwnjs/Desktop/openjpeg/openjpeg-2.3.0/src/bin/jp2/convert.c:2243
2243 v = *red + adjustR;

Analysis

image->comps[compno].data = NULL and it was assigned to red, so when the program accesses red, a segmentation fault occurs.

PoC

Contact me at yngweijs@gmail.com or mayfeelyang@gmail.com if you need the PoC file.

@yngweijs
Author

yngweijs commented Oct 9, 2018

291554_FlipDeter.zip

@szukw000
Contributor

szukw000 commented Oct 9, 2018

@rouault ,
2018-10-09, openjpeg: Latest commit 0e6a555 17 days ago

I have made one change in opj_decompress.c and one in convert.c .

bin/opj_decompress -i 291554_FlipDeter -o 291554_FlipDeter.ppm

  1. Result of change in opj_decompress.c:
===============================================
The extension of this file is incorrect.
    FOUND ''. SHOULD BE '.j2k or .jpc or .j2c'
===============================================
  2. Result of change in convert.c:
imagetopnm data[1] == NULL
[ERROR] Outfile 291554_FlipDeter.ppm not generated

are_comps_similar() cannot be used.

FlipDeter.dif.zip

If you agree, I'll create a PR.
winfried

@hlef
Contributor

hlef commented Nov 5, 2018

This issue was assigned CVE-2018-18088.

FTR, how to reproduce: rename the PoC to "poc.jp2". Then: $ opj_decompress -i poc.jp2 -o /tmp/null.ppm

Analysis:

Image components might have NULL data pointer by defining a zero component size (in this case, zero component size is achieved by defining large horizontal sampling period dx = 254).

It looks very much like this NULL data pointer is a legit state, not handled at multiple places in the source code (not only in jp2!).

I'll submit a PR addressing these issues.

hlef added a commit to hlef/openjpeg that referenced this issue Nov 7, 2018
Tile components in a JP2 image might have null data pointer by defining a
zero component size (for example using large horizontal or vertical
sampling periods). This null data pointer leads to null image component
data pointer, causing crash when dereferenced without != null check in
imagetopnm.

Add != null check.

This commit addresses uclouvain#1152 (CVE-2018-18088).
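The two analyses above (a zero-size component leaving `comps[compno].data` NULL, and `imagetopnm` dereferencing it as `red`) can be reproduced in a small stand-alone model. The following is an added example written for this page; it is neither OpenJPEG's code nor the PoC from this thread. The struct layout is a cut-down stand-in for `opj_image_comp_t` / `opj_image_t`, the component-size rule is the JPEG 2000 one (`w = ceil(x1/dx) - ceil(x0/dx)`), and the image area `[1,200)` with `dx = 254` is a constructed input chosen so the width comes out zero; the writer `imagetopgm_safe` is a hypothetical PGM writer carrying the `!= NULL` check the fix adds, not OpenJPEG's `imagetopnm`.

```c
#include <stdio.h>
#include <stdlib.h>

/* Stand-ins for opj_image_comp_t / opj_image_t (assumption: only the fields
 * this example needs; the real OpenJPEG structs carry more). */
typedef struct {
    unsigned dx, dy;   /* sampling periods as signalled in the codestream */
    unsigned w, h;     /* component size in samples */
    unsigned prec;
    int sgnd;
    int *data;         /* stays NULL when w*h == 0: nothing is allocated */
} comp_t;

typedef struct {
    unsigned x0, y0, x1, y1;  /* image area on the reference grid */
    unsigned numcomps;
    comp_t *comps;
} image_t;

static unsigned ceildiv(unsigned a, unsigned b) { return (a + b - 1) / b; }

/* JPEG 2000 component size: w = ceil(x1/dx) - ceil(x0/dx). A dx larger than
 * the image area can make this 0, and a 0-sized component gets no buffer. */
void comp_dims(const image_t *img, comp_t *c) {
    c->w = ceildiv(img->x1, c->dx) - ceildiv(img->x0, c->dx);
    c->h = ceildiv(img->y1, c->dy) - ceildiv(img->y0, c->dy);
    c->data = (c->w && c->h) ? calloc((size_t)c->w * c->h, sizeof(int)) : NULL;
}

/* Hypothetical 8-bit PGM writer for component `compno` into `out`.
 * Returns bytes written, or -1 when the component has no data, which is the
 * CVE-2018-18088 state: the unchecked code did `v = *red + adjustR` with
 * red == NULL. */
int imagetopgm_safe(const image_t *img, unsigned compno,
                    unsigned char *out, size_t cap) {
    if (compno >= img->numcomps) return -1;
    const comp_t *c = &img->comps[compno];
    if (c->data == NULL || c->w == 0 || c->h == 0) {   /* the added check */
        fprintf(stderr, "imagetopgm: component %u has no data (w=%u h=%u)\n",
                compno, c->w, c->h);
        return -1;
    }
    int n = snprintf((char *)out, cap, "P5\n%u %u\n255\n", c->w, c->h);
    if (n < 0 || (size_t)n + (size_t)c->w * c->h > cap) return -1;
    const int *red = c->data;
    int adjustR = c->sgnd ? 1 << (c->prec - 1) : 0;
    for (size_t i = 0; i < (size_t)c->w * c->h; i++) {
        int v = *red++ + adjustR;   /* red is non-NULL here */
        if (v < 0) v = 0;
        if (v > 255) v = 255;
        out[n++] = (unsigned char)v;
    }
    return n;
}

/* Constructed one-component image over [x0,x1) x [0,8), dy = 1. */
image_t *make_image(unsigned x0, unsigned x1, unsigned dx) {
    image_t *img = calloc(1, sizeof *img);
    img->x0 = x0; img->x1 = x1; img->y0 = 0; img->y1 = 8;
    img->numcomps = 1;
    img->comps = calloc(1, sizeof(comp_t));
    img->comps[0].dx = dx; img->comps[0].dy = 1;
    img->comps[0].prec = 8; img->comps[0].sgnd = 0;
    comp_dims(img, &img->comps[0]);
    return img;
}

void free_image(image_t *img) {
    free(img->comps[0].data); free(img->comps); free(img);
}

/* dx = 254 over x in [1,200): ceil(200/254) - ceil(1/254) = 1 - 1 = 0,
 * so data is NULL and the writer must refuse. Returns 1 on that outcome. */
int demo_zero_width(void) {
    image_t *img = make_image(1, 200, 254);
    unsigned char buf[4096];
    int rc = imagetopgm_safe(img, 0, buf, sizeof buf);
    int was_null = img->comps[0].data == NULL;
    free_image(img);
    return (was_null && rc == -1) ? 1 : 0;
}

/* dx = 1 over [0,16): a 16x8 component, 12-byte header plus 128 samples. */
int demo_normal(void) {
    image_t *img = make_image(0, 16, 1);
    unsigned char buf[4096];
    int rc = imagetopgm_safe(img, 0, buf, sizeof buf);
    free_image(img);
    return rc;
}

int main(void) {
    printf("zero-width component refused: %d\n", demo_zero_width());
    printf("normal component bytes: %d\n", demo_normal());
    return 0;
}
```

The check is on `data` rather than only on `w`/`h` because, as the thread notes, a NULL data pointer is a legitimate decoder state that can reach every output converter, so each writer has to treat "no samples" as an error of its own rather than trusting the caller.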
@hlef
Contributor

hlef commented Nov 15, 2018

I have PRed a patch addressing this issue, see #1160.

@hlef
Contributor

hlef commented Dec 10, 2018

@rouault this issue can be closed by the way, GitHub didn't recognize the "addresses"

@rouault
Collaborator

rouault commented Dec 10, 2018

ok, you need to add "fixes #XXXX" in the commit message so that github automatically closes an issue when a commit is merged

@rouault rouault closed this as completed Dec 10, 2018