DESCRIPTION
An out-of-bounds write can occur in the function opj_mqc_byteout of mqc.c while running opj_compress. The issue is triggered by a malformed BMP file.
CREDIT
This vulnerability was discovered by Ke Liu of Tencent's Xuanwu LAB.
EXCEPTION LOG
==119535==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eeb5
at pc 0x7f1b2f0154c2 bp 0x7ffec8559cc0 sp 0x7ffec8559cb8
WRITE of size 1 at 0x60200000eeb5 thread T0
#0 0x7f1b2f0154c1 in opj_mqc_byteout openjpeg-master/src/lib/openjp2/mqc.c:221:13
#1 0x7f1b2f014bec in opj_mqc_flush openjpeg-master/src/lib/openjp2/mqc.c:421:2
#2 0x7f1b2f042190 in opj_t1_encode_cblk openjpeg-master/src/lib/openjp2/t1.c:1685:3
#3 0x7f1b2f040929 in opj_t1_encode_cblks openjpeg-master/src/lib/openjp2/t1.c:1539:7
#4 0x7f1b2f06950d in opj_tcd_t1_encode openjpeg-master/src/lib/openjp2/tcd.c:2052:15
#5 0x7f1b2f067b66 in opj_tcd_encode_tile openjpeg-master/src/lib/openjp2/tcd.c:1240:23
#6 0x7f1b2efecc4f in opj_j2k_write_sod openjpeg-master/src/lib/openjp2/j2k.c:4358:15
#7 0x7f1b2efea900 in opj_j2k_write_first_tile_part openjpeg-master/src/lib/openjp2/j2k.c:10659:15
#8 0x7f1b2efc6d65 in opj_j2k_post_write_tile openjpeg-master/src/lib/openjp2/j2k.c:10448:15
#9 0x7f1b2efc52c7 in opj_j2k_encode openjpeg-master/src/lib/openjp2/j2k.c:10199:23
#10 0x7f1b2f00367c in opj_jp2_encode openjpeg-master/src/lib/openjp2/jp2.c:1955:9
#11 0x7f1b2f01b304 in opj_encode openjpeg-master/src/lib/openjp2/openjpeg.c:737:11
#12 0x4edc7d in main openjpeg-master/src/bin/jp2/opj_compress.c:1877:36
#13 0x7f1b2d77682f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
#14 0x41a898 in _start (openjpeg-master/bin/opj_compress+0x41a898)
0x60200000eeb5 is located 0 bytes to the right of 5-byte region [0x60200000eeb0,0x60200000eeb5)
allocated by thread T0 here:
#0 0x4ba9c8 in malloc (openjpeg-master/bin/opj_compress+0x4ba9c8)
#1 0x7f1b2f07369c in opj_malloc openjpeg-master/src/lib/openjp2/opj_malloc.c:195:10
#2 0x7f1b2f06ed5f in opj_tcd_code_block_enc_allocate_data openjpeg-master/src/lib/openjp2/tcd.c:1097:36
#3 0x7f1b2f0664b0 in opj_tcd_init_tile openjpeg-master/src/lib/openjp2/tcd.c:1023:14
#4 0x7f1b2f0604e6 in opj_tcd_init_encode_tile openjpeg-master/src/lib/openjp2/tcd.c:1055:9
#5 0x7f1b2efc57d3 in opj_j2k_pre_write_tile openjpeg-master/src/lib/openjp2/j2k.c:10300:15
#6 0x7f1b2efc4d8d in opj_j2k_encode openjpeg-master/src/lib/openjp2/j2k.c:10146:23
#7 0x7f1b2f00367c in opj_jp2_encode openjpeg-master/src/lib/openjp2/jp2.c:1955:9
#8 0x7f1b2f01b304 in opj_encode openjpeg-master/src/lib/openjp2/openjpeg.c:737:11
#9 0x4edc7d in main openjpeg-master/src/bin/jp2/opj_compress.c:1877:36
#10 0x7f1b2d77682f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
SUMMARY: AddressSanitizer: heap-buffer-overflow openjpeg-master/src/lib/openjp2/mqc.c:221:13 in opj_mqc_byteout
Shadow bytes around the buggy address:
0x0c047fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 05 fa
0x0c047fff9da0: fa fa 00 01 fa fa 05 fa fa fa 00 01 fa fa 05 fa
0x0c047fff9db0: fa fa 00 01 fa fa 05 fa fa fa 00 01 fa fa 05 fa
0x0c047fff9dc0: fa fa 00 01 fa fa 05 fa fa fa 00 01 fa fa 05 fa
=>0x0c047fff9dd0: fa fa 00 01 fa fa[05]fa fa fa 00 01 fa fa 00 fa
0x0c047fff9de0: fa fa fd fd fa fa fd fd fa fa 00 00 fa fa 04 fa
0x0c047fff9df0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==119535==ABORTING
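A report like the one above is usually the first artefact a fuzzing pipeline has to triage. The following Python, an added example that is not part of this issue or of OpenJPEG, parses the essential lines of the report quoted here (embedded as a constructed sample) into the overflow geometry and a deduplication signature; the regular expressions and the set of allocator wrapper names are assumptions about the ASan report format.

```python
import re

# Constructed sample: the essential lines of the AddressSanitizer report quoted in this issue.
SAMPLE_REPORT = """\
==119535==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eeb5
WRITE of size 1 at 0x60200000eeb5 thread T0
    #0 0x7f1b2f0154c1 in opj_mqc_byteout openjpeg-master/src/lib/openjp2/mqc.c:221:13
    #1 0x7f1b2f014bec in opj_mqc_flush openjpeg-master/src/lib/openjp2/mqc.c:421:2
0x60200000eeb5 is located 0 bytes to the right of 5-byte region [0x60200000eeb0,0x60200000eeb5)
allocated by thread T0 here:
    #0 0x4ba9c8 in malloc (openjpeg-master/bin/opj_compress+0x4ba9c8)
    #1 0x7f1b2f07369c in opj_malloc openjpeg-master/src/lib/openjp2/opj_malloc.c:195:10
    #2 0x7f1b2f06ed5f in opj_tcd_code_block_enc_allocate_data openjpeg-master/src/lib/openjp2/tcd.c:1097:36
"""

# Assumed line shapes of an ASan heap report (they match the report quoted in this issue).
ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address 0x[0-9a-f]+")
ACCESS_RE = re.compile(r"^\s*(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x(?P<addr>[0-9a-f]+)", re.M)
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)")
REGION_RE = re.compile(r"is located \d+ bytes to the (?:left|right) of (?P<size>\d+)-byte region "
                       r"\[0x(?P<lo>[0-9a-f]+),0x(?P<hi>[0-9a-f]+)\)")
ALLOC_WRAPPERS = {"malloc", "calloc", "realloc", "opj_malloc", "opj_calloc", "opj_realloc"}  # assumed wrapper names

def parse_asan_report(text):
    """Extract the bug kind, the faulting access, both stacks and the overflow geometry."""
    err, acc, reg = ERROR_RE.search(text), ACCESS_RE.search(text), REGION_RE.search(text)
    access_frames, alloc_frames = [], []
    frames = access_frames
    for line in text.splitlines():
        if line.startswith("allocated by"):
            frames = alloc_frames  # frames after this line describe the allocation site
        f = FRAME_RE.match(line)
        if f:
            frames.append((f["func"], f["loc"]))
    if not (err and acc and reg and access_frames):
        raise ValueError("not a recognised ASan heap access report")
    addr, size, lo, hi = int(acc["addr"], 16), int(acc["size"]), int(reg["lo"], 16), int(reg["hi"], 16)
    return {
        "kind": err["kind"], "op": acc["op"], "access_size": size,
        "region_size": int(reg["size"]),
        "offset_in_region": addr - lo,               # 5 here: equal to the region size, i.e. one past the end
        "bytes_past_end": max(0, addr + size - hi),  # 1 here: a single byte written into the right redzone
        "fault_func": access_frames[0][0], "fault_loc": access_frames[0][1],
        "alloc_func": next((fn for fn, _ in alloc_frames if fn not in ALLOC_WRAPPERS), None),
        "access_frames": access_frames, "alloc_frames": alloc_frames,
    }

def crash_signature(info, depth=3):
    """Stable key for deduplicating fuzzer crashes: bug kind, access type and the top frames."""
    return (info["kind"], info["op"]) + tuple(fn for fn, _ in info["access_frames"][:depth])
```

For this report the parser yields a 1-byte WRITE at offset 5 of a 5-byte region allocated in opj_tcd_code_block_enc_allocate_data, which is the information needed to group further crashes on the same site.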
TESTED VERSION
Master version of OpenJPEG (805972f, 2016/09/12)