Out-of-Bounds Write issue caused by integer overflow that can occur in function convert_8u32s_C1R()(openjpeg-2.1.2/src/bin/jp2/convert.c:368). #871
Comments
|
Has been fixed by #895 |
|
The vulnerability described in this issue was assigned CVE-2016-9580 https://www.openwall.com/lists/oss-security/2016/12/09/4 The fix is not in #895. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
DESCRIPTION
There is an out-of-bound write issue caused by integer overflow that can occur in function convert_8u32s_C1R()(openjpeg-2.1.2/src/bin/jp2/convert.c:368).
This issue can be caused by a malformed TIFF file.
VERSION
OPENJPEG-2.1.2
Address Sanitizer Output
==61712==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000006380 at pc 0x00000040f586 bp 0x7fffffff7d20 sp 0x7fffffff7d10
READ of size 1 at 0x619000006380 thread T0
#0 0x40f585 in convert_8u32s_C1R /home/kirito/Desktop/fuzz/openjpeg-2.1.2/src/bin/jp2/convert.c:368
#1 0x4466ab in tiftoimage /home/kirito/Desktop/fuzz/openjpeg-2.1.2/src/bin/jp2/converttif.c:1430
#2 0x40b941 in main /home/kirito/Desktop/fuzz/openjpeg-2.1.2/src/bin/jp2/opj_compress.c:1739
#3 0x7ffff5df982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#4 0x4037f8 in _start (/home/kirito/Desktop/fuzz/openjpeg-2.1.2/build/asan-dbg-bin/tif_crashes/analysis/opj_compress+0x4037f8)
0x619000006380 is located 0 bytes to the right of 1024-byte region [0x619000005f80,0x619000006380)
allocated by thread T0 here:
#0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x4464d1 in tiftoimage /home/kirito/Desktop/fuzz/openjpeg-2.1.2/src/bin/jp2/converttif.c:1399
#2 0x40b941 in main /home/kirito/Desktop/fuzz/openjpeg-2.1.2/src/bin/jp2/opj_compress.c:1739
#3 0x7ffff5df982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/kirito/Desktop/fuzz/openjpeg-2.1.2/src/bin/jp2/convert.c:368 convert_8u32s_C1R
Shadow bytes around the buggy address:
0x0c327fff8c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8c70:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==61712==ABORTING
Analysis and PoC
This attachment includes poc and ananalysis document.
poc1+analysis1.zip
Author
name: chunibalon of VARAS@IIE
email: chunibalon@gmail.com
The text was updated successfully, but these errors were encountered: