> [Suggested description]> jp2/opj_decompress.c in OpenJPEG through 2.3.1 has

1. > [Suggested description]
2. > jp2/opj_decompress.c in OpenJPEG through 2.3.1 has a
3. > use-after-free that can be triggered if there is a mix of valid and
4. > invalid files in a directory operated on by the decompressor.
5. > Triggering a double-free may also be possible. This is related to
6. > calling opj_image_destroy twice.
7. >
8. > ------------------------------------------
9. >
10. > [Additional Information]
11. > The issue emerges on the fulfillment of these conditions:
12. >
13. > There are more than one files in the directory.
14. > One of the files does not have a good header.
15. > One of the files does have a good header.
16. >
17. > This means that opj_image_destroy is called twice on the same image.
18. > The use-after-free is more specifically a read-after-free and occurs
19. > when opj_image_destroy tries to read from the image after it has been
20. > freed:
21. >
22. > 95 (image.c):
23. > if (image->comps)
24. >
25. > On the first iteration of:
26. >
27. > 1395 (opj_decompress.c):
28. > for (imageno = 0; imageno < num_images ; imageno++)
29. > The image is destroyed as per:
30. >
31. > 1773 (opj_decompress.c):
32. > /* free image data structure */
33. > opj_image_destroy(image);
34. > Then because there is a file in the Input/ directory, whose header
35. > cannot be read, a second call to opj_image_destroy occurs on the
36. > second iteration of the for loop at image.c:1395
37. >
38. > 1480 (opj_decompress.c):
39. > if (! opj_read_header(l_stream, l_codec, &image)) {
40. > fprintf(stderr, "ERROR -> opj_decompress: failed to read the header\n");
41. > opj_stream_destroy(l_stream);
42. > opj_destroy_codec(l_codec);
43. > opj_image_destroy(image);
44. > failed = 1;
45. > goto fin;
46. > }
47. >
48. > Note that there is a second iteration because that's how many files there are in the Input/ directory.
49. >
50. > ------------------------------------------
51. >
52. > [VulnerabilityType Other]
53. > Use-after-free
54. >
55. > ------------------------------------------
56. >
57. > [Vendor of Product]
58. > OpenJPEG
59. >
60. > ------------------------------------------
61. >
62. > [Affected Product Code Base]
63. > OpenJPEG - 2.3.1
64. >
65. > ------------------------------------------
66. >
67. > [Affected Component]
68. > /src/lib/openjp2/opj_malloc.c, /src/lib/openjp2/image.c, /src/bin/jp2/opj_decompress.c
69. >
70. > ------------------------------------------
71. >
72. > [Attack Type]
73. > Context-dependent
74. >
75. > ------------------------------------------
76. >
77. > [Impact Code execution]
78. > true
79. >
80. > ------------------------------------------
81. >
82. > [CVE Impact Other]
83. > It may or may not lead to code execution in the case that malloc's freelist can be tampered with in a controller manner.
84. >
85. > ------------------------------------------
86. >
87. > [Attack Vectors]
88. > To exploit this vulnerability, someone must be induced to run the
89. > decompressor on a crafted directory which contains at least one valid
90. > .jp2 file and at least one invalid file. I used a .jp2 file and a .jpm
91. > file placed in an Inputs/ directory along with the command:
92. > ./opj_decompress -ImgDir Inputs/ -OutFor PGM
93. >
94. > ------------------------------------------
95. >
96. > [Reference]
97. > https://github.com/uclouvain/openjpeg/issues/1261
98. >
99. > ------------------------------------------
100. >
101. > [Has vendor confirmed or acknowledged the vulnerability?]
102. > true
103. >
104. > ------------------------------------------
105. >
106. > [Discoverer]
107. > Jayden Awarau