- > [Suggested description]
- > jp2/opj_decompress.c in OpenJPEG through 2.3.1 has a
- > use-after-free that can be triggered if there is a mix of valid and
- > invalid files in a directory operated on by the decompressor.
- > Triggering a double-free may also be possible. This is related to
- > calling opj_image_destroy twice.
- >
- > ------------------------------------------
- >
- > [Additional Information]
- > The issue emerges on the fulfillment of these conditions:
- >
- > There are more than one files in the directory.
- > One of the files does not have a good header.
- > One of the files does have a good header.
- >
- > This means that opj_image_destroy is called twice on the same image.
- > The use-after-free is more specifically a read-after-free and occurs
- > when opj_image_destroy tries to read from the image after it has been
- > freed:
- >
- > 95 (image.c):
- > if (image->comps)
- >
- > On the first iteration of:
- >
- > 1395 (opj_decompress.c):
- > for (imageno = 0; imageno < num_images ; imageno++)
- > The image is destroyed as per:
- >
- > 1773 (opj_decompress.c):
- > /* free image data structure */
- > opj_image_destroy(image);
- > Then, because there is a file in the Input/ directory whose header
- > cannot be read, a second call to opj_image_destroy occurs on the
- > second iteration of the for loop at opj_decompress.c:1395
- >
- > 1480 (opj_decompress.c):
- >     if (! opj_read_header(l_stream, l_codec, &image)) {
- >         fprintf(stderr, "ERROR -> opj_decompress: failed to read the header\n");
- >         opj_stream_destroy(l_stream);
- >         opj_destroy_codec(l_codec);
- >         opj_image_destroy(image);
- >         failed = 1;
- >         goto fin;
- >     }
- >
- > Note that there is a second iteration because that's how many files there are in the Input/ directory.
- >
- > ------------------------------------------
- >
- > [VulnerabilityType Other]
- > Use-after-free
- >
- > ------------------------------------------
- >
- > [Vendor of Product]
- > OpenJPEG
- >
- > ------------------------------------------
- >
- > [Affected Product Code Base]
- > OpenJPEG - 2.3.1
- >
- > ------------------------------------------
- >
- > [Affected Component]
- > /src/lib/openjp2/opj_malloc.c, /src/lib/openjp2/image.c, /src/bin/jp2/opj_decompress.c
- >
- > ------------------------------------------
- >
- > [Attack Type]
- > Context-dependent
- >
- > ------------------------------------------
- >
- > [Impact Code execution]
- > true
- >
- > ------------------------------------------
- >
- > [CVE Impact Other]
- > It may or may not lead to code execution, in the case that malloc's freelist can be tampered with in a controlled manner.
- >
- > ------------------------------------------
- >
- > [Attack Vectors]
- > To exploit this vulnerability, someone must be induced to run the
- > decompressor on a crafted directory which contains at least one valid
- > .jp2 file and at least one invalid file. I used a .jp2 file and a .jpm
- > file placed in an Inputs/ directory along with the command:
- > ./opj_decompress -ImgDir Inputs/ -OutFor PGM
- >
- > ------------------------------------------
- >
- > [Reference]
- > https://github.com/uclouvain/openjpeg/issues/1261
- >
- > ------------------------------------------
- >
- > [Has vendor confirmed or acknowledged the vulnerability?]
- > true
- >
- > ------------------------------------------
- >
- > [Discoverer]
- > Jayden Awarau