Jun 29th, 2020
> [Suggested description]
> jp2/opj_decompress.c in OpenJPEG through 2.3.1 has a
> use-after-free that can be triggered if there is a mix of valid and
> invalid files in a directory operated on by the decompressor.
> Triggering a double-free may also be possible. This is related to
> calling opj_image_destroy twice.
>
> ------------------------------------------
>
> [Additional Information]
> The issue emerges when all of these conditions are met:
>
> There is more than one file in the directory.
> One of the files does not have a good header.
> One of the files does have a good header.
>
> This means that opj_image_destroy is called twice on the same image.
> The use-after-free is more specifically a read-after-free and occurs
> when opj_image_destroy tries to read from the image after it has been
> freed:
>
> 95 (image.c):
> if (image->comps)
>
> On the first iteration of:
>
> 1395 (opj_decompress.c):
> for (imageno = 0; imageno < num_images ; imageno++)
>
> the image is destroyed as per:
>
> 1773 (opj_decompress.c):
> /* free image data structure */
> opj_image_destroy(image);
>
> The `image` pointer is not reset after this call, so it still refers to
> the freed image on the next iteration. Then, because there is a file in
> the Input/ directory whose header cannot be read, a second call to
> opj_image_destroy occurs on the second iteration of the for loop at
> opj_decompress.c:1395, in the error path of the header read:
>
> 1480 (opj_decompress.c):
> if (! opj_read_header(l_stream, l_codec, &image)) {
>     fprintf(stderr, "ERROR -> opj_decompress: failed to read the header\n");
>     opj_stream_destroy(l_stream);
>     opj_destroy_codec(l_codec);
>     opj_image_destroy(image);
>     failed = 1;
>     goto fin;
> }
>
> Note that there is a second iteration because that is how many files there are in the Input/ directory.
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> Use-after-free
>
> ------------------------------------------
>
> [Vendor of Product]
> OpenJPEG
>
> ------------------------------------------
>
> [Affected Product Code Base]
> OpenJPEG - 2.3.1
>
> ------------------------------------------
>
> [Affected Component]
> /src/lib/openjp2/opj_malloc.c, /src/lib/openjp2/image.c, /src/bin/jp2/opj_decompress.c
>
> ------------------------------------------
>
> [Attack Type]
> Context-dependent
>
> ------------------------------------------
>
> [Impact Code execution]
> true
>
> ------------------------------------------
>
> [CVE Impact Other]
> It may or may not lead to code execution, depending on whether malloc's freelist can be tampered with in a controlled manner.
>
> ------------------------------------------
>
> [Attack Vectors]
> To exploit this vulnerability, someone must be induced to run the
> decompressor on a crafted directory which contains at least one valid
> .jp2 file and at least one invalid file. I used a .jp2 file and a .jpm
> file placed in an Inputs/ directory along with the command:
> ./opj_decompress -ImgDir Inputs/ -OutFor PGM
>
> ------------------------------------------
>
> [Reference]
> https://github.com/uclouvain/openjpeg/issues/1261
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Jayden Awarau
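The loop described under [Additional Information] and the directory layout under [Attack Vectors], modelled as an added example. This is not code from the report or from OpenJPEG: image_create, image_destroy and read_header are stand-ins for opj_image_create, opj_image_destroy and opj_read_header; the rule that a name ending in ".jp2" has a good header, the small registry of live allocations (which lets the stale destroy be counted instead of actually freeing twice), and the file list are all constructed for the demonstration. The buggy loop is placed beside the form that nulls the pointer after each destroy.

```c
/* Added example, not OpenJPEG code: a model of the opj_decompress.c loop. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    int *comps;     /* stands in for opj_image_t::comps */
    int  numcomps;
} image_t;

#define MAX_LIVE 16
static image_t *live[MAX_LIVE];  /* images currently allocated (model only) */
static int stale_destroys;       /* destroys of a pointer not in `live` */

static int is_live(const image_t *img)
{
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == img) return 1;
    return 0;
}

static image_t *image_create(int numcomps)
{
    image_t *img = calloc(1, sizeof *img);
    if (!img) abort();
    img->comps = calloc((size_t)numcomps, sizeof *img->comps);
    img->numcomps = numcomps;
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = img; break; }
    return img;
}

/* Stand-in for opj_image_destroy. The real function reads image->comps
 * (image.c:95) and then frees; on an already-freed pointer that read is the
 * read-after-free and the free() the double free. Here a pointer that is not
 * live is counted instead of dereferenced, so the program runs cleanly. */
static void image_destroy(image_t *img)
{
    if (!img) return;
    if (!is_live(img)) { stale_destroys++; return; }
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == img) live[i] = NULL;
    free(img->comps);
    free(img);
}

/* Stand-in for opj_read_header. Assumption: ".jp2" means a good header;
 * anything else fails and *out is left untouched, as for the bad file in
 * the report. */
static int read_header(const char *name, image_t **out)
{
    size_t n = strlen(name);
    if (n >= 4 && strcmp(name + n - 4, ".jp2") == 0) {
        *out = image_create(3);
        return 1;
    }
    return 0;
}

/* The loop as reported: `image` is declared outside the loop and never reset
 * after the destroy at the end of an iteration (line 1773), so the error
 * path's destroy (line 1480 block) runs on the previous iteration's freed
 * pointer. The real code jumps to a cleanup label; this model just moves on.
 * Returns the number of stale destroys observed. */
int run_buggy(const char **files, int nfiles)
{
    image_t *image = NULL;
    int before = stale_destroys;
    for (int i = 0; i < nfiles; i++) {
        if (!read_header(files[i], &image)) {
            fprintf(stderr, "ERROR -> failed to read the header of %s\n", files[i]);
            image_destroy(image);   /* stale: freed in the previous iteration */
            continue;
        }
        /* ... decode and write the image ... */
        image_destroy(image);       /* freed, but `image` still points here */
    }
    return stale_destroys - before;
}

/* Hardened form: null the pointer as soon as it is destroyed, so a later
 * destroy on the error path is a no-op. */
int run_fixed(const char **files, int nfiles)
{
    image_t *image = NULL;
    int before = stale_destroys;
    for (int i = 0; i < nfiles; i++) {
        if (!read_header(files[i], &image)) {
            fprintf(stderr, "ERROR -> failed to read the header of %s\n", files[i]);
            image_destroy(image);
            image = NULL;
            continue;
        }
        image_destroy(image);
        image = NULL;
    }
    return stale_destroys - before;
}

/* Constructed directory listings: good file before bad (the report's case),
 * and the reverse order, where no freed pointer is left over. */
static const char *GOOD_THEN_BAD[] = { "good.jp2", "bad.jpm" };
static const char *BAD_THEN_GOOD[] = { "bad.jpm", "good.jp2" };
int demo_buggy(void)     { return run_buggy(GOOD_THEN_BAD, 2); }
int demo_fixed(void)     { return run_fixed(GOOD_THEN_BAD, 2); }
int demo_bad_first(void) { return run_buggy(BAD_THEN_GOOD, 2); }

int main(void)
{
    printf("buggy loop, good then bad: %d stale destroy(s)\n", demo_buggy());
    printf("fixed loop, good then bad: %d stale destroy(s)\n", demo_fixed());
    printf("buggy loop, bad then good: %d stale destroy(s)\n", demo_bad_first());
    return 0;
}
```

The order matters: the stale destroy only happens when a file with a good header has already been processed and freed in an earlier iteration, which is why the report requires both a good and a bad file in the same directory. Under a real allocator the counted destroy would be the read of image->comps on freed memory followed by a second free().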