Internet Bug Bounty report, reported by binvul
# CVE-2016-1924 OpenJPEG opj_tgt_reset Out-of-Bounds Read Vulnerability
## 1. About OpenJPEG
OpenJPEG is an open-source JPEG 2000 codec written in C. It is packaged and widely used by many Linux distributions, including Ubuntu, Red Hat, Debian and Fedora. The official repository of the OpenJPEG project is available on [GitHub](https://github.com/uclouvain/openjpeg).
## 2. Credit
This vulnerability was discovered by Ke Liu of Tencent's Xuanwu LAB.
## 3. Testing Environments
+ **OS**: Ubuntu
+ **OpenJPEG**: [44a499f](https://github.com/uclouvain/openjpeg/archive/44a499f2acf10b55172d07abf387e5a579a585f7.zip) (Master version before May/6/2016)
+ **Compiler**: Clang
+ **CFLAGS**: ``-g -O0 -fsanitize=address``
## 4. Reproduce Steps
Copy the file ``poc.j2k`` to the directory ``openjpeg/bin`` before running ``opj_decompress``.
```
wget https://github.com/uclouvain/openjpeg/archive/44a499f2acf10b55172d07abf387e5a579a585f7.zip
unzip -q 44a499f2acf10b55172d07abf387e5a579a585f7.zip
mv openjpeg-44a499f2acf10b55172d07abf387e5a579a585f7 openjpeg
cd openjpeg
export CC='/usr/bin/clang -g -O0 -fsanitize=address'
cmake .
make
cd bin
./opj_decompress -o image.pgm -i poc.j2k
```
## 5. Vulnerability Details
AddressSanitizer reported the following error: a SEGV in ``opj_tgt_reset`` (tgt.c:241), reached from ``opj_t2_read_packet_header`` while decoding the tile's packets.
```
==118102==ERROR: AddressSanitizer: SEGV on unknown address 0x00009fff8002
(pc 0x7fed0283b093 bp 0x7ffed1ced650 sp 0x7ffed1ced5e0 T0)
#0 0x7fed0283b092 in opj_tgt_reset openjpeg/src/lib/openjp2/tgt.c:241:34
#1 0x7fed0281cc26 in opj_t2_read_packet_header openjpeg/src/lib/openjp2/t2.c:874:33
#2 0x7fed0281bb4e in opj_t2_decode_packet openjpeg/src/lib/openjp2/t2.c:536:15
#3 0x7fed0281b0c5 in opj_t2_decode_packets openjpeg/src/lib/openjp2/t2.c:422:39
#4 0x7fed028347df in opj_tcd_t2_decode openjpeg/src/lib/openjp2/tcd.c:1546:15
#5 0x7fed02834512 in opj_tcd_decode_tile openjpeg/src/lib/openjp2/tcd.c:1285:15
#6 0x7fed02782cfb in opj_j2k_decode_tile openjpeg/src/lib/openjp2/j2k.c:8134:15
#7 0x7fed027b09d4 in opj_j2k_decode_tiles openjpeg/src/lib/openjp2/j2k.c:9757:23
#8 0x7fed027797ed in opj_j2k_exec openjpeg/src/lib/openjp2/j2k.c:7350:41
#9 0x7fed0278c8be in opj_j2k_decode openjpeg/src/lib/openjp2/j2k.c:9955:15
#10 0x7fed027e4806 in opj_decode openjpeg/src/lib/openjp2/openjpeg.c:412:10
#11 0x4f166f in main openjpeg/src/bin/jp2/opj_decompress.c:1332:10
#12 0x7fed00f4182f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
#13 0x41a978 in _start (openjpeg/bin/opj_decompress+0x41a978)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV openjpeg/src/lib/openjp2/tgt.c:241:34 in opj_tgt_reset
==118102==ABORTING
```
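Recognising that Issue 775 was a duplicate of CVE-2016-1924 is exactly the triage step a fuzzing pipeline automates: bucket each sanitizer report by the first frame inside the library under test. As an added example (not code from the original report or from OpenJPEG), the Python below parses the ASan output above into its error kind, faulting address and frames, and derives a crash-bucket key; the ``openjpeg/src/lib/`` prefix is an assumption taken from the paths in the trace.

```python
import re

# AddressSanitizer report copied from the CVE-2016-1924 advisory above,
# trimmed to the lines the parser needs.
ASAN_REPORT = """\
==118102==ERROR: AddressSanitizer: SEGV on unknown address 0x00009fff8002
    #0 0x7fed0283b092 in opj_tgt_reset openjpeg/src/lib/openjp2/tgt.c:241:34
    #11 0x4f166f in main openjpeg/src/bin/jp2/opj_decompress.c:1332:10
    #12 0x7fed00f4182f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
SUMMARY: AddressSanitizer: SEGV openjpeg/src/lib/openjp2/tgt.c:241:34 in opj_tgt_reset
==118102==ABORTING
"""

ERROR_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: ([\w-]+)"
                      r"(?: on (?:unknown )?address (0x[0-9a-f]+))?")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+)")
LOC_RE = re.compile(r"^(.+?):(\d+)(?::\d+)?$")   # path:line[:column]

def parse_asan_report(text):
    """Return error kind, pid, faulting address and (no, func, loc) frames."""
    info = {"kind": None, "pid": None, "address": None, "frames": []}
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            info["pid"], info["kind"], info["address"] = int(m[1]), m[2], m[3]
            continue
        m = FRAME_RE.match(line)
        if m:
            info["frames"].append((int(m[1]), m[2], m[3]))
    return info

def culprit_frame(info, project_prefix="openjpeg/src/lib/"):
    """First frame inside the library (skips the CLI harness and libc)."""
    for _, func, loc in info["frames"]:
        if loc.startswith(project_prefix):
            return func, loc
    return None

def bucket_key(info, project_prefix="openjpeg/src/lib/"):
    """Dedup key: error kind plus culprit function, file and line (no column)."""
    frame = culprit_frame(info, project_prefix)
    if frame is None:
        return f"{info['kind']}@<outside-project>"
    func, loc = frame
    m = LOC_RE.match(loc)
    where = f"{m[1].rsplit('/', 1)[-1]}:{m[2]}" if m else loc
    return f"{info['kind']}@{func}:{where}"
```

Two fuzzing crashes with the same key are candidates for the same bug, which is the check that would have flagged Issue 775 against the earlier oss-sec report had its PoC been run through the same pipeline.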
## 6. Timeline
+ 2016.05.05 - Found
+ 2016.05.06 - Reported to OpenJPEG via [Issue775](https://github.com/uclouvain/openjpeg/issues/775)
+ 2016.05.09 - Fixed
## 7. Remarks
This issue was originally found by limingxing on Jan/18/2016, who disclosed the details at [oss-sec/2016/q1/128](http://seclists.org/oss-sec/2016/q1/128); CVE-2016-1924 was assigned for it.
However, limingxing did not report this issue to OpenJPEG's official developers, so it did not get fixed. On May/5/2016, I found it independently and reported it to OpenJPEG's official developers. OpenJPEG fixed it on May/9/2016 after my report.
The following message was copied from [oss-sec/2016/q2/333](http://seclists.org/oss-sec/2016/q2/333).
> From: WinsonLiu <stackexploit () gmail com>
>
>> From: Moritz Muehlenhoff <jmm () debian org>
>>
>>> From: WinsonLiu <stackexploit () gmail com>
>>>
>>> Hi,
>>> Some security issues of OpenJPEG have been fixed. Please consider assigning CVE numbers to them.
>>> 2. Issue 775
>>> OpenJPEG Out-of-Bounds Access in function opj_tgt_reset of tgt.c
>>> Fixed via https://github.com/uclouvain/openjpeg/commit/1a8318f6c24623189ecb65e049267c6f2e005c0e
>>
>> Is that a different issue than CVE-2016-1924?
>
> You are right. Issue 775 was a duplicate of CVE-2016-1924.
>
> I didn't notice that limingxing had reported this issue (reported at
> http://seclists.org/oss-sec/2016/q1/128 and assigned CVE-2016-1924). I have
> tested the proof-of-concept file supplied by limingxing and confirmed that
> issue 775 was a duplicate of CVE-2016-1924. It seems that limingxing did
> not report it to the official developers because I could not find any
> information about this issue on GitHub and the official developers did not
> fix it for a long time. I thought this was a new issue and reported it to
> them after I did some fuzz testing. Anyway, this issue has been fixed by
> the official developers now.
>
> Regards,
> Ke Liu of Tencent's Xuanwu LAB
Related CVE: CVE-2016-1924. The opj_tgt_reset function in OpenJpeg 2016.1.18 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG 2000 image.
Report state: Closed (Resolved). Weakness: Memory Corruption - Generic.