Internet Bug Bounty: CVE-2016-3183 OpenJPEG sycc422_to_rgb Out-of-Bounds Read Vulnerability

Source: hackerone.com, report H1:167947, submitted by binvul. Published Sep 13, 2016, 8:07 a.m.
EPSS: 0.008 (Low), percentile 82.0%

1. About OpenJPEG

OpenJPEG is an open-source JPEG 2000 codec written in C. It is widely used across Linux distributions such as Ubuntu, Red Hat, Debian and Fedora. The official repository of the OpenJPEG project is hosted on GitHub.

2. Credit

This vulnerability was discovered by Ke Liu of Tencent’s Xuanwu LAB.

3. Testing Environments

  • OS: Ubuntu
  • OpenJPEG: 0069a2b (Master version before Mar/14/2016)
  • Compiler: Clang
  • CFLAGS: -g -O0 -fsanitize=address

4. Reproduction Steps

Copy the file poc.j2k into the directory openjpeg/bin before running opj_decompress.

wget https://github.com/uclouvain/openjpeg/archive/0069a2bd2f8055b7edf9699332f4f00ac5351564.zip
unzip -q 0069a2bd2f8055b7edf9699332f4f00ac5351564.zip
mv openjpeg-0069a2bd2f8055b7edf9699332f4f00ac5351564 openjpeg
cd openjpeg
export CC='/usr/bin/clang -g -O0 -fsanitize=address'
cmake .
make

cd bin
./opj_decompress -o image.pgm -i poc.j2k

5. Vulnerability Details

AddressSanitizer reports the following error:

==116421==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x633000018c00 
at pc 0x000000529f98 bp 0x7ffe75bda580 sp 0x7ffe75bda578
READ of size 4 at 0x633000018c00 thread T0
    #0 0x529f97 in sycc422_to_rgb openjpeg/src/bin/common/color.c:148:33
    #1 0x527625 in color_sycc_to_rgb openjpeg/src/bin/common/color.c:286:3
    #2 0x4f1f5b in main openjpeg/src/bin/jp2/opj_decompress.c:1375:4
    #3 0x7f14c593182f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #4 0x41a978 in _start (openjpeg/bin/opj_decompress+0x41a978)

0x633000018c00 is located 0 bytes to the right of 99328-byte region [0x633000000800,0x633000018c00)
allocated by thread T0 here:
    #0 0x4bac30 in calloc (openjpeg/bin/opj_decompress+0x4bac30)
    #1 0x7f14c722d764 in opj_calloc openjpeg/src/lib/openjp2/opj_malloc.c:203:10
    #2 0x7f14c71a0e7a in opj_j2k_update_image_data openjpeg/src/lib/openjp2/j2k.c:8212:62
    #3 0x7f14c71a0886 in opj_j2k_decode_tiles openjpeg/src/lib/openjp2/j2k.c:9752:23
    #4 0x7f14c71693fd in opj_j2k_exec openjpeg/src/lib/openjp2/j2k.c:7341:41
    #5 0x7f14c717c44e in opj_j2k_decode openjpeg/src/lib/openjp2/j2k.c:9943:15
    #6 0x7f14c71d4356 in opj_decode openjpeg/src/lib/openjp2/openjpeg.c:412:10
    #7 0x4f1627 in main openjpeg/src/bin/jp2/opj_decompress.c:1330:10
    #8 0x7f14c593182f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow openjpeg/src/bin/common/color.c:148:33 in sycc422_to_rgb
Shadow bytes around the buggy address:
  0x0c667fffb130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c667fffb170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c667fffb180:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb1a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb1b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb1c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c667fffb1d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==116421==ABORTING
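sycc422_to_rgb converts 4:2:2-subsampled sYCC to RGB, so it indexes half-width chroma planes while iterating over the full luma width; the report above shows that read stepping exactly 0 bytes past the end of a heap allocation. The following simplified model is an added example, not OpenJPEG's code, showing that indexing pattern together with the plane-size check a hardened converter performs before entering the loop. plane_t, sycc422_to_rgb_checked and run_demo are names chosen here, and the sample planes are constructed.

```c
#include <stddef.h>
#include <stdlib.h>

/* Added example, not OpenJPEG's code: a simplified 4:2:2 sYCC -> RGB
 * upsampler. One Cb/Cr sample serves two horizontal Y samples, so chroma
 * is indexed with j / 2 while the loop runs over the luma width. */
typedef struct { int *data; size_t w, h; } plane_t;   /* row-major plane */

static int clamp8(int v) { return v < 0 ? 0 : (v > 255 ? 255 : v); }

/* Returns 0 on success, -1 when a chroma plane is smaller than the luma
 * plane requires. Without this check an odd luma width, or a file whose
 * chroma components are smaller than w/2 x h, makes j / 2 read past the
 * end of the chroma allocation: 0 bytes to the right of the region. */
int sycc422_to_rgb_checked(const plane_t *y, const plane_t *cb,
                           const plane_t *cr, int *rgb)
{
    size_t need_w = (y->w + 1) / 2;   /* chroma columns 4:2:2 must carry */
    if (cb->w < need_w || cr->w < need_w || cb->h < y->h || cr->h < y->h)
        return -1;
    for (size_t i = 0; i < y->h; ++i) {
        for (size_t j = 0; j < y->w; ++j) {
            int yy = y->data[i * y->w + j];
            int u = cb->data[i * cb->w + j / 2] - 128;   /* j/2 <= need_w - 1 */
            int v = cr->data[i * cr->w + j / 2] - 128;
            int *px = rgb + 3 * (i * y->w + j);
            px[0] = clamp8(yy + (1402 * v) / 1000);
            px[1] = clamp8(yy - (344 * u + 714 * v) / 1000);
            px[2] = clamp8(yy + (1772 * u) / 1000);
        }
    }
    return 0;
}

/* Constructed input: constant-valued planes of the given sizes; returns the
 * converter's result. A chroma width of luma_w / 2 is what a naive
 * allocation yields and is one column short whenever luma_w is odd. */
int run_demo(size_t luma_w, size_t luma_h, size_t chroma_w, size_t chroma_h)
{
    size_t ny = luma_w * luma_h, nc = chroma_w * chroma_h;
    int *yd = calloc(ny, sizeof *yd), *ud = calloc(nc, sizeof *ud),
        *vd = calloc(nc, sizeof *vd), *rgb = calloc(3 * ny, sizeof *rgb);
    int rc = -2;   /* allocation failure */
    if (yd && ud && vd && rgb) {
        for (size_t k = 0; k < nc; ++k) { ud[k] = 128; vd[k] = 128; }
        plane_t y = { yd, luma_w, luma_h }, cb = { ud, chroma_w, chroma_h },
                cr = { vd, chroma_w, chroma_h };
        rc = sycc422_to_rgb_checked(&y, &cb, &cr, rgb);
    }
    free(yd); free(ud); free(vd); free(rgb);
    return rc;
}
```

Built with -fsanitize=address, dropping the size check and calling run_demo(5, 2, 2, 2) reproduces the same 0-bytes-to-the-right heap read in miniature.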

6. Timeline

  • 2016.03.10 - Found
  • 2016.03.14 - Reported to OpenJPEG via Issue 726
  • 2016.04.30 - Fixed