
malformed jp2 can cause heap-buffer-overflow #909

Closed
insuyun opened this issue Apr 3, 2017 · 4 comments
insuyun commented Apr 3, 2017

Hi, all.
Using SymExec + Fuzzing, I found a bug in openjpeg.
Here are the file that causes the crash and the ASAN result.
Thank you!

===========================================
The extension of this file is incorrect.
FOUND ep:4. SHOULD BE .jp2
===========================================

/home/insu/projects/qsym-eval/apps/openjpeg/openjpeg/src/bin/common/color.c:350:color_sycc_to_rgb
	CAN NOT CONVERT
=================================================================
==68855== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60740000ed00 at pc 0x420fef bp 0x7fffffff9020 sp 0x7fffffff9018
READ of size 4 at 0x60740000ed00 thread T0
    #0 0x420fee (/home/insu/projects/qsym-eval/apps/openjpeg/openjpeg/build-asan/bin/opj_decompress+0x420fee)
    #1 0x4062b4 (/home/insu/projects/qsym-eval/apps/openjpeg/openjpeg/build-asan/bin/opj_decompress+0x4062b4)
    #2 0x7ffff3df7f44 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21f44)
    #3 0x402df8 (/home/insu/projects/qsym-eval/apps/openjpeg/openjpeg/build-asan/bin/opj_decompress+0x402df8)
0x60740000ed00 is located 0 bytes to the right of 9216-byte region [0x60740000c900,0x60740000ed00)
allocated by thread T0 here:
    #0 0x7ffff4e604e5 (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0x154e5)
    #1 0x7ffff4c229e8 (/home/insu/projects/qsym-eval/apps/openjpeg/openjpeg/build-asan/bin/libopenjp2.so.2.2.0+0xb29e8)
    #2 0x7ffff4b8ec3c (/home/insu/projects/qsym-eval/apps/openjpeg/openjpeg/build-asan/bin/libopenjp2.so.2.2.0+0x1ec3c)
    #3 0x7ffff4bb09a0 (/home/insu/projects/qsym-eval/apps/openjpeg/openjpeg/build-asan/bin/libopenjp2.so.2.2.0+0x409a0)
    #4 0x7ffff4b9d487 (/home/insu/projects/qsym-eval/apps/openjpeg/openjpeg/build-asan/bin/libopenjp2.so.2.2.0+0x2d487)
    #5 0x7ffff4bb556d (/home/insu/projects/qsym-eval/apps/openjpeg/openjpeg/build-asan/bin/libopenjp2.so.2.2.0+0x4556d)
    #6 0x7ffff4bbf218 (/home/insu/projects/qsym-eval/apps/openjpeg/openjpeg/build-asan/bin/libopenjp2.so.2.2.0+0x4f218)
    #7 0x7ffff4bc4ecd (/home/insu/projects/qsym-eval/apps/openjpeg/openjpeg/build-asan/bin/libopenjp2.so.2.2.0+0x54ecd)
    #8 0x405f04 (/home/insu/projects/qsym-eval/apps/openjpeg/openjpeg/build-asan/bin/opj_decompress+0x405f04)
    #9 0x7ffff3df7f44 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21f44)
Shadow bytes around the buggy address:
  0x0c0effff9d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0effff9d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0effff9d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0effff9d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0effff9d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c0effff9da0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0effff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0effff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0effff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0effff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0effff9df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==68855== ABORTING
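The report above says everything ASan can say about this crash: a READ of size 4 (one 32-bit sample) whose address is 0 bytes to the right of a 9216-byte heap region, i.e. the very first element past the end of a buffer, reached from opj_decompress after color_sycc_to_rgb had already printed "CAN NOT CONVERT". The issue does not state the root cause, and the fix commit is not quoted here, so the following is an added illustration of that bug class rather than OpenJPEG's code or the actual fix: a YCbCr-to-RGB converter over three planar int32 components that validates every plane's dimensions before indexing, so that a subsampled (smaller) chroma plane is refused instead of being read past its allocation. The image/plane types, the `sycc444_to_rgb` and `planes_match` names, and the sample values are all hypothetical, constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical planar image: three int32 components, each with its own
 * width/height so chroma planes may be subsampled. Illustrative stand-ins,
 * not OpenJPEG's opj_image_t / opj_image_comp_t. */
typedef struct { int32_t *data; unsigned w, h; } plane_t;
typedef struct { plane_t c[3]; unsigned prec; } image_t;

static int clamp(int v, int lo, int hi) { return v < lo ? lo : v > hi ? hi : v; }

/* BT.601-style YCbCr -> RGB for one sample; chroma is centred on 2^(prec-1). */
static void ycc_sample_to_rgb(unsigned prec, int y, int cb, int cr,
                              int *r, int *g, int *b)
{
    int offset = 1 << (prec - 1), upb = (1 << prec) - 1;
    cb -= offset;
    cr -= offset;
    *r = clamp(y + (int)(1.402f * cr), 0, upb);
    *g = clamp(y - (int)(0.344f * cb + 0.714f * cr), 0, upb);
    *b = clamp(y + (int)(1.772f * cb), 0, upb);
}

/* Single-channel wrapper (ch: 0=R, 1=G, 2=B), convenient for spot checks. */
static int rgb_channel(unsigned prec, int y, int cb, int cr, int ch)
{
    int rgb[3];
    ycc_sample_to_rgb(prec, y, cb, cr, &rgb[0], &rgb[1], &rgb[2]);
    return rgb[ch];
}

/* The check the converter must make before touching any sample. A loop that
 * indexes all three planes by the luma plane's w*h would read index cw*ch of a
 * smaller chroma plane: a 4-byte read starting 0 bytes past the end of that
 * plane's allocation, which is the shape of the ASan report above. */
static int planes_match(const image_t *img)
{
    for (int k = 1; k < 3; k++)
        if (!img->c[k].data || img->c[k].w != img->c[0].w ||
            img->c[k].h != img->c[0].h)
            return 0;
    return img->c[0].data != NULL;
}

/* Convert into caller-supplied interleaved RGB (3 * w * h ints).
 * Returns 0 on success, -1 when the layout is unsupported ("CAN NOT CONVERT"). */
static int sycc444_to_rgb(const image_t *img, int32_t *rgb)
{
    if (img->prec == 0 || img->prec > 16 || !planes_match(img))
        return -1;
    unsigned long n = (unsigned long)img->c[0].w * img->c[0].h;
    for (unsigned long i = 0; i < n; i++) {
        int r, g, b;
        ycc_sample_to_rgb(img->prec, img->c[0].data[i], img->c[1].data[i],
                          img->c[2].data[i], &r, &g, &b);
        rgb[3 * i] = r;
        rgb[3 * i + 1] = g;
        rgb[3 * i + 2] = b;
    }
    return 0;
}

/* Constructed image (not the issue's crash file): luma w*h, chroma cw*ch,
 * every sample of a plane set to one value. */
static image_t make_image(unsigned w, unsigned h, unsigned cw, unsigned ch,
                          unsigned prec, int y, int cb, int cr)
{
    image_t img;
    unsigned dims[3][2] = {{w, h}, {cw, ch}, {cw, ch}};
    int vals[3] = {y, cb, cr};
    img.prec = prec;
    for (int k = 0; k < 3; k++) {
        size_t n = (size_t)dims[k][0] * dims[k][1];
        img.c[k].w = dims[k][0];
        img.c[k].h = dims[k][1];
        img.c[k].data = malloc(n * sizeof(int32_t));
        for (size_t i = 0; img.c[k].data && i < n; i++)
            img.c[k].data[i] = vals[k];
    }
    return img;
}

static void free_image(image_t *img)
{
    for (int k = 0; k < 3; k++) free(img->c[k].data);
}

/* Exercise both paths. Returns 1 when the full-resolution image converts to the
 * expected RGB and the image with subsampled chroma is rejected up front. */
static int run_demo(void)
{
    int32_t rgb[3 * 4 * 4];
    image_t full = make_image(4, 4, 4, 4, 8, 100, 128, 192);
    image_t sub  = make_image(4, 4, 2, 2, 8, 100, 128, 192);
    int ok = sycc444_to_rgb(&full, rgb) == 0 &&
             rgb[0] == 189 && rgb[1] == 55 && rgb[2] == 100 &&
             sycc444_to_rgb(&sub, rgb) == -1;
    free_image(&full);
    free_image(&sub);
    return ok;
}

int main(void)
{
    int ok = run_demo();
    printf("%s\n", ok ? "full-res converted, subsampled refused" : "unexpected result");
    return ok ? 0 : 1;
}
```

Build it with `-fsanitize=address -g` as the reporter did for opj_decompress; if you remove the `planes_match` call and run the subsampled case, ASan reports the same pattern as above (READ of size 4, 0 bytes to the right of the chroma plane's region), which is a quick way to confirm a decoder's converter rejects mismatched component geometry before it indexes.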
boxerab (Contributor) commented Apr 3, 2017

Nice work. Keep these fuzz reports coming!

rouault added a commit that referenced this issue Jul 29, 2017
@rouault rouault closed this as completed Jul 29, 2017
@detonin detonin added the bug label Aug 3, 2017
insuyun (Author) commented Aug 14, 2017

Can I request a CVE number for this issue?
If you don't mind, I want to.

rouault (Collaborator) commented Aug 15, 2017

@jakkdu You can proceed with requesting a CVE number

insuyun (Author) commented Aug 15, 2017

Thanks.
