CVE-2016-5157 OpenJPEG opj_dwt_interleave_v Out-of-Bounds Write Vulnerability

# OpenJPEG opj_dwt_interleave_v Out-of-Bounds Write Vulnerability ## 1. About OpenJPEG OpenJPEG is an open-source JPEG 2000 codec written in C language. It's widely used in lots of Linux OSes such as Ubuntu, RedHat, Debian, Fedora, and so on. The official repository of the OpenJPEG project is available at [GitHub](https://github.com/uclouvain/openjpeg). ## 2. Credit This vulnerability was discovered by Ke Liu of Tencent's Xuanwu LAB. ## 3. Testing Environments + **OS**: Ubuntu + **OpenJPEG**: [4a2a869](https://github.com/uclouvain/openjpeg/archive/4a2a8693e5a02207a8813b02a375abdc4e43c49b.zip) (Master version before Aug/6/2016) + **Compiler**: Clang + **CFLAGS**: ``-g -O0 -fsanitize=address`` ## 4. Reproduce Steps Please copy file ``poc.jp2`` to directory ``openjpeg/bin`` before executing ``opj_decompress``. ``` wget https://github.com/uclouvain/openjpeg/archive/4a2a8693e5a02207a8813b02a375abdc4e43c49b.zip unzip -q 4a2a8693e5a02207a8813b02a375abdc4e43c49b.zip mv openjpeg-4a2a8693e5a02207a8813b02a375abdc4e43c49b openjpeg cd openjpeg export CC='/usr/bin/clang -g -O0 -fsanitize=address' cmake . make cd bin ./opj_decompress -o image.pgm -i poc.jp2 ``` ## 5. Vulnerability Details This is a heap buffer overflow vulnerability. AddressSanitizer output the following exception information. ``` ==38575==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000001e7c at pc 0x7f3ab84a5a57 bp 0x7ffc2a7f1c50 sp 0x7ffc2a7f1c48 WRITE of size 4 at 0x619000001e7c thread T0 #0 0x7f3ab84a5a56 in opj_dwt_interleave_v openjpeg/src/lib/openjp2/dwt.c:268:11 #1 0x7f3ab849ddca in opj_dwt_decode_tile openjpeg/src/lib/openjp2/dwt.c:609:4 #2 0x7f3ab849d101 in opj_dwt_decode openjpeg/src/lib/openjp2/dwt.c:477:9 #3 0x7f3ab8574f5e in opj_tcd_dwt_decode openjpeg/src/lib/openjp2/tcd.c:1619:31 #4 0x7f3ab85747ea in opj_tcd_decode_tile openjpeg/src/lib/openjp2/tcd.c:1306:20 #5 0x7f3ab84c2deb in opj_j2k_decode_tile openjpeg/src/lib/openjp2/j2k.c:8134:15 #6 0x7f3ab84f0b44 in opj_j2k_decode_tiles openjpeg/src/lib/openjp2/j2k.c:9761:23 #7 0x7f3ab84b98dd in opj_j2k_exec openjpeg/src/lib/openjp2/j2k.c:7350:41 #8 0x7f3ab84cc9ae in opj_j2k_decode openjpeg/src/lib/openjp2/j2k.c:9959:15 #9 0x7f3ab8507cae in opj_jp2_decode openjpeg/src/lib/openjp2/jp2.c:1492:8 #10 0x7f3ab8524976 in opj_decode openjpeg/src/lib/openjp2/openjpeg.c:412:10 #11 0x4f166f in main openjpeg/src/bin/jp2/opj_decompress.c:1332:10 #12 0x7f3ab6c8182f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291 #13 0x41a978 in _start (openjpeg/bin/opj_decompress+0x41a978) 0x619000001e7c is located 4 bytes to the left of 1028-byte region [0x619000001e80,0x619000002284) allocated by thread T0 here: #0 0x4bb380 in __interceptor_posix_memalign (openjpeg/bin/opj_decompress+0x4bb380) #1 0x7f3ab857e0a0 in opj_aligned_alloc_n openjpeg/src/lib/openjp2/opj_malloc.c:61:7 #2 0x7f3ab857df0e in opj_aligned_malloc openjpeg/src/lib/openjp2/opj_malloc.c:208:10 #3 0x7f3ab849d55e in opj_dwt_decode_tile openjpeg/src/lib/openjp2/dwt.c:576:22 #4 0x7f3ab849d101 in opj_dwt_decode openjpeg/src/lib/openjp2/dwt.c:477:9 #5 0x7f3ab8574f5e in opj_tcd_dwt_decode openjpeg/src/lib/openjp2/tcd.c:1619:31 #6 0x7f3ab85747ea in opj_tcd_decode_tile openjpeg/src/lib/openjp2/tcd.c:1306:20 #7 0x7f3ab84c2deb in opj_j2k_decode_tile openjpeg/src/lib/openjp2/j2k.c:8134:15 #8 0x7f3ab84f0b44 in opj_j2k_decode_tiles openjpeg/src/lib/openjp2/j2k.c:9761:23 #9 0x7f3ab84b98dd in opj_j2k_exec openjpeg/src/lib/openjp2/j2k.c:7350:41 #10 0x7f3ab84cc9ae in opj_j2k_decode openjpeg/src/lib/openjp2/j2k.c:9959:15 #11 0x7f3ab8507cae in opj_jp2_decode openjpeg/src/lib/openjp2/jp2.c:1492:8 #12 0x7f3ab8524976 in opj_decode openjpeg/src/lib/openjp2/openjpeg.c:412:10 #13 0x4f166f in main openjpeg/src/bin/jp2/opj_decompress.c:1332:10 #14 0x7f3ab6c8182f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291 SUMMARY: AddressSanitizer: heap-buffer-overflow openjpeg/src/lib/openjp2/dwt.c:268:11 in opj_dwt_interleave_v Shadow bytes around the buggy address: 0x0c327fff8370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c327fff8380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c327fff8390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c327fff83a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c327fff83b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c327fff83c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa] 0x0c327fff83d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c327fff83e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c327fff83f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c327fff8400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c327fff8410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==38575==ABORTING ``` ## 6. Timeline + 2016.07.31 - Found + 2016.08.24 - Reported to OpenJPEG via [email protected] + 2016.09.08 - Fixed + 2016.09.08 - Publicly disclosed ## 7. References + [OpenJPEG Patch](https://github.com/uclouvain/openjpeg/commit/e078172b1c3f98d2219c37076b238fb759c751ea) + [oss-sec CVE Request](http://seclists.org/oss-sec/2016/q3/438) ## 8. Remarks I found this issue independently but Google Chrome also got a report of this issue from another security researcher. So the CVE number was the same as CVE-2016-5157 which was issued for Google Chrome. However, I found and reported this issue to OpenJPEG before Google released a security advisory.