{"id":2043,"date":"2017-08-28T16:28:23","date_gmt":"2017-08-28T14:28:23","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=2043"},"modified":"2017-08-31T09:16:51","modified_gmt":"2017-08-31T07:16:51","slug":"openjpeg-invalid-memory-write-in-tgatoimage-convert-c","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2017\/08\/28\/openjpeg-invalid-memory-write-in-tgatoimage-convert-c\/","title":{"rendered":"openjpeg: invalid memory write in tgatoimage (convert.c)"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"http:\/\/www.openjpeg.org\">openjpeg<\/a> is an open-source JPEG 2000 library.<\/p>\n<p>The complete ASan output of the issue:<\/p>\n<pre><font size=\"2\"># opj_compress -r 20,10,1 -jpip -EPH -SOP -cinema2K 24 -n 1 -i $FILE -o null.j2k\r\nASAN:DEADLYSIGNAL\r\n=================================================================\r\n==13239==ERROR: AddressSanitizer: SEGV on unknown address 0x7f4f2e9b4800 (pc 0x00000052264a bp 0x7ffff176def0 sp 0x7ffff176dde0 T0)\r\n==13239==The signal is caused by a WRITE memory access.
\r\n    #0 0x522649 in tgatoimage \/var\/tmp\/portage\/media-libs\/openjpeg-9999\/work\/openjpeg-9999\/src\/bin\/jp2\/convert.c:928:45\r\n    #1 0x50b4e6 in main \/var\/tmp\/portage\/media-libs\/openjpeg-9999\/work\/openjpeg-9999\/src\/bin\/jp2\/opj_compress.c:1881:21\r\n    #2 0x7f5de2316680 in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.23-r4\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #3 0x41bc18 in _start (\/usr\/bin\/opj_compress+0x41bc18)\r\n\r\nAddressSanitizer can not provide additional info.
\r\nSUMMARY: AddressSanitizer: SEGV \/var\/tmp\/portage\/media-libs\/openjpeg-9999\/work\/openjpeg-9999\/src\/bin\/jp2\/convert.c:928:45 in tgatoimage\r\n==13239==ABORTING\r\nCINEMA 2K profile activated\r\nOther options specified could be overridden\r\n<\/font><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\nMaster at 2017-08-17 and maybe past releases<\/p>\n<p><strong>Fixed version:<\/strong><br \/>\nN\/A<\/p>\n<p><strong>Commit fix:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/uclouvain\/openjpeg\/commit\/2cd30c2b06ce332dede81cccad8b334cde997281\">https:\/\/github.com\/uclouvain\/openjpeg\/commit\/2cd30c2b06ce332dede81cccad8b334cde997281<\/a><\/p>\n<p><strong>Credit:<\/strong><br \/>\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n<p><strong>CVE:<\/strong><br \/>\nCVE-2017-14040<\/p>\n<p><strong>Reproducer:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00326-openjpeg-invalidwrite-tgatoimage\">https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00326-openjpeg-invalidwrite-tgatoimage<\/a><\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2017-08-17: bug discovered and reported to upstream<br \/>\n2017-08-17: upstream released a patch<br \/>\n2017-08-28: blog post about the issue<br \/>\n2017-08-30: CVE assigned<\/p>\n<p><strong>Note:<\/strong><br \/>\nThis bug was found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy Lop<\/a>.<br \/>\nThis bug was identified with bare metal servers donated by <a href=\"https:\/\/www.packet.net\/\">Packet<\/a>. 
This work is also supported by the <a href=\"https:\/\/www.coreinfrastructure.org\">Core Infrastructure Initiative<\/a>.<\/p>\n<p><strong>Permalink:<\/strong><br \/>\n<a href=\"http:\/\/blogs.gentoo.org\/ago\/2017\/08\/28\/openjpeg-invalid-memory-write-in-tgatoimage-convert-c\/\">openjpeg: invalid memory write in tgatoimage (convert.c)<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description: openjpeg is an open-source JPEG 2000 library. 
The complete ASan output of the issue: # opj_compress -r 20,10,1 -jpip -EPH -SOP -cinema2K 24 -n 1 -i $FILE -o null.j2k ASAN:DEADLYSIGNAL ================================================================= ==13239==ERROR: AddressSanitizer: SEGV on unknown address 0x7f4f2e9b4800 (pc &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2017\/08\/28\/openjpeg-invalid-memory-write-in-tgatoimage-convert-c\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-wX","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/2043"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=2043"}],"version-history":[{"count":6,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/2043\/revisions"}],"predecessor-version":[{"id":2099,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/2043\/revisions\/2099"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=2043"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=2043"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=2043"}],"curies":[{"name":"wp"
,"href":"https:\/\/api.w.org\/{rel}","templated":true}]}}