null ptr dereference in convert.c:1331

[STARLABSEC]

Vulnerability

openjpeg null ptr dereference in convert.c:1331

Version

git head version ( https://github.com/uclouvain/openjpeg/ )

Address Sanitizer Output

ASAN:SIGSEGV

==7358==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000 (pc 0x0815d204 bp 0xff846938 sp 0xff846380 T0)
#0 0x815d203 in skip_white /home/starlab/fuzzing/openjpeg/src/bin/jp2/convert.c:1331
#1 0x8135d81 in main /home/starlab/fuzzing/openjpeg/src/bin/jp2/opj_compress.c:1723
#2 0xf7343636 in __libc_start_main ??:?
#3 0x807a31b in _start ??:?

PoC

See poc.ppm

Analysis

In convert.c:1483 and convert.c:1485, variable s is uncheck after skip_int is called.
A null ptr will be passed to skip_int again and will cause a null ptr dereference.

Report Timeline

2016-09-16: FB3F15 of STARLAB discovered this issue

Credit

FB3F15 of STARLAB

PoC

Contact us if you need PoC file

[szukw000]

@STARLABSEC ,
can you upload that file or give a link to that file?

winfried

[STARLABSEC]

@szukw000
https://github.com/STARLABSEC/pocs/raw/master/openjpeg-nullptr-github-issue-842.ppm

[szukw000]

@STARLABSEC,

did you yourself change the PPM file? Or did OpenJPEG-2.0.0 create that file?
The ppm.dif shows the bug.

After changing 'convert.c' I got the message:

bin/opj_compress -i openjpeg-nullptr-github-issue-842.ppm -o out.j2k

convert.c:1586:OK(0) width(255) height(0) depth(0)
Unable to load pnm file

The respective patch should be applied.

winfried

openjpeg-nullptr-github-issue-842.ppm-dif.txt

[STARLABSEC]

@szukw000
We created it by ourselves.
The patch is ok, please apply it.

[szukw000]

@stweil ,

the patch is applied. I failed to create a github patch.

winfried
fixpnmtoimage_dif.txt