Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Integer Overflow in num_images #1338

Closed
NigelX opened this issue Mar 24, 2021 · 10 comments · Fixed by #1395
Closed

Integer Overflow in num_images #1338

NigelX opened this issue Mar 24, 2021 · 10 comments · Fixed by #1395

Comments

@NigelX
Copy link

NigelX commented Mar 24, 2021

Hello openjpeg2 team,
I found an integer overflow vulnerability in the command line options.

-ImgDir

If there are many files in the imgdir directory The number of files read by opj_compress will overflow.

openjpeg2(tested with revision * master 0bda718).

run commd

./opj_compress -ImgDir testcase/ -OutFor outcase/t.jp2 

asan info

Folder opened successfully
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==1852564==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000001183310 (pc 0x7ffff764cefa bp 0x0000000fffff sp 0x7fffffff3988 T1852564)
==1852564==The signal is caused by a WRITE memory access.
    #0 0x7ffff764cefa  /build/glibc-eX1tMB/glibc-2.31/string/../sysdeps/x86_64/multiarch/strcpy-avx2.S:630
    #1 0x42d9a5 in load_images /home/test/Downloads/openjpeg/src/bin/jp2/opj_compress.c:508:9
    #2 0x429366 in main /home/test/Downloads/openjpeg/src/bin/jp2/opj_compress.c:1924:13
    #3 0x7ffff74e70b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #4 0x408c7d in _start (/home/test/Downloads/openjpeg/fast_build64/bin/opj_compress+0x408c7d)

UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /build/glibc-eX1tMB/glibc-2.31/string/../sysdeps/x86_64/multiarch/strcpy-avx2.S:630 
==1852564==ABORTING

image1

When num_images is equal to 1048576, multiplying with OPJ_PATH_LEN will produce an overflow result of 0

poc.zip


HX from Topsec alpha Security Team

@carnil
Copy link

carnil commented Apr 14, 2021

This appears to have been assigned CVE-2021-29338

@Abhishek-sin
Copy link

Is there any manual fix we can use/apply here till we get an patch update ??

@stevebeattie
Copy link

It looks like the pull request #1346 is intended to cover this issue as well; I believe Alpine Linux has already released an update for the issue with an earlier iteration of the proposed pull request.

@tony--
Copy link

tony-- commented Jun 29, 2021

#1346 was replaced with f0629cb. Does that mean CVE-2021-29338 is fixed in master, @rouault?

@rouault
Copy link
Collaborator

rouault commented Jun 29, 2021

#1346 was replaced with f0629cb. Does that mean CVE-2021-29338 is fixed in master, @rouault?

I don't think so. I don't see f0629cb changing the code path pointed above

@baparham
Copy link
Contributor

now that we might be back after some time away, I'll ping again but over in this issue. @rouault or @kaniini are there any plans or PRs in the works to fix this cve since it was not included in f0629cb and #1346 wasn't merged fully?

@rouault
Copy link
Collaborator

rouault commented Jan 12, 2022

are there any plans or PRs in the works to fix this cve since it was not included in f0629cb and #1346 wasn't merged fully?

if you believe there's something left to fix, please issue a pull request to fix it. That's the effective way to make changes happen

@baparham
Copy link
Contributor

I understand and agree, but I am not really good at c these days. Since you and @kaniini have previously made changes in this area, I figured either of you two would be the quickest at making such a PR, and ensuring that it actually is correct. A PR from me would basically be trying to copy and paste code from @kaniini where it fits the latest master code, which seems inappropriate and bug prone.

Either way, it sounds like the answer is no, so I'll try and cobble something together (just what you want to hear when fixing a CVE :-) ) and see if the CI and reviewers like it.

baparham added a commit to baparham/openjpeg that referenced this issue Jan 12, 2022
@baparham
Copy link
Contributor

Is it possible to confirm that this issue doesn't affect the lib code? I'm not really sure how they are intertwined, but for example, pdfium in the chromium project seems to just makes use of the code under lib (reference) which to me seems to indicate that it is not vulnerable to this CVE.

thoughts?

@rouault
Copy link
Collaborator

rouault commented Jan 12, 2022

Is it possible to confirm that this issue doesn't affect the lib code?

if the code source changes are in src/bin/ only, it means that it affects only the utilities

rouault pushed a commit that referenced this issue Jan 12, 2022
kraj pushed a commit to YoeDistro/meta-openembedded that referenced this issue Feb 15, 2022
CVE: CVE-2021-29338

Ref:
* uclouvain/openjpeg#1338

Signed-off-by: Kai Kang <[email protected]>
Signed-off-by: Khem Raj <[email protected]>
kraj pushed a commit to YoeDistro/meta-openembedded that referenced this issue Feb 16, 2022
CVE: CVE-2021-29338

Ref:
* uclouvain/openjpeg#1338

Signed-off-by: Kai Kang <[email protected]>
Signed-off-by: Khem Raj <[email protected]>
kraj pushed a commit to YoeDistro/meta-openembedded that referenced this issue Feb 16, 2022
CVE: CVE-2021-29338

Ref:
* uclouvain/openjpeg#1338

Signed-off-by: Kai Kang <[email protected]>
Signed-off-by: Khem Raj <[email protected]>
halstead pushed a commit to openembedded/meta-openembedded that referenced this issue Feb 23, 2022
CVE: CVE-2021-29338

Ref:
* uclouvain/openjpeg#1338

Signed-off-by: Kai Kang <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
amstewart pushed a commit to ni/meta-openembedded that referenced this issue May 2, 2022
CVE: CVE-2021-29338

Ref:
* uclouvain/openjpeg#1338

Signed-off-by: Kai Kang <[email protected]>
Signed-off-by: Armin Kuster <[email protected]>
daregit pushed a commit to daregit/yocto-combined that referenced this issue May 22, 2024
daregit pushed a commit to daregit/yocto-combined that referenced this issue May 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

7 participants