uclouvain/openjpeg

Bypasses all current error checking in opj_decompress and still triggers resource exhaustion

pic4xiu opened this issue · 1 comment

When I was fuzzing, I found a file that can bypass all current error checks. This file can cause a denial of service in the program, similar to CVE-2019-6988.

Expected behavior and actual behavior.

The program finds hardware limitations and directly refuses to parse.

But the program took up my memory, causing resource exhaustion. My system is Ubuntu 20, but I also tested it on Windows, and the effect is the same.

pic@pic-RESCUER-R720-15IKBN:~/Download/openjpeg/build/bin$ ./opj_decompress -i 2000 -o te.raw

===========================================
The extension of this file is incorrect.
FOUND 2000. SHOULD BE .j2k or .jpc or .j2c or .jhc
===========================================

[INFO] Start to read j2k main header (0).
[WARNING] Cannot take in charge mct data within multiple MCT records
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
Killed

pic@pic-RESCUER-R720-15IKBN:~/Download/openjpeg/build/bin$ dmesg | egrep -i -B100 'killed process'
[ 7139.855289] [   1293]   126  1293    80741      237   102400        0             0 gsd-housekeepin
[ 7139.855291] [   1294]   126  1294    87156      708   151552        0             0 gsd-power
[ 7139.855292] [   1295]   126  1295    43827      173    98304        0             0 ibus-engine-sim
...
[ 7139.855480] [   5572]  1000  5572  3831508  3752527 30732288    74122             0 opj_decompress
[ 7139.855482] oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),cpuset=/,mems_allowed=0,global_oom,task_memcg=/user.slice/user-1000.slice/user@1000.service,task=opj_decompress,pid=5572,uid=1000
[ 7139.855492] Out of memory: Killed process 5572 (opj_decompress) total-vm:15326032kB, anon-rss:15010108kB, file-rss:0kB, shmem-rss:0kB, UID:1000 pgtables:30012kB oom_score_adj:0

Steps to reproduce the problem.

The poc is here

Run: opj_decompress -i poc -o te.raw

Operating system

ubuntu20/windows10

openjpeg version

OpenJPEG 2.5.0

CVE-2023-39328 was assigned for this issue. Please let me know if you wish to dispute/reject it.
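One defensive wrapper for the failure mode shown in this report, added here as an example and not part of the issue or of OpenJPEG: it bounds the raster declared in the codestream's SIZ marker (ISO/IEC 15444-1) before decoding, then runs opj_decompress under RLIMIT_AS so a hostile file fails with an allocation error inside the decoder process instead of being OOM-killed by the kernel. The 512 MiB budget, the 4x working-memory factor and the `make_siz` test helper are assumptions; the wrapper is Unix-only because of `preexec_fn`.

```python
"""Pre-flight budget check for raw J2K codestreams before they reach opj_decompress.
Added example, not OpenJPEG code. Only SOC+SIZ (the first marker pair) is parsed."""
import resource
import struct
import subprocess

SOC, SIZ = 0xFF4F, 0xFF51


def declared_raster_bytes(data: bytes) -> int:
    """Bytes needed to hold the fully decoded image implied by the SIZ marker."""
    if len(data) < 6 or struct.unpack(">HH", data[:4]) != (SOC, SIZ):
        raise ValueError("not a J2K codestream: expected SOC followed by SIZ")
    lsiz = struct.unpack(">H", data[4:6])[0]
    if lsiz < 41 or len(data) < 4 + lsiz:          # Lsiz = 38 fixed bytes + 3 per component
        raise ValueError("truncated SIZ marker")
    (_rsiz, xsiz, ysiz, xosiz, yosiz, xtsiz, ytsiz,
     _xtosiz, _ytosiz, csiz) = struct.unpack(">HIIIIIIIIH", data[6:42])
    if csiz == 0 or lsiz != 38 + 3 * csiz:
        raise ValueError("Csiz inconsistent with Lsiz")
    if xosiz >= xsiz or yosiz >= ysiz or xtsiz == 0 or ytsiz == 0:
        raise ValueError("degenerate image or tile geometry")
    total = 0
    for i in range(csiz):
        ssiz, xrsiz, yrsiz = data[42 + 3 * i:45 + 3 * i]
        if xrsiz == 0 or yrsiz == 0:
            raise ValueError("zero sub-sampling factor")
        depth = (ssiz & 0x7F) + 1                    # bit 7 of Ssiz is the sign flag
        width = -(-xsiz // xrsiz) - -(-xosiz // xrsiz)   # ceil() as in the spec
        height = -(-ysiz // yrsiz) - -(-yosiz // yrsiz)
        total += width * height * ((depth + 7) // 8)
    return total


def make_siz(xsiz: int, ysiz: int, comps) -> bytes:
    """Constructed SOC+SIZ header for testing; comps is [(bit_depth, xrsiz, yrsiz), ...]."""
    body = struct.pack(">HIIIIIIIIH", 0, xsiz, ysiz, 0, 0, xsiz, ysiz, 0, 0, len(comps))
    body += b"".join(bytes([d - 1, xr, yr]) for d, xr, yr in comps)
    return struct.pack(">HHH", SOC, SIZ, 2 + len(body)) + body


def decode_with_budget(path: str, out: str, max_raster: int = 512 << 20) -> int:
    """Refuse oversized rasters up front, then run opj_decompress under RLIMIT_AS.
    The 4x allowance for decoder working memory is an assumption, not an OpenJPEG figure."""
    with open(path, "rb") as f:
        need = declared_raster_bytes(f.read(4096))
    if need > max_raster:
        raise ValueError(f"declared raster {need} bytes exceeds budget {max_raster}")

    def cap():  # runs in the child before exec; the limit is inherited by opj_decompress
        resource.setrlimit(resource.RLIMIT_AS, (4 * max_raster, 4 * max_raster))

    return subprocess.run(["opj_decompress", "-i", path, "-o", out], preexec_fn=cap).returncode
```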