Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bypasses all current error checking in opj_decompress and still triggers resource exhaustion #1471

Open
pic4xiu opened this issue Jun 30, 2023 · 1 comment
Open

Bypasses all current error checking in opj_decompress and still triggers resource exhaustion #1471

pic4xiu opened this issue Jun 30, 2023 · 1 comment

Comments

@pic4xiu
Copy link

pic4xiu commented Jun 30, 2023
edited
Loading

When I was fuzzing, I found a file that can bypass all current error checks. This file can cause program denial of service, similar to cve-2019-6988.

Expected behavior and actual behavior.

The program finds hardware limitations and directly refuses to parse.

But the program took up my memory, causing resource exhaustion, my system is ubuntu20, but I also tested it on windows, the effect is the same

pic@pic-RESCUER-R720-15IKBN:~/Download/openjpeg/build/bin$ ./opj_decompress -i 2000 -o te.raw

===========================================
The extension of this file is incorrect.
FOUND 2000. SHOULD BE .j2k or .jpc or .j2c or .jhc
===========================================

[INFO] Start to read j2k main header (0).
[WARNING] Cannot take in charge mct data within multiple MCT records
[INFO] Main header has been correctly decoded.
[INFO] No decoded area parameters, set the decoded area to the whole image
Killed

pic@pic-RESCUER-R720-15IKBN:~/Download/openjpeg/build/bin$ dmesg | egrep -i -B100 'killed process'
[ 7139.855289] [   1293]   126  1293    80741      237   102400        0             0 gsd-housekeepin
[ 7139.855291] [   1294]   126  1294    87156      708   151552        0             0 gsd-power
[ 7139.855292] [   1295]   126  1295    43827      173    98304        0             0 ibus-engine-sim
...
[ 7139.855480] [   5572]  1000  5572  3831508  3752527 30732288    74122             0 opj_decompress
[ 7139.855482] oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),cpuset=/,mems_allowed=0,global_oom,task_memcg=/user.slice/user-1000.slice/[email protected],task=opj_decompress,pid=5572,uid=1000
[ 7139.855492] Out of memory: Killed process 5572 (opj_decompress) total-vm:15326032kB, anon-rss:15010108kB, file-rss:0kB, shmem-rss:0kB, UID:1000 pgtables:30012kB oom_score_adj:0

Steps to reproduce the problem.

The poc is here

Run: opj_decompress -i poc -o te.raw

Operating system

ubuntu20/windows10

openjpeg version

OpenJPEG 2.5.0
@pic4xiu pic4xiu changed the title Bypasses all current error checking and still triggers resource exhaustion Bypasses all current error checking in opj_decompress and still triggers resource exhaustion Jun 30, 2023
@LOURC0D3 LOURC0D3 mentioned this issue Aug 5, 2023
Closed
@pedrohc
Copy link

pedrohc commented Jul 4, 2024
edited
Loading

CVE-2023-39328 was assigned for this issue. Please let me know if you wish to dipuste/reject it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@pedrohc @pic4xiu