DESCRIPTION
OPENJPEG null ptr dereference in convertbmp.c:980
VERSION
OPENJPEG-2.1.2
Address Sanitizer Output
==12736==ERROR: AddressSanitizer: SEGV on unknown address 0x00000f50 (pc 0x08150cc0 bp 0xbfad5d28 sp 0xbfad5cc0 T0)
#0 0x8150cbf (/home/yang/openjpeg/openjpeg-2.1.2/build-clang/bin/opj_decompress+0x8150cbf)
#1 0x81371b8 (/home/yang/openjpeg/openjpeg-2.1.2/build-clang/bin/opj_decompress+0x81371b8)
#2 0xb74a1636 (/lib/i386-linux-gnu/libc.so.6+0x18636)
#3 0x805f327 (/home/yang/openjpeg/openjpeg-2.1.2/build-clang/bin/opj_decompress+0x805f327)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/yang/openjpeg/openjpeg-2.1.2/build-clang/bin/opj_decompress+0x8150cbf)
GDB Information
Program received signal SIGSEGV, Segmentation fault.
0x08055b57 in imagetobmp (image=0x93b15c0, outfile=0xbfa3efd4 "image.bmp") at /home/yang/openjpeg/openjpeg-2.1.2/src/bin/jp2/convertbmp.c:980
980 r = image->comps[0].data[w * h - ((i) / (w) + 1) * w + (i) % (w)];
(rr) p image->comps[0].data
$1 = (OPJ_INT32 *) 0x0
Analysis
Step 1: p_image_dest->comps[compno].data = NULL (image.c:185)
Step 2: opj_j2k_exec(p_j2k, p_j2k->m_procedure_list, p_stream, p_manager) (j2k.c:9969) ->
opj_j2k_decode_tiles (j2k.c:9723) -> opj_j2k_read_tile_header (j2k.c:7845)
p_j2k->m_specific_param.m_decoder.m_can_decode = 0 => p_go_on = 0 => l_go_on = 0 (j2k.c:9756)
p_image_dest->comps[0].data was not assigned a value.
Step 3: at convertbmp.c:980 the program accesses image->comps[0].data.
However, data is still NULL.
PoC
Contact me at YangX92@hotmail.com if you need the PoC file.
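The condition traced in the analysis, as an added example that is not part of the original report or of OpenJPEG's code: a converter that validates component buffers before using the bottom-up index expression from convertbmp.c:980. The types `comp_t` and `image_t` and both function names are hypothetical, simplified stand-ins, and the sample image is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins: only the fields the converter touches. */
typedef struct { uint32_t w, h; int32_t *data; } comp_t;
typedef struct { uint32_t numcomps; comp_t *comps; } image_t;

/* 0 if the first `needed` components each hold a sample buffer with the
 * same non-zero geometry as component 0, -1 otherwise. */
static int image_check_for_bmp(const image_t *img, uint32_t needed)
{
    if (img == NULL || img->comps == NULL || img->numcomps < needed)
        return -1;
    for (uint32_t c = 0; c < needed; c++) {
        const comp_t *k = &img->comps[c];
        if (k->data == NULL)      /* tile decoding never filled the buffer */
            return -1;
        if (k->w == 0 || k->h == 0)
            return -1;
        if (k->w != img->comps[0].w || k->h != img->comps[0].h)
            return -1;
    }
    return 0;
}

/* Copies component 0 bottom-up with the index expression from line 980,
 * but only after validation. Returns samples written, or -1. */
static long flip_rows_checked(const image_t *img, int32_t *out, size_t out_len)
{
    if (out == NULL || image_check_for_bmp(img, 1) != 0)
        return -1;
    size_t w = img->comps[0].w, h = img->comps[0].h;
    if (h > SIZE_MAX / w || w * h > out_len)   /* overflow / short buffer */
        return -1;
    for (size_t i = 0; i < w * h; i++)
        out[i] = img->comps[0].data[w * h - (i / w + 1) * w + i % w];
    return (long)(w * h);
}

int main(void)
{
    int32_t out[4];
    comp_t empty = { 2, 2, NULL };   /* constructed: header parsed, no tile data */
    image_t img = { 1, &empty };
    if (flip_rows_checked(&img, out, 4) < 0)
        fprintf(stderr, "refusing to convert: component 0 has no decoded data\n");
    return 0;
}
```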