OpenJPEG 'mqc.c' Remote Heap Based Buffer Overflow Vulnerability



OpenJPEG is prone to a remote heap-based buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.

An attacker can exploit this issue to crash the affected application, resulting in denial-of-service conditions. Due to the nature of this issue, arbitrary code execution may be possible, but this has not been confirmed.

Versions prior to OpenJPEG 2.2.0 are vulnerable.

Information

Bugtraq ID: 100564
Class: Boundary Condition Error
CVE: CVE-2016-10504

Remote: Yes
Local: No
Published: Aug 30 2017 12:00AM
Updated: Aug 30 2017 12:00AM
Credit: Ke Liu of Tencent's Xuanwu LAB
Vulnerable: OpenJPEG OpenJPEG 2.1.2
OpenJPEG OpenJPEG 2.1.1
OpenJPEG OpenJPEG 2.1
OpenJPEG OpenJPEG 1.5
OpenJPEG OpenJPEG 2.0.0
OpenJPEG OpenJPEG 1.5.2
OpenJPEG OpenJPEG 1.5.1
OpenJPEG OpenJPEG 1.4
OpenJPEG OpenJPEG 1.3
OpenJPEG OpenJPEG 1.0


Not Vulnerable: OpenJPEG OpenJPEG 2.2.0


Exploit


The researcher has created a proof-of-concept to demonstrate the issue. Please see the references for more information.

