[3.2] openjpeg: Double free and use after free vulnerabilities
Double free vulnerability (CVE-2015-6581)
Double free vulnerability in the opj_j2k_copy_default_tcp_and_create_tcd function in j2k.c in OpenJPEG before r3002, as used in PDFium in Google Chrome before 45.0.2454.85, allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by triggering a memory-allocation failure.
References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6581
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6581
https://code.google.com/p/openjpeg/issues/detail?id=492
Patch:
https://github.com/uclouvain/openjpeg/commit/0fa5a17c98c4b8f9ee2286f4f0a50cf52a5fccb0
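Added illustration of the bug class (this is not OpenJPEG's code and not part of this issue): a default parameter struct is shallow-copied with memcpy, so the copy borrows every heap pointer of the original until each array has been duplicated. If one of those allocations fails part-way, the arrays not yet reached are still shared, and the usual cleanup (destroy the default, destroy every tile copy) frees them twice. The struct, field names and fault-injecting allocator below are hypothetical; the hardened version clears the borrowed pointers immediately after the shallow copy, which is the shape of fix the linked upstream commit takes.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model (not OpenJPEG's code) of a coding-parameter struct
 * whose default instance owns three heap arrays and is shallow-copied
 * with memcpy into a per-tile copy before each array is duplicated. */
typedef struct {
    float    *mct_decoding_matrix; size_t n_matrix;
    uint32_t *mct_records;         size_t n_mct;
    uint32_t *mcc_records;         size_t n_mcc;
} tcp_t;

/* Allocator with fault injection: allocation number g_fail_on (0-based)
 * returns NULL, which is the "memory-allocation failure" trigger. */
static int g_fail_on = -1, g_alloc_no = 0;
static void reset_allocator(int fail_on) { g_fail_on = fail_on; g_alloc_no = 0; }
static void *dup_or_fail(const void *src, size_t nbytes) {
    if (g_alloc_no++ == g_fail_on) return NULL;
    void *p = malloc(nbytes);
    if (p) memcpy(p, src, nbytes);
    return p;
}

static void tcp_destroy(tcp_t *t) {
    free(t->mct_decoding_matrix); t->mct_decoding_matrix = NULL;
    free(t->mct_records);         t->mct_records = NULL;
    free(t->mcc_records);         t->mcc_records = NULL;
}

/* Vulnerable shape: after memcpy, dst borrows every pointer of src. If an
 * allocation fails part-way, arrays not yet reached are still borrowed,
 * so destroying src and the partial dst frees them twice. */
static int tcp_copy_vulnerable(tcp_t *dst, const tcp_t *src) {
    memcpy(dst, src, sizeof *dst);
    dst->mct_decoding_matrix = dup_or_fail(src->mct_decoding_matrix, src->n_matrix * sizeof(float));
    if (!dst->mct_decoding_matrix) return 0;   /* mct_records, mcc_records still shared */
    dst->mct_records = dup_or_fail(src->mct_records, src->n_mct * sizeof(uint32_t));
    if (!dst->mct_records) return 0;           /* mcc_records still shared */
    dst->mcc_records = dup_or_fail(src->mcc_records, src->n_mcc * sizeof(uint32_t));
    return dst->mcc_records != NULL;
}

/* Hardened shape: drop the borrowed pointers right after the shallow copy,
 * so dst only ever owns what it allocated and a partial copy is safe to
 * destroy. Each step otherwise mirrors the vulnerable version. */
static int tcp_copy_fixed(tcp_t *dst, const tcp_t *src) {
    memcpy(dst, src, sizeof *dst);
    dst->mct_decoding_matrix = NULL;
    dst->mct_records = NULL;
    dst->mcc_records = NULL;
    dst->mct_decoding_matrix = dup_or_fail(src->mct_decoding_matrix, src->n_matrix * sizeof(float));
    if (!dst->mct_decoding_matrix) return 0;
    dst->mct_records = dup_or_fail(src->mct_records, src->n_mct * sizeof(uint32_t));
    if (!dst->mct_records) return 0;
    dst->mcc_records = dup_or_fail(src->mcc_records, src->n_mcc * sizeof(uint32_t));
    return dst->mcc_records != NULL;
}

/* True if dst still aliases an array owned by src: destroying both would be
 * a double free. Safe after a failed copy, since pointers are only compared. */
static int tcp_shares_storage(const tcp_t *dst, const tcp_t *src) {
    return (dst->mct_decoding_matrix && dst->mct_decoding_matrix == src->mct_decoding_matrix)
        || (dst->mct_records && dst->mct_records == src->mct_records)
        || (dst->mcc_records && dst->mcc_records == src->mcc_records);
}

/* Default tcp with small constructed arrays (sample data, not from a file). */
static int make_default_tcp(tcp_t *t) {
    static const float    matrix[4] = {1.0f, 0.0f, 0.0f, 1.0f};
    static const uint32_t mct[2] = {1, 2}, mcc[2] = {3, 4};
    memset(t, 0, sizeof *t);
    t->n_matrix = 4; t->n_mct = 2; t->n_mcc = 2;
    t->mct_decoding_matrix = malloc(sizeof matrix);
    t->mct_records = malloc(sizeof mct);
    t->mcc_records = malloc(sizeof mcc);
    if (!t->mct_decoding_matrix || !t->mct_records || !t->mcc_records) { tcp_destroy(t); return 0; }
    memcpy(t->mct_decoding_matrix, matrix, sizeof matrix);
    memcpy(t->mct_records, mct, sizeof mct);
    memcpy(t->mcc_records, mcc, sizeof mcc);
    return 1;
}

/* Run one copy routine with allocation number fail_on failing (-1: none).
 * Returns 1 if the tile copy still shares storage with the default (the
 * double-free condition), 0 if both can be destroyed safely, -1 on setup error. */
static int run_copy_under_oom(int (*copy)(tcp_t *, const tcp_t *), int fail_on) {
    tcp_t def, tile;
    if (!make_default_tcp(&def)) return -1;
    reset_allocator(fail_on);
    copy(&tile, &def);
    int shares = tcp_shares_storage(&tile, &def);
    if (shares) {
        /* tcp_destroy(&tile) here would be the double free; release only the
         * arrays tile really owns so the demo itself stays well defined. */
        if (tile.mct_decoding_matrix != def.mct_decoding_matrix) free(tile.mct_decoding_matrix);
        if (tile.mct_records != def.mct_records) free(tile.mct_records);
        if (tile.mcc_records != def.mcc_records) free(tile.mcc_records);
    } else {
        tcp_destroy(&tile);
    }
    tcp_destroy(&def);
    return shares;
}
```

With the second allocation forced to fail, run_copy_under_oom(tcp_copy_vulnerable, 1) reports that the partial copy still points at the default's mcc_records, which is exactly the pointer a later opj_j2k_destroy-style teardown would free a second time; the fixed copy reports no shared storage for any failure point.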
Use-after-free vulnerability in the opj_j2k_write_mco function in j2k.c:
'l_current_data' is set to 'p_j2k->m_specific_param.m_encoder.m_header_tile_data';
'p_j2k->m_specific_param.m_encoder.m_header_tile_data' is later passed to 'realloc'
and can be freed (the buffer moved) depending on the length of 'l_mco_size';
'l_current_data' is used afterwards and can then point into a freed memory zone.
This one is still waiting for a CVE:
http://seclists.org/oss-sec/2015/q3/550
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1263359
Patch:
https://github.com/uclouvain/openjpeg/commit/940100c28ae28931722290794889cf84a92c5f6f
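Added illustration of the realloc pattern described above (this is not OpenJPEG's code and not part of this issue): a write cursor is copied out of the encoder struct, the struct's buffer is then grown with a realloc that may move it, and the marker is written through the stale cursor. To make the bad write observable instead of undefined behaviour, the example replaces the heap with a small arena that always moves on realloc and tracks which bytes are live; the encoder struct, MCO layout, marker value and function names are hypothetical stand-ins. The fixed version re-reads the cursor after the grow step, which is the shape of the linked upstream fix.

```c
#include <stdint.h>
#include <string.h>

/* Tiny bump allocator with a liveness map, standing in for the heap so a
 * write through a stale pointer is detected rather than undefined. The
 * realloc always moves the block, which a real realloc is allowed to do. */
#define ARENA_SIZE 4096
static unsigned char g_arena[ARENA_SIZE];
static unsigned char g_live[ARENA_SIZE];
static size_t g_top;

static void *arena_alloc(size_t n) {
    if (n == 0 || g_top + n > ARENA_SIZE) return NULL;
    void *p = g_arena + g_top;
    memset(g_live + g_top, 1, n);
    g_top += n;
    return p;
}
static void arena_free(void *p, size_t n) {
    if (p) memset(g_live + ((unsigned char *)p - g_arena), 0, n);
}
static void *arena_realloc(void *p, size_t old_n, size_t new_n) {
    void *q = arena_alloc(new_n);
    if (!q) return NULL;
    if (p) { memcpy(q, p, old_n); arena_free(p, old_n); }
    return q;
}
static int arena_is_live(const unsigned char *p) {
    size_t off = (size_t)(p - g_arena);
    return off < ARENA_SIZE && g_live[off];
}
/* Checked store: refuses to write into a freed block (a poor man's ASan). */
static int put_u8(unsigned char *cursor, unsigned char v) {
    if (!arena_is_live(cursor)) return 0;
    *cursor = v;
    return 1;
}

/* Hypothetical model of the encoder's scratch buffer for header markers. */
typedef struct {
    unsigned char *header_tile_data;
    size_t         header_tile_data_size;
} encoder_t;

#define MCO_MARKER 0xFF77u   /* illustrative marker code, assumed for the demo */
enum { WRITE_OK = 1, WRITE_OOM = 0, WRITE_UAF = -1 };

/* Grow the scratch buffer if needed; on failure release it and zero the
 * fields so a later destroy cannot free it again. */
static int ensure_capacity(encoder_t *e, size_t need) {
    if (need <= e->header_tile_data_size) return 1;
    unsigned char *n = arena_realloc(e->header_tile_data, e->header_tile_data_size, need);
    if (!n) {
        arena_free(e->header_tile_data, e->header_tile_data_size);
        e->header_tile_data = NULL; e->header_tile_data_size = 0;
        return 0;
    }
    e->header_tile_data = n; e->header_tile_data_size = need;
    return 1;
}

/* Marker segment: code(2) | Lmco(2) | Nmco(1) | Nmco record bytes. */
static int emit_mco(unsigned char *cur, const unsigned char *records, size_t nrec) {
    size_t lmco = 3 + nrec;   /* Lmco counts itself, Nmco and the records */
    if (!put_u8(cur++, (unsigned char)(MCO_MARKER >> 8)) || !put_u8(cur++, (unsigned char)MCO_MARKER)) return 0;
    if (!put_u8(cur++, (unsigned char)(lmco >> 8)) || !put_u8(cur++, (unsigned char)lmco)) return 0;
    if (!put_u8(cur++, (unsigned char)nrec)) return 0;
    for (size_t i = 0; i < nrec; i++) if (!put_u8(cur++, records[i])) return 0;
    return 1;
}

/* Vulnerable shape: the cursor is taken BEFORE the buffer may be
 * reallocated, so it can point into the freed old block. */
static int write_mco_vulnerable(encoder_t *e, const unsigned char *records, size_t nrec) {
    unsigned char *l_current_data = e->header_tile_data;
    size_t l_mco_size = 5 + nrec;
    if (!ensure_capacity(e, l_mco_size)) return WRITE_OOM;
    return emit_mco(l_current_data, records, nrec) ? WRITE_OK : WRITE_UAF;
}

/* Fixed shape: re-read the cursor after the buffer has (possibly) moved. */
static int write_mco_fixed(encoder_t *e, const unsigned char *records, size_t nrec) {
    size_t l_mco_size = 5 + nrec;
    if (!ensure_capacity(e, l_mco_size)) return WRITE_OOM;
    unsigned char *l_current_data = e->header_tile_data;
    return emit_mco(l_current_data, records, nrec) ? WRITE_OK : WRITE_UAF;
}

static const unsigned char k_records[3] = {0, 1, 2};   /* constructed sample */

/* Fresh arena and encoder whose scratch buffer has initial_size bytes;
 * anything below 8 forces the realloc for a 3-record MCO segment. */
static void setup(encoder_t *e, size_t initial_size) {
    g_top = 0; memset(g_live, 0, sizeof g_live);
    e->header_tile_data = arena_alloc(initial_size);
    e->header_tile_data_size = initial_size;
}
static int run_write_mco(int (*write_mco)(encoder_t *, const unsigned char *, size_t), size_t initial_size) {
    encoder_t e;
    setup(&e, initial_size);
    return write_mco(&e, k_records, 3);
}
/* Checks the bytes the fixed writer produces after a forced realloc. */
static int fixed_output_is_well_formed(void) {
    static const unsigned char expect[8] = {0xFF, 0x77, 0x00, 0x06, 0x03, 0x00, 0x01, 0x02};
    encoder_t e;
    setup(&e, 4);
    if (write_mco_fixed(&e, k_records, 3) != WRITE_OK) return 0;
    return memcmp(e.header_tile_data, expect, sizeof expect) == 0;
}
```

run_write_mco(write_mco_vulnerable, 4) returns WRITE_UAF because the first checked store lands in the block the realloc just released; with a buffer already large enough (initial size 16) the same code returns WRITE_OK, which is why the bug depends on l_mco_size relative to the current buffer size rather than showing on every call.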
(from redmine: issue id 4754, created on 2015-10-08, closed on 2015-10-14)
- Relations:
- parent #4752 (closed)
- Changesets:
- Revision 761b7d00 by Natanael Copa on 2015-10-14T08:47:35Z:
main/openjpg: security fix for CVE-2015-6581
also add upstream fix for a potential use-after-free
ref #4752
fixes #4754