
sprintf buffer overflow in opj_compress/opj_decompress.c (parse_cmdline_encoder) #1129

Open
robbiejones96 opened this issue Jul 31, 2018 · 1 comment

robbiejones96 commented Jul 31, 2018

A buffer overflow is possible in opj_compress and opj_decompress when using the -ImgDir -OutFor options.

Vulnerable Code: opj_compress.c:parse_cmdline_encoder

```c
case 'O': {         /* output format */
    char outformat[50];
    char *of = opj_optarg;
    sprintf(outformat, ".%s", of);
```

The vulnerable code in opj_decompress.c is identical.

Reason: opj_optarg comes straight from argv, so no length checking is done to see if it fits in outformat. A malicious user can supply an output format whose length is greater than 50 characters, which results in a buffer overflow after the sprintf call.

Reproducing the attack:

```sh
./opj_compress -ImgDir Images -OutFor aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
```

"Images" can be any folder name, and here the -OutFor argument is 50 a's to overflow the buffer.

On my machine (ec2 t2-micro), using 1200 a's results in a segmentation fault.

Proposed mitigation:

There are multiple ways to do this; for example, you can allocate outformat using strlen(opj_optarg). Also, there are no formats longer than 4 characters, so you can also verify that the argument passed in is only 4 characters.
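As an added example of the second mitigation the report proposes (a bounded write plus a length check on the format name), here is a hardened replacement for the `sprintf` call. This is illustrative code written for this page, not OpenJPEG's own fix; the function name `set_output_format`, the `max_len` parameter and the test inputs are assumptions, and the caller is expected to pass `opj_optarg` where the example passes `of`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define OUTFORMAT_SIZE 50u  /* same size as the fixed buffer in the report */
#define MAX_FORMAT_LEN 4u   /* reporter's observation: no format name is longer than 4 chars */

/* The report's reproduction argument: 50 'a' characters (constructed here for the tests). */
#define REPORT_ARG "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa"

/* Hypothetical bounded replacement for `sprintf(outformat, ".%s", of)`.
 * Writes ".<of>" into outformat (outsize bytes) and returns 0 on success.
 * Returns -1, leaving outformat as an empty string, when the argument is
 * missing or empty, longer than max_len, or would not fit in the buffer.
 * snprintf is used as a second line of defence: even if the length check
 * were wrong, the write could never run past outsize bytes. */
int set_output_format(char *outformat, size_t outsize, const char *of, size_t max_len)
{
    if (outformat == NULL || outsize == 0) return -1;
    outformat[0] = '\0';
    if (of == NULL) return -1;

    size_t len = strlen(of);            /* argv strings are NUL-terminated */
    if (len == 0 || len > max_len) return -1;
    if (len + 2 > outsize) return -1;   /* '.' + name + terminating NUL */

    int n = snprintf(outformat, outsize, ".%s", of);
    if (n < 0 || (size_t)n >= outsize) return -1;  /* truncated or error */
    return 0;
}

/* Returns 1 when the argument is accepted and the result equals `expected`. */
int output_format_equals(const char *of, size_t max_len, const char *expected)
{
    char buf[OUTFORMAT_SIZE];
    if (set_output_format(buf, sizeof buf, of, max_len) != 0) return 0;
    return strcmp(buf, expected) == 0;
}

/* Returns 1 when the argument is rejected (no write beyond an empty string). */
int output_format_rejected(const char *of, size_t max_len)
{
    char buf[OUTFORMAT_SIZE];
    return set_output_format(buf, sizeof buf, of, max_len) != 0;
}

int main(void)
{
    char outformat[OUTFORMAT_SIZE];
    const char *samples[] = { "png", "j2k", "", REPORT_ARG };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = set_output_format(outformat, sizeof outformat, samples[i], MAX_FORMAT_LEN);
        printf("arg length %zu -> %s %s\n", strlen(samples[i]),
               rc == 0 ? "accepted:" : "rejected", rc == 0 ? outformat : "");
    }
    return 0;
}
```

The `max_len` check implements the reporter's "no format is longer than 4 characters" rule; passing `OUTFORMAT_SIZE` instead disables that rule and leaves only the buffer-size check, which still rejects the 50-character argument from the report because the dot and the terminator do not fit.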

@robbiejones96 robbiejones96 changed the title sprintf buffer overflow in opj_compress.c (parse_cmdline_encoder) sprintf buffer overflow in opj_compress/opj_decompress.c (parse_cmdline_encoder) Jul 31, 2018

robbiejones96 commented Aug 1, 2018

This vulnerability is also present in opj_jpwl_compress/opj_jpwl_decompress in the parse_cmdline_encoder.
