NVIDIA nvJPEG2000 Heap-Based Buffer Overflow Vulnerability Allowing Code Execution
Vulnerability
A heap-based buffer overflow vulnerability has been identified in the NVIDIA nvJPEG2000 library version 0.8.0. This vulnerability arises in the Ndecomp parameter handling when parsing JPEG2000 files. An attacker can exploit this issue by providing a specially crafted JPEG2000 file, leading to memory corruption and arbitrary code execution.
Impact
Exploitation of this vulnerability causes a heap-based buffer overflow, allowing for memory corruption and arbitrary code execution.
Reproduction
The vulnerability can be reproduced by using the nvJPEG2000 library to process a crafted JPEG2000 file that triggers the buffer overflow through the Ndecomp parameter. A simple C++ program that links against the nvJPEG2000 library and allocates memory with 'operator new' is sufficient. The crafted file triggers the overflow by manipulating the Ndecomp value in the COC segment, causing the library to overwrite adjacent memory on the heap.
Remediation
Users are advised to upgrade to NVIDIA nvJPEG2000 version 0.8.1, which addresses this vulnerability.
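Added example (not NVIDIA's code and not part of the original advisory): a pre-decode check that walks a raw JPEG 2000 codestream and rejects any COD or COC segment whose Ndecomp field exceeds 32, the maximum allowed by ITU-T T.800. The advisory does not say which values trigger the overflow, so the specification limit is an assumption and passing the check does not replace the upgrade. The function name, return codes and sample bytes are constructed for illustration, and JP2 box-wrapped files are not handled.

```c
#include <stddef.h>
#include <stdint.h>

#define J2K_MAX_NDECOMP 32   /* assumption: T.800 spec limit, not a value from the advisory */
enum { J2K_OK, J2K_BAD_NDECOMP, J2K_MALFORMED };
/* Constructed header-only sample (not a decodable image): SOC, SIZ, COD, COC, EOC. */
const uint8_t j2k_sample[] = {
    0xFF,0x4F, 0xFF,0x51, 0,41, 0,0, 0,0,0,8, 0,0,0,8, 0,0,0,0, 0,0,0,0,
    0,0,0,8, 0,0,0,8, 0,0,0,0, 0,0,0,0, 0,1, 7,1,1,
    0xFF,0x52, 0,12, 0, 0,0,1,0, 5, 4,4,0,1,      /* COD, Ndecomp = 5 */
    0xFF,0x53, 0,9, 0,0, 5, 4,4,0,1, 0xFF,0xD9    /* COC, Ndecomp = 5, then EOC */
};

static unsigned be16(const uint8_t *p) { return (unsigned)p[0] << 8 | p[1]; }
static uint32_t be32(const uint8_t *p) { return (uint32_t)be16(p) << 16 | be16(p + 2); }

/* Check Ndecomp in every COD/COC of the main header and each tile-part header. */
int j2k_check_ndecomp(const uint8_t *buf, size_t len)
{
    size_t pos = 2, tile_end = 0;
    unsigned csiz = 0;
    if (len < 4 || be16(buf) != 0xFF4F || be16(buf + 2) != 0xFF51) return J2K_MALFORMED;
    while (len - pos >= 2) {
        unsigned marker = be16(buf + pos);
        if (marker == 0xFFD9) return J2K_OK;               /* EOC: whole stream walked */
        if (marker == 0xFF93) {                            /* SOD: jump over tile data */
            if (tile_end <= pos) return J2K_MALFORMED;     /* also SOD without SOT */
            pos = tile_end;
            continue;
        }
        if (len - pos < 4) return J2K_MALFORMED;
        size_t seg = be16(buf + pos + 2);                  /* length, includes itself */
        if (seg < 2 || seg > len - pos - 2) return J2K_MALFORMED;
        const uint8_t *p = buf + pos + 4;                  /* first byte of segment body */
        size_t body = seg - 2, nd = 0;                     /* nd: body offset of Ndecomp */
        if (marker == 0xFF52) nd = 5;                      /* COD: Scod(1) SGcod(4) */
        if (marker == 0xFF53) nd = csiz < 257 ? 2 : 3;     /* COC: Ccoc(1|2) Scoc(1) */
        if (marker == 0xFF51) {                            /* SIZ: Csiz at body offset 34 */
            if (body < 36) return J2K_MALFORMED;
            csiz = be16(p + 34);
        } else if (marker == 0xFF90) {                     /* SOT: Psot 0 = runs to EOC */
            if (body < 8 || be32(p + 2) > len - pos) return J2K_MALFORMED;
            tile_end = be32(p + 2) ? pos + be32(p + 2) : len - 2;
        }
        if (nd && body <= nd) return J2K_MALFORMED;
        if (nd && p[nd] > J2K_MAX_NDECOMP) return J2K_BAD_NDECOMP;
        pos += 2 + seg;
    }
    return J2K_MALFORMED;                                  /* ended without EOC */
}
```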