uclouvain openjpeg
cpe:2.3:a:openjpeg:openjpeg:*:*:*:*:*:*:*, +1 more
- <= 2.5.3
A heap buffer write vulnerability has been identified in OpenJPEG versions through 2.5.3. The issue arises in the 'opj_jp2_read_header' function, where an uninitialized pointer can lead to an out-of-bounds write in heap memory. This occurs when the data stream is too short and the image pointer is not properly initialized before the header is read.
Exploitation of this vulnerability allows for a heap-use-after-free condition, which can lead to arbitrary memory overwrites. In the context of OpenCV, this vulnerability was demonstrated to cause a use-after-free error that could be exploited to overwrite memory with controlled values, potentially leading to arbitrary code execution.
The vulnerability can be reproduced by using OpenCV to decode a crafted JPEG 2000 image that exploits the uninitialized pointer in the 'opj_jp2_read_header' function. This can be done by creating a JPEG 2000 file that triggers the vulnerability, such as one that is missing required data, and then using OpenCV's 'imdecode' function to process the image. The issue can be detected by compiling OpenCV with AddressSanitizer, which will report the heap-use-after-free error.
Users can upgrade to OpenJPEG versions 2.5.4 or later, where this vulnerability has been fixed.
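The failure mode described above (a header reader handed a too-short stream together with an image pointer that was never initialized) can be modelled in a few lines of C, shown here in hardened form. This is an added example, not OpenJPEG or OpenCV code and not the upstream fix; `image_t`, `read_header`, `decode_width` and the 8-byte toy header are hypothetical stand-ins.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-ins for illustration; not OpenJPEG types or functions. */
typedef struct { uint32_t width, height, color_space; } image_t;

#define HEADER_LEN 8u /* constructed toy header: width, height as big-endian u32 */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hardened reader: the out-parameter gets a defined value before any parsing,
 * and nothing is written through it unless the whole header was read. */
bool read_header(const uint8_t *data, size_t len, image_t **out) {
    if (out == NULL) return false;
    *out = NULL; /* a stale caller value can never be dereferenced later */
    if (data == NULL || len < HEADER_LEN) return false; /* stream too short */
    image_t *img = calloc(1, sizeof *img);
    if (img == NULL) return false;
    img->width = be32(data);
    img->height = be32(data + 4);
    if (img->width == 0 || img->height == 0) { free(img); return false; }
    img->color_space = 1; /* post-parse write happens only on success */
    *out = img;
    return true;
}

/* Caller side: initialize the pointer and treat failure as "no image". */
int decode_width(const uint8_t *data, size_t len) {
    image_t *img = NULL;
    if (!read_header(data, len, &img)) return -1;
    int w = (int)img->width;
    free(img);
    return w;
}

int main(void) {
    static const uint8_t ok[] = {0, 0, 0, 16, 0, 0, 0, 8}; /* constructed sample */
    static const uint8_t cut[] = {0, 0, 0};                /* constructed truncated stream */
    return (decode_width(ok, sizeof ok) == 16 &&
            decode_width(cut, sizeof cut) == -1) ? 0 : 1;
}
```

Initializing on both sides is deliberate: the reader cannot assume its callers pass a clean pointer, and the caller cannot assume the reader sets it on every error path.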