CVE-2018-5727

Vulnerability

In OpenJPEG version 2.3.0, the opj_t1_encode_cblks function in openjp2/t1.c contains a signed integer overflow vulnerability [1]. When processing a specially crafted BMP file, the multiplication 322385710 * 64 overflows a 32-bit signed integer, leading to undefined behavior. This code path is reachable when using the opj_compress utility or any application that encodes images using the OpenJPEG library.

Exploitation

An attacker can exploit this vulnerability by providing a malicious BMP file to the opj_compress command (e.g., opj_compress -n 1 -i $POC -o /tmp/null.j2k) [1]. No authentication or special privileges are required; the attacker only needs to convince a user or automated system to process the crafted file. The overflow occurs during the encoding process, specifically in the T1 encoder.

Impact

Successful exploitation results in a denial of service (DoS) due to the integer overflow causing undefined behavior, typically manifesting as a crash or hang of the application. The vulnerability does not appear to allow arbitrary code execution or information disclosure based on the available reference.

Mitigation

As of the publication date (2018-01-16), no patched version of OpenJPEG was announced in the reference [1]. Users should update to the latest version of OpenJPEG, which may contain a fix for this issue. If an update is not possible, avoid processing untrusted BMP files with OpenJPEG-based tools.