CVE-2020-27814

Vulnerability

A heap-buffer overflow vulnerability exists in the opj_mqc_byteout function in lib/openjp2/mqc.c of OpenJPEG version 2.3.1 and potentially earlier versions [1][2]. The flaw occurs during the encoding of a PNG image into a JPEG 2000 stream, triggered via the opj_compress utility with the -M 3 flag. The overflow is a write of size 1 at an address 0 bytes to the right of a heap buffer, as reported by AddressSanitizer [1]. The vulnerable code path involves the MQ (Mellin–Quisquater) coder used in the JPEG 2000 compression process.

Exploitation

An attacker can exploit this vulnerability by supplying a specially crafted PNG file to the opj_compress tool (or any application using the OpenJPEG library to encode images). No authentication or special privileges are required; the attacker only needs the ability to deliver the malicious file to the victim. The exploitation sequence is: the victim runs opj_compress -i malicious.png -o output.j2k -M 3, which triggers the heap-buffer overflow in opj_mqc_byteout during the tile encoding phase [1]. The error was discovered using a fuzzer with AddressSanitizer [2].

Impact

Successful exploitation could lead to an application crash (denial of service) or, in some cases, arbitrary code execution with the privileges of the user running the application [1][2]. The vulnerability allows an out-of-bounds write, which may be leveraged for remote code execution if the attacker can control the overflow data [2].

Mitigation

The vulnerability is fixed in OpenJPEG version 2.4.0 [3]. Users should upgrade to this version or later. For distributions such as Gentoo, the update is available as >=media-libs/openjpeg-2.4.0:2 [3]. No known workaround exists for unpatched versions; users relying on OpenJPEG for PNG-to-JPEG2000 encoding should apply the patch immediately [3]. The CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing.