[3.3] openjpeg: Double free and use after free vulnerabilities
Double free vulnerability (CVE-2015-6581)
Double free vulnerability in the opj_j2k_copy_default_tcp_and_create_tcd function in j2k.c in OpenJPEG before r3002, as used in PDFium in Google Chrome before 45.0.2454.85, allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by triggering a memory-allocation failure.
A use-after-free vulnerability was found in the opj_j2k_write_mco function in j2k.c. 'l_current_data' is set to 'p_j2k->m_specific_param.m_encoder.m_header_tile_data', which is later passed to 'realloc' and can be freed depending on the length of 'l_mco_size'; 'l_current_data' is then used and can point to freed memory.
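The bug shape described above (a pointer cached before a realloc of the buffer it points into, then used after the realloc) is a general C pattern, so here is an added illustration that is not openjpeg's code: the struct, field names and marker layout are hypothetical stand-ins for the encoder's header buffer, and the "stale" variant detects the moved buffer instead of writing through the dangling pointer so the program stays well-defined. The fixed variant shows the usual remedy, deriving the working pointer only after the buffer has been grown.

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical stand-in for the encoder's header buffer (not openjpeg's real struct). */
typedef struct {
    uint8_t *header_tile_data;
    size_t   header_tile_data_size;
} hdr_buf_t;

/* Grow the buffer to at least `needed` bytes (the realloc step from the description).
   Returns 0 on success; on failure the old buffer is left untouched and still owned. */
static int hdr_buf_reserve(hdr_buf_t *b, size_t needed) {
    if (needed <= b->header_tile_data_size) return 0;
    uint8_t *p = realloc(b->header_tile_data, needed);
    if (!p) return -1;
    b->header_tile_data = p;
    b->header_tile_data_size = needed;
    return 0;
}

/* Fill a marker segment: placeholder 2-byte marker code, 2-byte length (length field +
   payload, as JPEG 2000 segments count it), then the payload. Returns bytes written. */
static int emit_segment(uint8_t *dst, const uint8_t *payload, size_t n) {
    size_t seg_len = 2 + n;
    dst[0] = 0xFF; dst[1] = 0xEE;                       /* placeholder marker code */
    dst[2] = (uint8_t)(seg_len >> 8); dst[3] = (uint8_t)seg_len;
    memcpy(dst + 4, payload, n);
    return (int)(4 + n);
}

/* Buggy shape: the working pointer is taken BEFORE the buffer may be reallocated.
   Real code would write through `current` here; this demo returns -2 instead of
   touching the freed block whenever realloc moved the buffer. */
static int write_marker_stale(hdr_buf_t *b, const uint8_t *payload, size_t n) {
    uint8_t *current = b->header_tile_data;             /* cached too early */
    if (hdr_buf_reserve(b, 4 + n) != 0) return -1;
    if (current != b->header_tile_data) return -2;      /* `current` now dangles */
    return emit_segment(current, payload, n);
}

/* Fixed shape: grow first, then derive the working pointer from the struct. */
static int write_marker_fixed(hdr_buf_t *b, const uint8_t *payload, size_t n) {
    if (hdr_buf_reserve(b, 4 + n) != 0) return -1;
    uint8_t *current = b->header_tile_data;             /* fresh after realloc */
    return emit_segment(current, payload, n);
}

/* Constructed sample: a 2-byte buffer that must grow to hold an 8-byte payload. */
static const uint8_t sample_payload[8] = {1, 2, 3, 4, 5, 6, 7, 8};

/* Runs the fixed variant and checks the bytes landed; returns bytes written or -1. */
int demo_fixed(void) {
    hdr_buf_t b = { malloc(2), 2 };
    if (!b.header_tile_data) return -1;
    int n = write_marker_fixed(&b, sample_payload, sizeof sample_payload);
    int ok = n == 12 && b.header_tile_data[0] == 0xFF && b.header_tile_data[3] == 10
             && b.header_tile_data[11] == 8;
    free(b.header_tile_data);
    return ok ? n : -1;
}

/* Runs the buggy variant: 12 if realloc happened to grow in place, -2 if it moved. */
int demo_stale(void) {
    hdr_buf_t b = { malloc(2), 2 };
    if (!b.header_tile_data) return -1;
    int n = write_marker_stale(&b, sample_payload, sizeof sample_payload);
    free(b.header_tile_data);
    return n;
}
```

Whether the buggy variant misbehaves depends on whether realloc moves the block, which is exactly why this class of bug survives testing: the demo returns -2 only when the move happens, and AddressSanitizer or a similar tool is the reliable way to catch the real write through the dangling pointer.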
This one is still waiting for a CVE:
(from redmine: issue id 4753, created on 2015-10-08, closed on 2015-10-14)
- parent #4752 (closed)
- Revision 35be8d73 by Natanael Copa on 2015-10-14T08:46:28Z:
main/openjpg: security fix for CVE-2015-6581 also add upstream fix a potential use-after-free ref #4752 fixes #4753