oss-sec mailing list archives

Re: Integer overflow in the JasPer's jas_matrix_create() function


From: cve-assign () mitre org
Date: Thu, 7 Jan 2016 21:41:57 -0500 (EST)


https://bugzilla.redhat.com/show_bug.cgi?id=1294039

We found a vulnerability in the way JasPer's jas_matrix_create()
function parses certain JPEG 2000 image files.

jas_matrix_t *jas_matrix_create(int numrows, int numcols)
{
        .......

        if (matrix->maxrows_ > 0) {
                if (!(matrix->rows_ = jas_malloc(matrix->maxrows_ *
                  sizeof(jas_seqent_t *)))) {


matrix->maxrows_ > 0, but matrix->maxrows_ * sizeof(jas_seqent_t *)
can cause an integer overflow.

Despite this library being used by many programs
(http://www.ece.uvic.ca/~frodo/jasper/#overview), there is no one
providing support.

Use CVE-2015-8751.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
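
Added example (not part of the original message and not JasPer's code): the size computation quoted in the report, shown wrapping and then guarded before allocation. The names unchecked_size32, checked_size and alloc_row_table are hypothetical, the row count is a constructed value, and a 32-bit size_t is modelled with uint32_t so the wrap is visible on any build host.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked product as computed where size_t is 32 bits wide
 * (assumption): the result is reduced modulo 2^32. */
static uint32_t unchecked_size32(int count, uint32_t elem_size)
{
    return (uint32_t)count * elem_size;
}

/* Returns count * elem_size, or 0 when count is not positive or the
 * product would exceed limit. 0 is never a valid size here. */
static size_t checked_size(int count, size_t elem_size, size_t limit)
{
    if (count <= 0 || elem_size == 0)
        return 0;
    if ((size_t)count > limit / elem_size)
        return 0;
    return (size_t)count * elem_size;
}

/* Hypothetical row-table allocator: fails instead of returning a
 * buffer smaller than numrows pointers. */
static void **alloc_row_table(int numrows)
{
    size_t bytes = checked_size(numrows, sizeof(void *), SIZE_MAX);
    return bytes ? malloc(bytes) : NULL;
}

int main(void)
{
    int rows = 0x40000001;   /* constructed value: positive, passes "> 0" */
    void **table = alloc_row_table(16);

    printf("unchecked 32-bit size: %u bytes\n",
           (unsigned)unchecked_size32(rows, 4));
    printf("checked, 32-bit limit: %zu (0 = rejected)\n",
           checked_size(rows, 4, UINT32_MAX));
    printf("16-row table allocated: %s\n", table ? "yes" : "no");
    free(table);
    return 0;
}
```

With 4-byte pointers, the constructed row count yields a 4-byte request for a table the caller believes holds over a billion entries; the guarded version rejects it before any allocation.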

