oss-sec mailing list archives
Re: Integer overflow in the JasPer's jas_matrix_create() function
From: cve-assign () mitre org
Date: Thu, 7 Jan 2016 21:41:57 -0500 (EST)
https://bugzilla.redhat.com/show_bug.cgi?id=1294039
We find a vulnerability in the way JasPer's jas_matrix_create() function parsed certain JPEG 2000 image files.

jas_matrix_t *jas_matrix_create(int numrows, int numcols)
{
    .......
    if (matrix->maxrows_ > 0) {
        if (!(matrix->rows_ = jas_malloc(matrix->maxrows_ * sizeof(jas_seqent_t *)))) {

matrix->maxrows_ > 0, but matrix->maxrows_ * sizeof(jas_seqent_t *) can cause an integer overflow.

Although this library is used by many programs (http://www.ece.uvic.ca/~frodo/jasper/#overview), there is no one providing support.
Use CVE-2015-8751.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
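The size computation quoted in the report, worked through as an added example (not code from the post or from JasPer, and not JasPer's actual fix). The names `unchecked_size32`, `checked_mul` and `alloc_rows` are hypothetical, and a 32-bit `size_t` with 4-byte pointers is modelled with `uint32_t` so the wraparound is visible on a 64-bit host as well.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The multiplication from the quoted snippet, modelled for an ILP32 build:
 * 32-bit size_t, sizeof(jas_seqent_t *) == 4 (assumption of this example). */
static uint32_t unchecked_size32(int maxrows)
{
    return (uint32_t)maxrows * (uint32_t)4;   /* wraps modulo 2^32 */
}

/* Checked multiply: 0 and *out = a * b when the product fits in `limit`,
 * -1 when it would exceed it. Pass SIZE_MAX for the real size_t range. */
static int checked_mul(size_t a, size_t b, size_t limit, size_t *out)
{
    if (b != 0 && a > limit / b)
        return -1;
    *out = a * b;
    return 0;
}

/* Hypothetical hardened row-table allocation: refuse non-positive counts
 * and any count whose byte size cannot be represented in size_t. */
static void **alloc_rows(int maxrows)
{
    size_t bytes;
    if (maxrows <= 0)
        return NULL;
    if (checked_mul((size_t)maxrows, sizeof(void *), SIZE_MAX, &bytes) != 0)
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    int rows = 0x40000001;   /* constructed value: positive, passes "> 0" */
    size_t bytes = 0;

    /* Unchecked: 0x40000001 * 4 = 0x100000004, truncated to 4 bytes. */
    printf("unchecked 32-bit request: %u bytes\n",
           (unsigned)unchecked_size32(rows));
    /* Checked against a 32-bit limit: the same input is rejected. */
    printf("checked against 32-bit limit: %s\n",
           checked_mul((size_t)rows, 4, UINT32_MAX, &bytes) ? "rejected" : "ok");
    free(alloc_rows(16));
    return 0;
}
```

With a 64-bit `size_t` a positive `int` times 8 cannot wrap, so the undersized allocation is specific to builds where `size_t` is 32 bits wide.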