oss-sec mailing list archives
CVE-request: heap-buffer-overflow in jasper
From: xiaoqixue_1 <xiaoqixue_1 () 163 com>
Date: Tue, 20 Jun 2017 14:31:03 +0800 (CST)
Description:
jasper is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard.

A crafted image causes a read overflow in the latest version 2.0.12, and this issue also exists in the latest commit of the GitHub repo (https://github.com/mdadams/jasper).

The complete ASan output:

# ./install/bin/jasper -f $FILE -F /tmp/1.pnm -T pnm
=================================================================
==1220==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000ee18 at pc 0x7fe8a1e0211b bp 0x7fffb4a6cb20 sp 0x7fffb4a6cb18
READ of size 8 at 0x60300000ee18 thread T0
    #0 0x7fe8a1e0211a in jp2_decode /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/libjasper/jp2/jp2_dec.c:405
    #1 0x7fe8a1ddc192 in jas_image_decode /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/libjasper/base/jas_image.c:444
    #2 0x40217a in main /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/appl/jasper.c:236
    #3 0x7fe8a1a00f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #4 0x401958 (/data/xqx/tests/libjasper-test/codes/abuild/install/bin/jasper+0x401958)

0x60300000ee18 is located 0 bytes to the right of 24-byte region [0x60300000ee00,0x60300000ee18)
allocated by thread T0 here:
    #0 0x7fe8a2125862 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54862)
    #1 0x7fe8a1de5ec3 in jas_malloc /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/libjasper/base/jas_malloc.c:242
    #2 0x7fe8a1de6072 in jas_alloc2 /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/libjasper/base/jas_malloc.c:275
    #3 0x7fe8a1dfb896 in jp2_cdef_getdata /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/libjasper/jp2/jp2_cod.c:468
    #4 0x7fe8a1dfaa46 in jp2_box_get /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/libjasper/jp2/jp2_cod.c:303
    #5 0x7fe8a1e0015a in jp2_decode /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/libjasper/jp2/jp2_dec.c:159
    #6 0x7fe8a1ddc192 in jas_image_decode /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/libjasper/base/jas_image.c:444
    #7 0x40217a in main /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/appl/jasper.c:236
    #8 0x7fe8a1a00f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)

SUMMARY: AddressSanitizer: heap-buffer-overflow /data/xqx/tests/libjasper-test/codes/jasper-2.0.12/src/libjasper/jp2/jp2_dec.c:405 jp2_decode
Shadow bytes around the buggy address:
  0x0c067fff9d70: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c067fff9d80: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c067fff9d90: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
  0x0c067fff9da0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c067fff9db0: fd fa fa fa fd fd fd fd fa fa fd fd fd fa fa fa
=>0x0c067fff9dc0: 00 00 00[fa]fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fff9dd0: fa fa 00 00 00 02 fa fa 00 00 07 fa fa fa 00 00
  0x0c067fff9de0: 05 fa fa fa 00 00 07 fa fa fa 00 00 00 06 fa fa
  0x0c067fff9df0: 00 00 00 06 fa fa 00 00 00 06 fa fa 00 00 06 fa
  0x0c067fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==1220==ABORTING

Affected version: the latest version 2.0.12, and also the latest commit 1cce277.
Fixed version: N/A
Commit fix: N/A
Credit: the bug is found by Qixue Xiao and Kang Li.
CVE: N/A
Reproducer: https://github.com/xiaoqx/pocs/blob/master/026-jasper-jps_decode-heapoverflow
Timeline:
2017-06-14: bug discovered and reported upstream
Note: This bug was found with American Fuzzy Lop.

--
xiaoqixue_1 () 163 com
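The trace above shows an 8-byte read at offset 24 of a 24-byte heap region, i.e. one element past the end of a table that jp2_cdef_getdata allocated with jas_alloc2 and that jp2_decode indexes at jp2_dec.c:405. The C program below is an added illustration written for this page; it is not JasPer's code and is not derived from the reporter's proof of concept. With hypothetical names (cdef_parse, apply_cdef_unchecked, apply_cdef_checked) and a constructed box payload, it models one common way a decoder runs off the end of such a table, namely by looping over the number of image channels while the table was sized from the box's own entry count, and shows a bounds check that rejects the mismatch instead of reading past the allocation. That this is the exact mechanism behind jp2_dec.c:405 is an assumption the report itself does not confirm.

```c
/* Added illustration, not JasPer source: a channel-definition table parsed
 * from a box payload, then consumed by a decode step that maps each image
 * channel to its definition. Names and layout are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct {
    uint_fast16_t channo;   /* channel number this entry describes */
    uint_fast16_t type;     /* colour / opacity / ... */
    uint_fast16_t assoc;    /* association */
} cdef_ent_t;   /* 3 x 8 bytes = 24 bytes on LP64, the region size in the ASan report */

typedef struct {
    unsigned numents;       /* entry count taken from the box itself */
    cdef_ent_t *ents;       /* numents elements, allocated like jas_alloc2(n, sizeof *ents) */
} cdef_box_t;

static uint16_t be16(const unsigned char *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Parse a constructed payload: big-endian uint16 N, then N entries of three uint16 fields.
 * Returns 0 on success, -1 on a truncated box or allocation failure. */
static int cdef_parse(const unsigned char *buf, size_t len, cdef_box_t *box) {
    if (len < 2) return -1;
    unsigned n = be16(buf);
    if (len < 2 + (size_t)n * 6) return -1;          /* box shorter than it claims */
    box->ents = calloc(n, sizeof *box->ents);        /* table sized from the box, not the image */
    if (!box->ents) return -1;
    box->numents = n;
    for (unsigned i = 0; i < n; ++i) {
        const unsigned char *e = buf + 2 + i * 6;
        box->ents[i].channo = be16(e);
        box->ents[i].type   = be16(e + 2);
        box->ents[i].assoc  = be16(e + 4);
    }
    return 0;
}

/* Unsafe pattern: the loop bound is the image's channel count, not the table's
 * entry count. If numchans > box->numents the read at ents[i] leaves the
 * allocation, which is exactly what ASan flags as a heap-buffer-overflow read. */
static int apply_cdef_unchecked(const cdef_box_t *box, unsigned numchans, uint_fast16_t *types_out) {
    for (unsigned i = 0; i < numchans; ++i)
        types_out[i] = box->ents[i].type;            /* OOB read when i >= box->numents */
    return 0;
}

/* Hardened: validate the table against the image before indexing it. */
static int apply_cdef_checked(const cdef_box_t *box, unsigned numchans, uint_fast16_t *types_out) {
    if (box->numents < numchans) return -1;          /* too few entries for this image: reject */
    for (unsigned i = 0; i < numchans; ++i) {
        if (box->ents[i].channo >= numchans) return -1;   /* channel number out of range */
        types_out[i] = box->ents[i].type;
    }
    return 0;
}

/* Constructed input: a box declaring ONE entry, applied to a THREE-channel image.
 * Returns the hardened path's result (-1 = rejected). The unchecked path is not
 * called here because it would read past the 24-byte allocation. */
static int demo_short_table(void) {
    static const unsigned char one_entry[] = { 0x00,0x01,  0x00,0x00, 0x00,0x00, 0x00,0x00 };
    cdef_box_t box;
    uint_fast16_t types[3];
    if (cdef_parse(one_entry, sizeof one_entry, &box) != 0) return -2;
    int rc = apply_cdef_checked(&box, 3, types);
    free(box.ents);
    return rc;
}

/* Constructed input: a complete three-entry table. Both paths agree here;
 * returns the type of channel 2 (expected 2), or -1 if the table is rejected. */
static int demo_full_table(void) {
    static const unsigned char three_entries[] = {
        0x00,0x03,
        0x00,0x00, 0x00,0x01, 0x00,0x00,
        0x00,0x01, 0x00,0x01, 0x00,0x00,
        0x00,0x02, 0x00,0x02, 0x00,0x00,
    };
    cdef_box_t box;
    uint_fast16_t a[3], b[3];
    if (cdef_parse(three_entries, sizeof three_entries, &box) != 0) return -2;
    int rc = apply_cdef_checked(&box, 3, a);
    apply_cdef_unchecked(&box, 3, b);                /* safe only because numents == numchans */
    free(box.ents);
    if (rc != 0 || a[2] != b[2]) return -1;
    return (int)a[2];
}

int main(void) {
    printf("short table: %d (expect -1, rejected)\n", demo_short_table());
    printf("full table:  %d (expect 2, type of channel 2)\n", demo_full_table());
    return 0;
}
```

The check in apply_cdef_checked is one defensible policy (reject an image whose definition table does not cover every channel); a decoder could instead fall back to defaults for the uncovered channels. Either way, the invariant to enforce is that no index into the table exceeds the count the table was allocated from.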
Current thread:
- CVE-request: heap-buffer-overflow in jasper xiaoqixue_1 (Jun 20)
- Re: CVE-request: heap-buffer-overflow in jasper Emilio Pozuelo Monfort (Jun 21)
- Re:Re: [oss-security] CVE-request: heap-buffer-overflow in jasper xiaoqixue_1 (Jun 21)