[Bug 1021868] New: VUL-0: jasper: NULL pointer dereference in jp2_cdef_destroy (jp2_cod.c)
![](https://seccdn.libravatar.org/avatar/3035b38ff33cf86f480bb169b8500b80.jpg?s=120&d=mm&r=g)
http://bugzilla.opensuse.org/show_bug.cgi?id=1021868 Bug ID: 1021868 Summary: VUL-0: jasper: NULL pointer dereference in jp2_cdef_destroy (jp2_cod.c) Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.2 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team@suse.de Reporter: mikhail.kasimov@gmail.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- Created attachment 711551 --> http://bugzilla.opensuse.org/attachment.cgi?id=711551&action=edit Reproducer Ref: http://seclists.org/oss-sec/2017/q1/191 ================================================ Description: jasper is an open-source initiative to provide a free software-based reference implementation of the codec specified in the JPEG-2000 Part-1 standard. Another round of fuzzing shows that a crafted image causes a NULL pointer access. The complete ASan output: # imginfo -f $FILE cannot parse box data ASAN:DEADLYSIGNAL ================================================================= ==6697==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000041da35 bp 0xbebebebebebebeae sp 0x7fff60ad6480 T0) #0 0x41da34 in atomic_compare_exchange_strong /tmp/portage/sys- devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler- rt/lib/asan/../sanitizer_common/sanitizer_atomic_clang.h:81 #1 0x41da34 in __asan::Allocator::AtomicallySetQuarantineFlagIfAllocated(__asan::AsanChunk*, void*, __sanitizer::BufferedStackTrace*) /tmp/portage/sys- devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler- rt/lib/asan/asan_allocator.cc:468 #2 0x41da34 in __asan::Allocator::Deallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType) /tmp/portage/sys- devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler- rt/lib/asan/asan_allocator.cc:522 #3 0x41da34 in __asan::asan_free(void*, __sanitizer::BufferedStackTrace*, __asan::AllocType) /tmp/portage/sys- devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler- rt/lib/asan/asan_allocator.cc:725 #4 0x4d271c in free /tmp/portage/sys- devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler- rt/lib/asan/asan_malloc_linux.cc:50 #5 0x7f86ef11c995 in jp2_cdef_destroy /tmp/portage/media- libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/jp2/jp2_cod.c:230:3 #6 0x7f86ef11e18e in jp2_box_destroy /tmp/portage/media- libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/jp2/jp2_cod.c:212:3 #7 0x7f86ef11e18e in jp2_box_get /tmp/portage/media- libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/jp2/jp2_cod.c:319 #8 0x7f86ef1219f6 in jp2_decode /tmp/portage/media- libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/jp2/jp2_dec.c:159:16 #9 0x7f86ef0e4214 in jas_image_decode /tmp/portage/media- libs/jasper-2.0.10/work/jasper-2.0.10/src/libjasper/base/jas_image.c:444:16 #10 0x50a3be in main /tmp/portage/media- libs/jasper-2.0.10/work/jasper-2.0.10/src/appl/imginfo.c:238:16 #11 0x7f86ee1c478f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23- r3/work/glibc-2.23/csu/../csu/libc-start.c:289 #12 0x419cd8 in _start (/usr/bin/imginfo+0x419cd8) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /tmp/portage/sys- devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler- rt/lib/asan/../sanitizer_common/sanitizer_atomic_clang.h:81 in atomic_compare_exchange_strong ==6697==ABORTING Affected version: 2.0.10 Fixed version: N/A Commit fix: N/A Credit: This bug was discovered by Agostino Sarubbo of Gentoo. CVE: N/A Reproducer: https://github.com/asarubbo/poc/blob/master/00124-jasper-nullptr-jp2_cdef_de... Timeline: 2017-01-18: bug discovered and reported upstream 2017-01-25: blog post about the issue Note: This bug was found with American Fuzzy Lop. Permalink: https://blogs.gentoo.org/ago/2017/01/25/jasper-null-pointer-dereference-in-j... -- Agostino Sarubbo Gentoo Linux Developer
From http://seclists.org/oss-sec/2017/q1/194 : "This should be https://github.com/mdadams/jasper/issues/112 " ================================================
Tested on jasper-1.900.14-170.1.x86_64 (https://software.opensuse.org/package/jasper), which is in openSUSE official repo: ================================================= k_mikhail@linux-mk500:~> imginfo -f 00124-jasper-nullptr-jp2_cdef_destroy cannot parse box data Ошибка сегментирования (core dumped) k_mikhail@linux-mk500:~> imginfo --version 1.900.14 ================================================= -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@novell.com