heap-based buffer overflow in jp2_decode (jp2_dec.c) #140

xiaoqx · 2017-06-14T04:00:33Z

A heap overflow is found in jasper, and the tested commit is 1cce277.

# jasper --input $FILE --output /tmp/1.ppm --output-format pnm
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000ee18 at pc 0x7f962fff7417 bp 0x7ffc795e5c40 sp 0x7ffc795e5c38
READ of size 8 at 0x60300000ee18 thread T0
    #0 0x7f962fff7416 in jp2_decode /data/xqx/tests/libjasper-test/jasper/src/libjasper/jp2/jp2_dec.c:405
    #1 0x7f962ff96880 in jas_image_decode /data/xqx/tests/libjasper-test/jasper/src/libjasper/base/jas_image.c:442
    #2 0x4020fb in main /data/xqx/tests/libjasper-test/jasper/src/appl/jasper.c:236
    #3 0x7f962fb63f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #4 0x4035ec (/data/xqx/tests/libjasper-test/aflbuild/install/bin/jasper+0x4035ec)

0x60300000ee18 is located 0 bytes to the right of 24-byte region [0x60300000ee00,0x60300000ee18)
allocated by thread T0 here:
    #0 0x7f96303a9862 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54862)
    #1 0x7f962ffa55d2 in jas_malloc /data/xqx/tests/libjasper-test/jasper/src/libjasper/base/jas_malloc.c:241

SUMMARY: AddressSanitizer: heap-buffer-overflow /data/xqx/tests/libjasper-test/jasper/src/libjasper/jp2/jp2_dec.c:405 jp2_decode
Shadow bytes around the buggy address:
  0x0c067fff9d70: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c067fff9d80: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c067fff9d90: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
  0x0c067fff9da0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c067fff9db0: fd fa fa fa fd fd fd fd fa fa fd fd fd fa fa fa
=>0x0c067fff9dc0: 00 00 00[fa]fa fa 00 00 00 00 fa fa 00 00 00 00
  0x0c067fff9dd0: fa fa 00 00 00 02 fa fa 00 00 07 fa fa fa 00 00
  0x0c067fff9de0: 05 fa fa fa 00 00 07 fa fa fa 00 00 00 06 fa fa
  0x0c067fff9df0: 00 00 00 06 fa fa 00 00 00 06 fa fa 00 00 06 fa
  0x0c067fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe

Testcase:
https://github.com/xiaoqx/pocs/blob/master/026-jasper-jps_decode-heapoverflow

The text was updated successfully, but these errors were encountered:

xiaoqx · 2017-06-26T03:32:35Z

CVE:
http://www.openwall.com/lists/oss-security/2017/06/20/4
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9782

thoger · 2017-07-04T13:11:46Z

The immediate problem is the for (i = 0; i < dec->numchans; ++i) loop in jp2_decode():

https://github.com/mdadams/jasper/blob/version-2.0.13/src/libjasper/jp2/jp2_dec.c#L403

The counter i is used to index dec->cdef->data.cdef.ents[] array and that access goes out of bounds. The cdef.ents[] is allocated in jp2_cdef_getdata() to the size of cdef->numchans:

https://github.com/mdadams/jasper/blob/version-2.0.13/src/libjasper/jp2/jp2_cod.c#L479

So a simplistic fix would be to ensure that dec->cdef->data.cdef.numchans >= dec->numchans (or maybe even ==?) before the loop and error out if dec->cdef->data.cdef.numchans is less than dec->numchans. There might be a better way to handle this error.

thoger · 2017-07-04T13:14:18Z

Also note that there's similar code few lines above for cmap:

https://github.com/mdadams/jasper/blob/version-2.0.13/src/libjasper/jp2/jp2_dec.c#L334

However, that's not an issue as dec->numchans is guaranteed to be dec->cmap->data.cmap.numchans at that point:

https://github.com/mdadams/jasper/blob/version-2.0.13/src/libjasper/jp2/jp2_dec.c#L329-L330

MaxKellermann · 2020-06-28T12:01:39Z

Since this project has been mostly dead for several years, we created a fork which aims to fix all vulnerabilities (of which there are many).
This bug will be fixed by jasper-maint/jasper#38 (merge pending)

jubalh mentioned this issue Jun 15, 2020

CVE-2017-9782 jasper-maint/jasper#18

Closed

jubalh closed this as completed in 839b1bc Jul 28, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

heap-based buffer overflow in jp2_decode (jp2_dec.c) #140

heap-based buffer overflow in jp2_decode (jp2_dec.c) #140

xiaoqx commented Jun 14, 2017

xiaoqx commented Jun 26, 2017

thoger commented Jul 4, 2017

thoger commented Jul 4, 2017

MaxKellermann commented Jun 28, 2020

heap-based buffer overflow in jp2_decode (jp2_dec.c) #140

heap-based buffer overflow in jp2_decode (jp2_dec.c) #140

Comments

xiaoqx commented Jun 14, 2017

xiaoqx commented Jun 26, 2017

thoger commented Jul 4, 2017

thoger commented Jul 4, 2017

MaxKellermann commented Jun 28, 2020