
memory leak detected #188

Closed
magicSwordsMan opened this issue Nov 9, 2018 · 4 comments

Comments

@magicSwordsMan

Hello jasper team,
I have identified an issue affecting jasper by fuzzing it with AFL.

root@kali:~/jasper/outputFuzz/crashes# valgrind -v --tool=memcheck --leak-check=full jasper --input id:000014,sig:06,src:001393,op:havoc,rep:16 --output test.bmp --output-format bmp
==80146== Memcheck, a memory error detector
==80146== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==80146== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==80146== Command: jasper --input id:000014,sig:06,src:001393,op:havoc,rep:16 --output test.bmp --output-format bmp
==80146==
--80146-- Valgrind options:
--80146-- -v
--80146-- --tool=memcheck
--80146-- --leak-check=full
--80146-- Contents of /proc/version:
--80146-- Linux version 4.17.0-kali1-amd64 (devel@kali.org) (gcc version 7.3.0 (Debian 7.3.0-25)) #1 SMP Debian 4.17.8-1kali1 (2018-07-24)
--80146--
--80146-- Arch and hwcaps: AMD64, LittleEndian, amd64-cx16-lzcnt-rdtscp-sse3-avx-avx2-bmi
--80146-- Page sizes: currently 4096, max supported 4096
--80146-- Valgrind library directory: /usr/lib/valgrind
--80146-- Reading syms from /usr/local/bin/jasper
--80146-- Reading syms from /usr/lib/x86_64-linux-gnu/ld-2.27.so
--80146-- Considering /usr/lib/debug/.build-id/dc/5cb16f5e644116cac64a4c3f5da4d081b81a4f.debug ..
--80146-- .. build-id is valid
--80146-- Reading syms from /usr/lib/valgrind/memcheck-amd64-linux
--80146-- Considering /usr/lib/valgrind/memcheck-amd64-linux ..
--80146-- .. CRC mismatch (computed 7680f3df wanted 92e0f93c)
--80146-- Considering /usr/lib/debug/usr/lib/valgrind/memcheck-amd64-linux ..
--80146-- .. CRC is valid
--80146-- object doesn't have a dynamic symbol table
--80146-- Scheduler: using generic scheduler lock implementation.
--80146-- Reading suppressions file: /usr/lib/valgrind/default.supp
==80146== embedded gdbserver: reading from /tmp/vgdb-pipe-from-vgdb-to-80146-by-root-on-???
==80146== embedded gdbserver: writing to /tmp/vgdb-pipe-to-vgdb-from-80146-by-root-on-???
==80146== embedded gdbserver: shared mem /tmp/vgdb-pipe-shared-mem-vgdb-80146-by-root-on-???
==80146==
==80146== TO CONTROL THIS PROCESS USING vgdb (which you probably
==80146== don't want to do, unless you know exactly what you're doing,
==80146== or are doing some strange experiment):
==80146== /usr/lib/valgrind/../../bin/vgdb --pid=80146 ...command...
==80146==
==80146== TO DEBUG THIS PROCESS USING GDB: start GDB like this
==80146== /path/to/gdb jasper
==80146== and then give GDB the following command
==80146== target remote | /usr/lib/valgrind/../../bin/vgdb --pid=80146
==80146== --pid is optional if only one valgrind process is running
==80146==
--80146-- REDIR: 0x401e290 (ld-linux-x86-64.so.2:strlen) redirected to 0x58061781 (vgPlain_amd64_linux_REDIR_FOR_strlen)
--80146-- REDIR: 0x401e070 (ld-linux-x86-64.so.2:index) redirected to 0x5806179b (vgPlain_amd64_linux_REDIR_FOR_index)
--80146-- Reading syms from /usr/lib/valgrind/vgpreload_core-amd64-linux.so
--80146-- Considering /usr/lib/valgrind/vgpreload_core-amd64-linux.so ..
--80146-- .. CRC mismatch (computed 66a2a561 wanted 3789c7eb)
--80146-- Considering /usr/lib/debug/usr/lib/valgrind/vgpreload_core-amd64-linux.so ..
--80146-- .. CRC is valid
--80146-- Reading syms from /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so
--80146-- Considering /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so ..
--80146-- .. CRC mismatch (computed 8487a070 wanted 8af30a91)
--80146-- Considering /usr/lib/debug/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so ..
--80146-- .. CRC is valid
==80146== WARNING: new redirection conflicts with existing -- ignoring it
--80146-- old: 0x0401e290 (strlen ) R-> (0000.0) 0x58061781 vgPlain_amd64_linux_REDIR_FOR_strlen
--80146-- new: 0x0401e290 (strlen ) R-> (2007.0) 0x04838a60 strlen
--80146-- REDIR: 0x401aab0 (ld-linux-x86-64.so.2:strcmp) redirected to 0x4839b90 (strcmp)
--80146-- REDIR: 0x401e7d0 (ld-linux-x86-64.so.2:mempcpy) redirected to 0x483d1a0 (mempcpy)
--80146-- Reading syms from /usr/local/lib/libjasper.so.4.0.0
--80146-- Reading syms from /usr/lib/x86_64-linux-gnu/libm-2.27.so
--80146-- Considering /usr/lib/debug/.build-id/fa/b2857727406caccd7ab22e1729b09ccf2c3eb7.debug ..
--80146-- .. build-id is valid
--80146-- Reading syms from /usr/lib/x86_64-linux-gnu/libc-2.27.so
--80146-- Considering /usr/lib/debug/.build-id/dc/87cd1e2b171a4c51139cb4e1f2ec630e711de3.debug ..
--80146-- .. build-id is valid
--80146-- REDIR: 0x4c2d050 (libc.so.6:memmove) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2c280 (libc.so.6:strncpy) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2d330 (libc.so.6:strcasecmp) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2bcd0 (libc.so.6:strcat) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2c2b0 (libc.so.6:rindex) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2e900 (libc.so.6:rawmemchr) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2d1c0 (libc.so.6:mempcpy) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2cff0 (libc.so.6:bcmp) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2c240 (libc.so.6:strncmp) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2bd40 (libc.so.6:strcmp) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2d120 (libc.so.6:memset) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c46b60 (libc.so.6:wcschr) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2c1e0 (libc.so.6:strnlen) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2bdb0 (libc.so.6:strcspn) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2d380 (libc.so.6:strncasecmp) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2bd80 (libc.so.6:strcpy) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2d4c0 (libc.so.6:memcpy@@GLIBC_2.14) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2c2e0 (libc.so.6:strpbrk) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2bd00 (libc.so.6:index) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2c1b0 (libc.so.6:strlen) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c331b0 (libc.so.6:memrchr) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2d3d0 (libc.so.6:strcasecmp_l) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2cfc0 (libc.so.6:memchr) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c47920 (libc.so.6:wcslen) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2c590 (libc.so.6:strspn) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2d300 (libc.so.6:stpncpy) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2d2d0 (libc.so.6:stpcpy) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2e930 (libc.so.6:strchrnul) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2d420 (libc.so.6:strncasecmp_l) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4cff700 (libc.so.6:__strrchr_avx2) redirected to 0x48383e0 (rindex)
--80146-- REDIR: 0x4cff8d0 (libc.so.6:__strlen_avx2) redirected to 0x48389a0 (strlen)
--80146-- REDIR: 0x4c285c0 (libc.so.6:malloc) redirected to 0x4835750 (malloc)
--80146-- REDIR: 0x4cecc90 (libc.so.6:__strcpy_ssse3) redirected to 0x4838a80 (strcpy)
--80146-- REDIR: 0x4cdb0a0 (libc.so.6:__strcmp_ssse3) redirected to 0x4839a50 (strcmp)
--80146-- REDIR: 0x4c28c50 (libc.so.6:free) redirected to 0x4836980 (free)
--80146-- REDIR: 0x4cffe10 (libc.so.6:__memcpy_avx_unaligned_erms) redirected to 0x483c390 (memmove)
--80146-- REDIR: 0x4cff510 (libc.so.6:__strchrnul_avx2) redirected to 0x483ccd0 (strchrnul)
--80146-- REDIR: 0x4cffdf0 (libc.so.6:__mempcpy_avx_unaligned_erms) redirected to 0x483cde0 (mempcpy)
warning: trailing garbage in marker segment (15 bytes)
warning: trailing garbage in marker segment (35 bytes)
warning: ignoring unknown marker segment (0xff78)
type = 0xff78 (UNKNOWN); len = 38;32 00 04 32 32 32 16 46 25 25 25 25 3c 25 25 12 00 02 25 ff ff ff ff ff ff ff 39 38 38 20 ff ff ff 25 25 80 warning: trailing garbage in marker segment (53 bytes)
warning: trailing garbage in marker segment (6 bytes)
--80146-- REDIR: 0x4d00290 (libc.so.6:__memset_avx2_unaligned_erms) redirected to 0x483c280 (memset)
==80146==
==80146== Process terminating with default action of signal 6 (SIGABRT)
==80146== at 0x4BDAF3B: raise (raise.c:51)
==80146== by 0x4BDC2F0: abort (abort.c:79)
==80146== by 0x484FA18: jpc_dec_process_sot.cold.16 (jpc_dec.c:488)
==80146== by 0x490E3E0: jpc_dec_decode (jpc_dec.c:424)
==80146== by 0x490E3E0: jpc_decode (jpc_dec.c:261)
==80146== by 0x48AA033: jas_image_decode (jas_image.c:442)
==80146== by 0x10A7E3: main (jasper.c:236)
==80146==
==80146== HEAP SUMMARY:
==80146== in use at exit: 38,186 bytes in 62 blocks
==80146== total heap usage: 151 allocs, 89 frees, 182,091 bytes allocated
==80146==
==80146== Searching for pointers to 62 not-freed blocks
==80146== Checked 125,920 bytes
==80146==
==80146== 14 bytes in 1 blocks are definitely lost in loss record 24 of 58
==80146== at 0x48357BF: malloc (vg_replace_malloc.c:299)
==80146== by 0x48B8177: jas_malloc (jas_malloc.c:241)
==80146== by 0x48F7938: jpc_unk_getparms (jpc_cs.c:1554)
==80146== by 0x48FA9FA: jpc_getms (jpc_cs.c:280)
==80146== by 0x490E1AB: jpc_dec_decode (jpc_dec.c:406)
==80146== by 0x490E1AB: jpc_decode (jpc_dec.c:261)
==80146== by 0x48AA033: jas_image_decode (jas_image.c:442)
==80146== by 0x10A7E3: main (jasper.c:236)
==80146==
==80146== LEAK SUMMARY:
==80146== definitely lost: 14 bytes in 1 blocks
==80146== indirectly lost: 0 bytes in 0 blocks
==80146== possibly lost: 0 bytes in 0 blocks
==80146== still reachable: 38,172 bytes in 61 blocks
==80146== suppressed: 0 bytes in 0 blocks
==80146== Reachable blocks (those to which a pointer was found) are not shown.
==80146== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==80146==
==80146== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
==80146== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Aborted

root@kali:~/jasper/outputFuzz/crashes# jasper --input id:000014,sig:06,src:001393,op:havoc,rep:16 --output test.bmp --output-format bmp
warning: trailing garbage in marker segment (15 bytes)
warning: trailing garbage in marker segment (35 bytes)
warning: ignoring unknown marker segment (0xff78)
type = 0xff78 (UNKNOWN); len = 38;32 00 04 32 32 32 16 46 25 25 25 25 3c 25 25 12 00 02 25 ff ff ff ff ff ff ff 39 38 38 20 ff ff ff 25 25 80 warning: trailing garbage in marker segment (53 bytes)
warning: trailing garbage in marker segment (6 bytes)
Aborted

Attached the PoC: poc.zip

Version
jasper-2.0.14

Found by: TAN JIE
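The report above shows the shape of this class of bug: a block allocated while parsing an unknown marker segment (jas_malloc via jpc_unk_getparms) is "definitely lost" because decoding is aborted in jpc_dec_process_sot before anything that owned the block could release it. The following is an added illustration written for this page, not JasPer's code: a toy marker-segment reader with a leaky decode loop next to a fixed one. The stream layout (2-byte marker, 2-byte length that counts itself, payload), the marker values, the "SOT" length rule and the function names are all hypothetical; the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Wrap malloc/free so a test can count blocks that are never released
   (the toy equivalent of valgrind's "in use at exit"). */
static int live_blocks = 0;
static void *counted_malloc(size_t n) { void *p = malloc(n); if (p) live_blocks++; return p; }
static void counted_free(void *p) { if (p) { live_blocks--; free(p); } }

typedef struct {
    uint8_t *unk_data;   /* heap copy of the last unknown marker's payload */
    size_t   unk_len;
} decoder_state;

/* Parse the 4-byte header of the segment at pos; returns payload length or -1
   if the header is truncated or the declared length runs past the buffer. */
static long read_header(const uint8_t *buf, size_t buflen, size_t pos, uint16_t *id) {
    if (pos + 4 > buflen) return -1;
    *id = (uint16_t)((buf[pos] << 8) | buf[pos + 1]);
    size_t lenfield = (size_t)((buf[pos + 2] << 8) | buf[pos + 3]);
    if (lenfield < 2 || pos + 2 + lenfield > buflen) return -1;
    return (long)(lenfield - 2);
}

/* Unknown marker: keep a heap copy of its payload in the decoder state.
   This models the allocation the report attributes to jpc_unk_getparms. */
static int keep_unknown(decoder_state *st, const uint8_t *payload, size_t len) {
    counted_free(st->unk_data);
    st->unk_data = counted_malloc(len ? len : 1);
    if (!st->unk_data) return -1;
    memcpy(st->unk_data, payload, len);
    st->unk_len = len;
    return 0;
}

#define MARKER_SOT 0xff90  /* hypothetical "start of tile" marker */

/* Leaky variant: a malformed SOT-like segment makes the loop bail out with an
   early return. The payload owned by the stack-local state is orphaned, which
   is exactly what valgrind classifies as "definitely lost". */
static int decode_leaky(const uint8_t *buf, size_t buflen) {
    decoder_state st = {0};
    size_t pos = 0;
    while (pos < buflen) {
        uint16_t id;
        long len = read_header(buf, buflen, pos, &id);
        if (len < 0) return -1;                       /* BUG: st.unk_data leaks */
        const uint8_t *payload = buf + pos + 4;
        if (id == MARKER_SOT) {
            if (len < 8) return -1;                   /* BUG: st.unk_data leaks */
        } else if (keep_unknown(&st, payload, (size_t)len) != 0) {
            return -1;
        }
        pos += 4 + (size_t)len;
    }
    counted_free(st.unk_data);
    return 0;
}

/* Fixed variant: a single exit path releases whatever the state owns, and
   malformed input is reported as an error instead of ending the process. */
static int decode_fixed(const uint8_t *buf, size_t buflen) {
    decoder_state st = {0};
    size_t pos = 0;
    int rc = 0;
    while (pos < buflen) {
        uint16_t id;
        long len = read_header(buf, buflen, pos, &id);
        if (len < 0) { rc = -1; goto cleanup; }
        const uint8_t *payload = buf + pos + 4;
        if (id == MARKER_SOT) {
            if (len < 8) { rc = -1; goto cleanup; }
        } else if (keep_unknown(&st, payload, (size_t)len) != 0) {
            rc = -1; goto cleanup;
        }
        pos += 4 + (size_t)len;
    }
cleanup:
    counted_free(st.unk_data);
    return rc;
}

/* Constructed sample: unknown marker 0xff78 with a 4-byte payload, followed by
   a SOT-like segment whose 2-byte payload is shorter than the toy rule allows. */
static const uint8_t bad_stream[] = {
    0xff, 0x78, 0x00, 0x06, 0xde, 0xad, 0xbe, 0xef,
    0xff, 0x90, 0x00, 0x04, 0x00, 0x01,
};

/* Run a decoder over bad_stream; return how many heap blocks it left live. */
static int blocks_left_live(int (*decoder)(const uint8_t *, size_t)) {
    live_blocks = 0;
    (void)decoder(bad_stream, sizeof bad_stream);
    return live_blocks;
}
```

Two points the toy makes for triage of reports like the one above. First, "definitely lost" means no live pointer reaches the block, so look for the last owner (here the stack-local state) and the early-exit path that discarded it; "still reachable" blocks, 61 of them here, are usually global decoder state that an abort merely skipped tearing down. Second, a decoder that ends the process on malformed input (the SIGABRT in the trace) turns every such bug into a crash on attacker-controlled files, so the fix is both to free on every path and to return an error to the caller.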

@magicSwordsMan magicSwordsMan changed the title memory leak memory leak detected Nov 9, 2018
@carnil

carnil commented Nov 10, 2018

This issue has been assigned CVE-2018-19139

@apoleon

apoleon commented Jan 3, 2019

After applying my patches I cannot reproduce the memory leak with valgrind anymore. See #182

@apoleon

apoleon commented Jan 3, 2019

Correction. This one is still reproducible. I forgot to disable ASAN again.

@MaxKellermann
Contributor

Since this project has been mostly dead for several years, we created a fork which aims to fix all vulnerabilities (of which there are many).
This bug will be fixed by jasper-maint/jasper#38 (merge pending)

@jubalh jubalh closed this as completed Jul 28, 2020