-
Notifications
You must be signed in to change notification settings - Fork 102
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
memory leak detected #188
Comments
This issue has been assigned CVE-2018-19139 |
After applying my patches I cannot reproduce the memory leak with valgrind anymore. See |
Correction. This one is still reproducible. I forgot to disable ASAN again. |
Since this project has been mostly dead for several years, we created a fork which aims to fix all vulnerabilities (of which there are many). |
Hello jasper team,
I have identified an issue affecting jasper by using AFL fuzz.
root@kali:~/jasper/outputFuzz/crashes# valgrind -v --tool=memcheck --leak-check=full jasper --input id:000014,sig:06,src:001393,op:havoc,rep:16 --output test.bmp --output-format bmp
==80146== Memcheck, a memory error detector
==80146== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==80146== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==80146== Command: jasper --input id:000014,sig:06,src:001393,op:havoc,rep:16 --output test.bmp --output-format bmp
==80146==
--80146-- Valgrind options:
--80146-- -v
--80146-- --tool=memcheck
--80146-- --leak-check=full
--80146-- Contents of /proc/version:
--80146-- Linux version 4.17.0-kali1-amd64 (devel@kali.org) (gcc version 7.3.0 (Debian 7.3.0-25)) #1 SMP Debian 4.17.8-1kali1 (2018-07-24)
--80146--
--80146-- Arch and hwcaps: AMD64, LittleEndian, amd64-cx16-lzcnt-rdtscp-sse3-avx-avx2-bmi
--80146-- Page sizes: currently 4096, max supported 4096
--80146-- Valgrind library directory: /usr/lib/valgrind
--80146-- Reading syms from /usr/local/bin/jasper
--80146-- Reading syms from /usr/lib/x86_64-linux-gnu/ld-2.27.so
--80146-- Considering /usr/lib/debug/.build-id/dc/5cb16f5e644116cac64a4c3f5da4d081b81a4f.debug ..
--80146-- .. build-id is valid
--80146-- Reading syms from /usr/lib/valgrind/memcheck-amd64-linux
--80146-- Considering /usr/lib/valgrind/memcheck-amd64-linux ..
--80146-- .. CRC mismatch (computed 7680f3df wanted 92e0f93c)
--80146-- Considering /usr/lib/debug/usr/lib/valgrind/memcheck-amd64-linux ..
--80146-- .. CRC is valid
--80146-- object doesn't have a dynamic symbol table
--80146-- Scheduler: using generic scheduler lock implementation.
--80146-- Reading suppressions file: /usr/lib/valgrind/default.supp
==80146== embedded gdbserver: reading from /tmp/vgdb-pipe-from-vgdb-to-80146-by-root-on-???
==80146== embedded gdbserver: writing to /tmp/vgdb-pipe-to-vgdb-from-80146-by-root-on-???
==80146== embedded gdbserver: shared mem /tmp/vgdb-pipe-shared-mem-vgdb-80146-by-root-on-???
==80146==
==80146== TO CONTROL THIS PROCESS USING vgdb (which you probably
==80146== don't want to do, unless you know exactly what you're doing,
==80146== or are doing some strange experiment):
==80146== /usr/lib/valgrind/../../bin/vgdb --pid=80146 ...command...
==80146==
==80146== TO DEBUG THIS PROCESS USING GDB: start GDB like this
==80146== /path/to/gdb jasper
==80146== and then give GDB the following command
==80146== target remote | /usr/lib/valgrind/../../bin/vgdb --pid=80146
==80146== --pid is optional if only one valgrind process is running
==80146==
--80146-- REDIR: 0x401e290 (ld-linux-x86-64.so.2:strlen) redirected to 0x58061781 (vgPlain_amd64_linux_REDIR_FOR_strlen)
--80146-- REDIR: 0x401e070 (ld-linux-x86-64.so.2:index) redirected to 0x5806179b (vgPlain_amd64_linux_REDIR_FOR_index)
--80146-- Reading syms from /usr/lib/valgrind/vgpreload_core-amd64-linux.so
--80146-- Considering /usr/lib/valgrind/vgpreload_core-amd64-linux.so ..
--80146-- .. CRC mismatch (computed 66a2a561 wanted 3789c7eb)
--80146-- Considering /usr/lib/debug/usr/lib/valgrind/vgpreload_core-amd64-linux.so ..
--80146-- .. CRC is valid
--80146-- Reading syms from /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so
--80146-- Considering /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so ..
--80146-- .. CRC mismatch (computed 8487a070 wanted 8af30a91)
--80146-- Considering /usr/lib/debug/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so ..
--80146-- .. CRC is valid
==80146== WARNING: new redirection conflicts with existing -- ignoring it
--80146-- old: 0x0401e290 (strlen ) R-> (0000.0) 0x58061781 vgPlain_amd64_linux_REDIR_FOR_strlen
--80146-- new: 0x0401e290 (strlen ) R-> (2007.0) 0x04838a60 strlen
--80146-- REDIR: 0x401aab0 (ld-linux-x86-64.so.2:strcmp) redirected to 0x4839b90 (strcmp)
--80146-- REDIR: 0x401e7d0 (ld-linux-x86-64.so.2:mempcpy) redirected to 0x483d1a0 (mempcpy)
--80146-- Reading syms from /usr/local/lib/libjasper.so.4.0.0
--80146-- Reading syms from /usr/lib/x86_64-linux-gnu/libm-2.27.so
--80146-- Considering /usr/lib/debug/.build-id/fa/b2857727406caccd7ab22e1729b09ccf2c3eb7.debug ..
--80146-- .. build-id is valid
--80146-- Reading syms from /usr/lib/x86_64-linux-gnu/libc-2.27.so
--80146-- Considering /usr/lib/debug/.build-id/dc/87cd1e2b171a4c51139cb4e1f2ec630e711de3.debug ..
--80146-- .. build-id is valid
--80146-- REDIR: 0x4c2d050 (libc.so.6:memmove) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2c280 (libc.so.6:strncpy) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2d330 (libc.so.6:strcasecmp) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2bcd0 (libc.so.6:strcat) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2c2b0 (libc.so.6:rindex) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2e900 (libc.so.6:rawmemchr) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2d1c0 (libc.so.6:mempcpy) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2cff0 (libc.so.6:bcmp) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2c240 (libc.so.6:strncmp) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2bd40 (libc.so.6:strcmp) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2d120 (libc.so.6:memset) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c46b60 (libc.so.6:wcschr) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2c1e0 (libc.so.6:strnlen) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2bdb0 (libc.so.6:strcspn) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2d380 (libc.so.6:strncasecmp) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2bd80 (libc.so.6:strcpy) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2d4c0 (libc.so.6:memcpy@@GLIBC_2.14) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2c2e0 (libc.so.6:strpbrk) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2bd00 (libc.so.6:index) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2c1b0 (libc.so.6:strlen) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c331b0 (libc.so.6:memrchr) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2d3d0 (libc.so.6:strcasecmp_l) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2cfc0 (libc.so.6:memchr) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c47920 (libc.so.6:wcslen) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2c590 (libc.so.6:strspn) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2d300 (libc.so.6:stpncpy) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2d2d0 (libc.so.6:stpcpy) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2e930 (libc.so.6:strchrnul) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4c2d420 (libc.so.6:strncasecmp_l) redirected to 0x482b1c0 (_vgnU_ifunc_wrapper)
--80146-- REDIR: 0x4cff700 (libc.so.6:__strrchr_avx2) redirected to 0x48383e0 (rindex)
--80146-- REDIR: 0x4cff8d0 (libc.so.6:__strlen_avx2) redirected to 0x48389a0 (strlen)
--80146-- REDIR: 0x4c285c0 (libc.so.6:malloc) redirected to 0x4835750 (malloc)
--80146-- REDIR: 0x4cecc90 (libc.so.6:__strcpy_ssse3) redirected to 0x4838a80 (strcpy)
--80146-- REDIR: 0x4cdb0a0 (libc.so.6:__strcmp_ssse3) redirected to 0x4839a50 (strcmp)
--80146-- REDIR: 0x4c28c50 (libc.so.6:free) redirected to 0x4836980 (free)
--80146-- REDIR: 0x4cffe10 (libc.so.6:__memcpy_avx_unaligned_erms) redirected to 0x483c390 (memmove)
--80146-- REDIR: 0x4cff510 (libc.so.6:__strchrnul_avx2) redirected to 0x483ccd0 (strchrnul)
--80146-- REDIR: 0x4cffdf0 (libc.so.6:__mempcpy_avx_unaligned_erms) redirected to 0x483cde0 (mempcpy)
warning: trailing garbage in marker segment (15 bytes)
warning: trailing garbage in marker segment (35 bytes)
warning: ignoring unknown marker segment (0xff78)
type = 0xff78 (UNKNOWN); len = 38;32 00 04 32 32 32 16 46 25 25 25 25 3c 25 25 12 00 02 25 ff ff ff ff ff ff ff 39 38 38 20 ff ff ff 25 25 80 warning: trailing garbage in marker segment (53 bytes)
warning: trailing garbage in marker segment (6 bytes)
--80146-- REDIR: 0x4d00290 (libc.so.6:__memset_avx2_unaligned_erms) redirected to 0x483c280 (memset)
==80146==
==80146== Process terminating with default action of signal 6 (SIGABRT)
==80146== at 0x4BDAF3B: raise (raise.c:51)
==80146== by 0x4BDC2F0: abort (abort.c:79)
==80146== by 0x484FA18: jpc_dec_process_sot.cold.16 (jpc_dec.c:488)
==80146== by 0x490E3E0: jpc_dec_decode (jpc_dec.c:424)
==80146== by 0x490E3E0: jpc_decode (jpc_dec.c:261)
==80146== by 0x48AA033: jas_image_decode (jas_image.c:442)
==80146== by 0x10A7E3: main (jasper.c:236)
==80146==
==80146== HEAP SUMMARY:
==80146== in use at exit: 38,186 bytes in 62 blocks
==80146== total heap usage: 151 allocs, 89 frees, 182,091 bytes allocated
==80146==
==80146== Searching for pointers to 62 not-freed blocks
==80146== Checked 125,920 bytes
==80146==
==80146== 14 bytes in 1 blocks are definitely lost in loss record 24 of 58
==80146== at 0x48357BF: malloc (vg_replace_malloc.c:299)
==80146== by 0x48B8177: jas_malloc (jas_malloc.c:241)
==80146== by 0x48F7938: jpc_unk_getparms (jpc_cs.c:1554)
==80146== by 0x48FA9FA: jpc_getms (jpc_cs.c:280)
==80146== by 0x490E1AB: jpc_dec_decode (jpc_dec.c:406)
==80146== by 0x490E1AB: jpc_decode (jpc_dec.c:261)
==80146== by 0x48AA033: jas_image_decode (jas_image.c:442)
==80146== by 0x10A7E3: main (jasper.c:236)
==80146==
==80146== LEAK SUMMARY:
==80146== definitely lost: 14 bytes in 1 blocks
==80146== indirectly lost: 0 bytes in 0 blocks
==80146== possibly lost: 0 bytes in 0 blocks
==80146== still reachable: 38,172 bytes in 61 blocks
==80146== suppressed: 0 bytes in 0 blocks
==80146== Reachable blocks (those to which a pointer was found) are not shown.
==80146== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==80146==
==80146== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
==80146== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Aborted
root@kali:~/jasper/outputFuzz/crashes# jasper --input id:000014,sig:06,src:001393,op:havoc,rep:16 --output test.bmp --output-format bmp
warning: trailing garbage in marker segment (15 bytes)
warning: trailing garbage in marker segment (35 bytes)
warning: ignoring unknown marker segment (0xff78)
type = 0xff78 (UNKNOWN); len = 38;32 00 04 32 32 32 16 46 25 25 25 25 3c 25 25 12 00 02 25 ff ff ff ff ff ff ff 39 38 38 20 ff ff ff 25 25 80 warning: trailing garbage in marker segment (53 bytes)
warning: trailing garbage in marker segment (6 bytes)
Aborted
Attached the POC
poc.zip
Version
jasper-2.0.14
Found by:TAN JIE
The text was updated successfully, but these errors were encountered: