Infinite loop in jpc_dec.c of Jasper. #146
Comments
Please use CVE-2017-14229 for this issue.

FWIW, the attached reproducer does not trigger an infinite loop in my testing. The executed
Also note that the code listing above omits an important part indicating where/why the infinite loop is supposed to happen. It's currently unclear to me if there is a set of input values that would cause the following condition to always be false, and hence trigger an infinite loop.

Adding more details to clarify my previous comment a bit. There's this https://github.com/mdadams/jasper/blob/version-2.0.14/src/libjasper/jpc/jpc_dec.c#L891-L925 Relevant parts of it: The

Please see jasper-maint/jasper#20 (comment)
version:
Summary:
There is an infinite loop in jpc_dec.c of Jasper.
Description:
$ ./imginfo -f POC10
...
The gdb debugging information is listed below:
(gdb) set args POC10
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/icy/real/jasper-2.0.12-asan/install/src/appl/imginfo -f fuzz/output/hangs/id:000000,src:001028,op:flip4,pos:180
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
warning: trailing garbage in marker segment (8 bytes)
Breakpoint 2, jpc_dec_tileinit (dec=0x611000009f00, tile=)
at /home/icy/real/jasper-2.0.12-asan/src/libjasper/jpc/jpc_dec.c:893
893 cblkcnt > 0;) {
(gdb) bt
#0 jpc_dec_tileinit (dec=0x611000009f00, tile=)
at /home/icy/real/jasper-2.0.12-asan/src/libjasper/jpc/jpc_dec.c:893
#1 jpc_dec_process_sod (dec=, ms=)
at /home/icy/real/jasper-2.0.12-asan/src/libjasper/jpc/jpc_dec.c:594
#2 0x00007ffff7ad10e3 in jpc_dec_decode (dec=)
at /home/icy/real/jasper-2.0.12-asan/src/libjasper/jpc/jpc_dec.c:425
#3 jpc_decode (in=, optstr=)
at /home/icy/real/jasper-2.0.12-asan/src/libjasper/jpc/jpc_dec.c:262
#4 0x00007ffff7a5d24e in jas_image_decode (in=, fmt=, optstr=)
at /home/icy/real/jasper-2.0.12-asan/src/libjasper/base/jas_image.c:444
#5 0x00000000004eaf7a in main (argc=, argv=)
at /home/icy/real/jasper-2.0.12-asan/src/appl/imginfo.c:238
(gdb) list
890 cblkxstart = cbgxstart;
891 cblkystart = cbgystart;
892 for (cblkcnt = prc->numcblks, cblk = prc->cblks;
893 cblkcnt > 0;) {
894 cblkxend = cblkxstart + (1 << rlvl->cblkwidthexpn);
895 cblkyend = cblkystart + (1 << rlvl->cblkheightexpn);
896 tmpxstart = JAS_MAX(cblkxstart, prc->xstart);
897 tmpystart = JAS_MAX(cblkystart, prc->ystart);
(gdb)
898 tmpxend = JAS_MIN(cblkxend, prc->xend);
899 tmpyend = JAS_MIN(cblkyend, prc->yend);
...
916 jas_seq2d_bindsub(cblk->data, band->data,
917 tmpxstart, tmpystart, tmpxend, tmpyend);
918 ++cblk;
919 --cblkcnt;
920 }
Triggered in:
jpc_dec_tileinit (dec=0x611000009f00, tile=)
at /home/icy/real/jasper-2.0.12-asan/src/libjasper/jpc/jpc_dec.c:893
893 cblkcnt > 0;) {
Credits:
This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
POC10.zip
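A standalone C model of the loop quoted in the gdb listing above (jpc_dec.c lines 892-920), added here as an example; it is not code from the JasPer project or from this issue's reporter. It assumes what the elided lines 900-915 of jpc_dec_tileinit do: the matrix allocation, the jas_seq2d_bindsub() call and the `++cblk; --cblkcnt;` pair run only when the clipped rectangle (tmpxstart..tmpxend, tmpystart..tmpyend) is non-empty, after which cblkxstart/cblkystart step to the next block of the code-block group. The struct names, the `cbgxend` field, the iteration budget, `reachable_cblks()` and `walk_cblks_checked()` are this example's own inventions, and the JAS_MAX/JAS_MIN macros are redefined locally. With that structure, `cblkcnt` only ever decreases on the non-empty branch, so a geometry that yields fewer intersecting code blocks than `prc->numcblks` leaves the loop with nothing left to count down; whether a real codestream can produce that mismatch is exactly the question raised in the comments above, and the model only shows what the loop does if one does.

```c
/* Model of the code-block enumeration loop in jpc_dec_tileinit (jpc_dec.c
 * 892-920 in the gdb listing).  Added example, not JasPer's code.
 * ASSUMPTION: the body elided at lines 900-915 advances cblk/cblkcnt only
 * when the clipped rectangle is non-empty, then steps to the next block of
 * the code-block group; the real function's matrix allocation and
 * jas_seq2d_bindsub() call are replaced by a counter.  The "cbg" names
 * mirror the cbgxstart/cbgystart locals visible in the listing; cbgxend and
 * the structs below are this example's own. */
#include <stdint.h>
#include <stdio.h>

#define JAS_MAX(a, b) ((a) > (b) ? (a) : (b))   /* local stand-ins */
#define JAS_MIN(a, b) ((a) < (b) ? (a) : (b))

struct prc {                     /* precinct, half-open rectangle */
    uint32_t xstart, ystart, xend, yend;
    uint32_t numcblks;           /* code blocks the decoder expects to bind */
};

struct grid {                    /* code-block group the loop walks */
    uint32_t cbgxstart, cbgystart, cbgxend;
    unsigned cblkwidthexpn, cblkheightexpn;
};

enum { WALK_BUDGET = 100000 };   /* model only; the original loop has no bound */

/* Mirror of the quoted loop.  Returns the number of code blocks bound once
 * cblkcnt reaches 0, or -1 if WALK_BUDGET iterations pass without that
 * happening, i.e. the unbounded original would spin on this geometry. */
long walk_cblks(const struct prc *prc, const struct grid *g)
{
    uint32_t cblkxstart = g->cbgxstart, cblkystart = g->cbgystart;
    uint32_t cblkcnt = prc->numcblks;
    long bound = 0, iters = 0;

    while (cblkcnt > 0) {
        if (++iters > WALK_BUDGET)
            return -1;
        uint32_t cblkxend = cblkxstart + (1u << g->cblkwidthexpn);
        uint32_t cblkyend = cblkystart + (1u << g->cblkheightexpn);
        uint32_t tmpxstart = JAS_MAX(cblkxstart, prc->xstart);
        uint32_t tmpystart = JAS_MAX(cblkystart, prc->ystart);
        uint32_t tmpxend = JAS_MIN(cblkxend, prc->xend);
        uint32_t tmpyend = JAS_MIN(cblkyend, prc->yend);
        if (tmpxend > tmpxstart && tmpyend > tmpystart) {
            ++bound;             /* stands in for bindsub(); ++cblk; */
            --cblkcnt;           /* the only place cblkcnt ever decreases */
        }
        cblkxstart += 1u << g->cblkwidthexpn;
        if (cblkxstart >= g->cbgxend) {      /* end of row: next row of blocks */
            cblkxstart = g->cbgxstart;
            cblkystart += 1u << g->cblkheightexpn;
        }
    }
    return bound;
}

/* How many grid cells the walk can ever bind: same stepping, but a row is
 * not visited once it starts at or below the precinct's bottom edge, since
 * nothing from there on can intersect (the original keeps going). */
long reachable_cblks(const struct prc *prc, const struct grid *g)
{
    long n = 0;
    uint32_t cblkxstart = g->cbgxstart, cblkystart = g->cbgystart;
    while (cblkystart < prc->yend) {
        uint32_t cblkxend = cblkxstart + (1u << g->cblkwidthexpn);
        uint32_t cblkyend = cblkystart + (1u << g->cblkheightexpn);
        if (JAS_MIN(cblkxend, prc->xend) > JAS_MAX(cblkxstart, prc->xstart) &&
            JAS_MIN(cblkyend, prc->yend) > JAS_MAX(cblkystart, prc->ystart))
            ++n;
        cblkxstart += 1u << g->cblkwidthexpn;
        if (cblkxstart >= g->cbgxend) {
            cblkxstart = g->cbgxstart;
            cblkystart += 1u << g->cblkheightexpn;
        }
    }
    return n;
}

/* Hardened form (example only): refuse the precinct before entering the loop
 * if numcblks exceeds what the geometry can supply.  Returns -2 on rejection,
 * otherwise whatever walk_cblks() returns. */
long walk_cblks_checked(const struct prc *prc, const struct grid *g)
{
    if ((long)prc->numcblks > reachable_cblks(prc, g))
        return -2;
    return walk_cblks(prc, g);
}

int main(void)
{
    /* Constructed geometries: 64x64 code blocks in a 128-wide group. */
    struct grid g = { 0, 0, 128, 6, 6 };
    struct prc ok  = { 0, 0, 128, 128, 4 };   /* 2x2 blocks, all intersect */
    struct prc bad = { 0, 0,  64,  64, 4 };   /* only 1 block intersects */
    printf("consistent: bound=%ld\n", walk_cblks(&ok, &g));
    printf("mismatched: bound=%ld (-1 = never terminates)\n", walk_cblks(&bad, &g));
    printf("checked:    %ld (-2 = rejected before the loop)\n",
           walk_cblks_checked(&bad, &g));
    return 0;
}
```

Build with `cc -std=c99 -Wall model.c`. The mismatched case spins in `walk_cblks()` because after the single intersecting block is bound, every further cell clips to an empty rectangle, `cblkcnt` stays at 3, and `cblkystart` just keeps growing; the checked variant turns the same input into a hard error before the loop, which is the shape of fix a decoder wants regardless of how the mismatch arose.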