Description
version: 2.0.12 (the ASan build referenced by the paths in the trace below)
Summary:
There is an infinite loop in jpc_dec_tileinit() in src/libjasper/jpc/jpc_dec.c of JasPer: decoding the attached POC10 with imginfo does not terminate.
Description:
$ ./imginfo -f POC10
...
The gdb debugging information is listed below:
(gdb) set args POC10
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/icy/real/jasper-2.0.12-asan/install/src/appl/imginfo -f fuzz/output/hangs/id:000000,src:001028,op:flip4,pos:180
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
warning: trailing garbage in marker segment (8 bytes)
Breakpoint 2, jpc_dec_tileinit (dec=0x611000009f00, tile=)
at /home/icy/real/jasper-2.0.12-asan/src/libjasper/jpc/jpc_dec.c:893
893 cblkcnt > 0;) {
(gdb) bt
#0 jpc_dec_tileinit (dec=0x611000009f00, tile=)
at /home/icy/real/jasper-2.0.12-asan/src/libjasper/jpc/jpc_dec.c:893
#1 jpc_dec_process_sod (dec=, ms=)
at /home/icy/real/jasper-2.0.12-asan/src/libjasper/jpc/jpc_dec.c:594
#2 0x00007ffff7ad10e3 in jpc_dec_decode (dec=)
at /home/icy/real/jasper-2.0.12-asan/src/libjasper/jpc/jpc_dec.c:425
#3 jpc_decode (in=, optstr=)
at /home/icy/real/jasper-2.0.12-asan/src/libjasper/jpc/jpc_dec.c:262
#4 0x00007ffff7a5d24e in jas_image_decode (in=, fmt=, optstr=)
at /home/icy/real/jasper-2.0.12-asan/src/libjasper/base/jas_image.c:444
#5 0x00000000004eaf7a in main (argc=, argv=)
at /home/icy/real/jasper-2.0.12-asan/src/appl/imginfo.c:238
(gdb) list
890 cblkxstart = cbgxstart;
891 cblkystart = cbgystart;
892 for (cblkcnt = prc->numcblks, cblk = prc->cblks;
893 cblkcnt > 0;) {
894 cblkxend = cblkxstart + (1 << rlvl->cblkwidthexpn);
895 cblkyend = cblkystart + (1 << rlvl->cblkheightexpn);
896 tmpxstart = JAS_MAX(cblkxstart, prc->xstart);
897 tmpystart = JAS_MAX(cblkystart, prc->ystart);
(gdb)
898 tmpxend = JAS_MIN(cblkxend, prc->xend);
899 tmpyend = JAS_MIN(cblkyend, prc->yend);
...
916 jas_seq2d_bindsub(cblk->data, band->data,
917 tmpxstart, tmpystart, tmpxend, tmpyend);
918 ++cblk;
919 --cblkcnt;
920 }
Triggered in:
jpc_dec_tileinit (dec=0x611000009f00, tile=)
at /home/icy/real/jasper-2.0.12-asan/src/libjasper/jpc/jpc_dec.c:893
893 cblkcnt > 0;) {
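Before taking an interactive trace like the one above, a finding from a fuzzer's hangs/ directory is worth classifying in batch: the fuzzer's hang budget is short, so a slow but finite decode lands there alongside a real infinite loop, and an ASan-built target reports memory errors by exiting rather than by crashing. The helper below is an added example for this report, not code from JasPer or from the original report. It assumes GNU coreutils `timeout`, and the `./imginfo -f POC10` invocation in the trailing comment is a placeholder for the command under test.

```shell
#!/bin/sh
# Added triage helper, not from the original report or from JasPer.
# Assumes GNU coreutils `timeout`. Runs a fuzzer finding under a time
# budget and classifies the result from the exit status:
#   124       timeout fired              -> "hang"
#   129..255  killed by signal (N-128)   -> "crash:signal=N"
#   1..123    exited with an error code  -> "error:exit=N"
#             (an ASan build exits 1 when it reports a memory error,
#             so an ASan report shows up here, not as a crash)
#   0         clean run                  -> "ok"
classify_run() {
    limit="$1"; shift
    status=0
    timeout "$limit" "$@" >/dev/null 2>&1 || status=$?
    if [ "$status" -eq 124 ]; then
        echo hang
    elif [ "$status" -gt 128 ]; then
        echo "crash:signal=$((status - 128))"
    elif [ "$status" -ne 0 ]; then
        echo "error:exit=$status"
    else
        echo ok
    fi
}

# Re-run a hang candidate with a much larger budget. A decoder that
# finishes under the long budget was fed slow input, not an infinite
# loop; one that still times out is worth interrupting under gdb and
# inspecting with bt/list, as done above.
confirm_hang() {
    short="$1"; long="$2"; shift 2
    first=$(classify_run "$short" "$@")
    if [ "$first" != hang ]; then
        echo "$first"
        return 0
    fi
    echo "long:$(classify_run "$long" "$@")"
}

# Example invocation (placeholder command; POC10 is the attached sample):
#   confirm_hang 5 120 ./imginfo -f POC10
```

When `confirm_hang` still reports `long:hang` with a generous budget, start the target under gdb as shown above, interrupt it with Ctrl-C once it has been spinning for a while, and use `bt` and `list` to locate the loop; a sample that reports `long:ok` instead should be filed as a performance problem, not an infinite loop.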
Credits:
This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
POC10.zip