
Infinite loop in jpc_dec.c of Jasper. #146

Closed
@owl337

Description


version:

Summary:

There is an infinite loop in jpc_dec.c of Jasper.

Description:
$./imginfo -f POC10
...

The gdb debugging information is listed below:
(gdb) set args POC10
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/icy/real/jasper-2.0.12-asan/install/src/appl/imginfo -f fuzz/output/hangs/id:000000,src:001028,op:flip4,pos:180
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
warning: trailing garbage in marker segment (8 bytes)

Breakpoint 2, jpc_dec_tileinit (dec=0x611000009f00, tile=)
at /home/icy/real/jasper-2.0.12-asan/src/libjasper/jpc/jpc_dec.c:893
893 cblkcnt > 0;) {
(gdb) bt
#0 jpc_dec_tileinit (dec=0x611000009f00, tile=)
at /home/icy/real/jasper-2.0.12-asan/src/libjasper/jpc/jpc_dec.c:893
#1 jpc_dec_process_sod (dec=, ms=)
at /home/icy/real/jasper-2.0.12-asan/src/libjasper/jpc/jpc_dec.c:594
#2 0x00007ffff7ad10e3 in jpc_dec_decode (dec=)
at /home/icy/real/jasper-2.0.12-asan/src/libjasper/jpc/jpc_dec.c:425
#3 jpc_decode (in=, optstr=)
at /home/icy/real/jasper-2.0.12-asan/src/libjasper/jpc/jpc_dec.c:262
#4 0x00007ffff7a5d24e in jas_image_decode (in=, fmt=, optstr=)
at /home/icy/real/jasper-2.0.12-asan/src/libjasper/base/jas_image.c:444
#5 0x00000000004eaf7a in main (argc=, argv=)
at /home/icy/real/jasper-2.0.12-asan/src/appl/imginfo.c:238

(gdb) list
890 cblkxstart = cbgxstart;
891 cblkystart = cbgystart;
892 for (cblkcnt = prc->numcblks, cblk = prc->cblks;
893 cblkcnt > 0;) {
894 cblkxend = cblkxstart + (1 << rlvl->cblkwidthexpn);
895 cblkyend = cblkystart + (1 << rlvl->cblkheightexpn);
896 tmpxstart = JAS_MAX(cblkxstart, prc->xstart);
897 tmpystart = JAS_MAX(cblkystart, prc->ystart);
(gdb)
898 tmpxend = JAS_MIN(cblkxend, prc->xend);
899 tmpyend = JAS_MIN(cblkyend, prc->yend);
...
916 jas_seq2d_bindsub(cblk->data, band->data,
917 tmpxstart, tmpystart, tmpxend, tmpyend);
918 ++cblk;
919 --cblkcnt;
920 }

Triggered in:
jpc_dec_tileinit (dec=0x611000009f00, tile=)
at /home/icy/real/jasper-2.0.12-asan/src/libjasper/jpc/jpc_dec.c:893
893 cblkcnt > 0;) {

Credits:

This vulnerability was detected by team OWL337 with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
POC10.zip
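The loop quoted in the listing decrements cblkcnt on every pass, so by itself it can only run as many times as prc->numcblks says; the report does not state what value that field held for POC10. The following is an added example, not JasPer's code and not part of this issue: it reimplements the walk with simplified structs (field names follow the listing; the advance step, which the listing elides between lines 899 and 916, is assumed) and puts a guard in front of it that refuses to iterate when numcblks disagrees with the precinct geometry or exceeds a caller-supplied budget, so a code-block count large enough to behave like a hang is rejected before the loop starts. Whether JasPer derives numcblks from the same geometry is not shown on this page; expected_numcblks, walk_cblks and demo_case are names chosen here, and the inputs in main() are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not JasPer's code. Models the code-block walk quoted from
 * jpc_dec_tileinit() with simplified structs; field names follow the listing,
 * the up-front guard is hypothetical. */

#define JAS_MAX(a, b) ((a) > (b) ? (a) : (b))
#define JAS_MIN(a, b) ((a) < (b) ? (a) : (b))

typedef struct {
    int64_t xstart, ystart, xend, yend; /* precinct rectangle */
    int64_t numcblks;                   /* code-block count the loop trusts */
} prc_t;

typedef struct {
    int cblkwidthexpn, cblkheightexpn;  /* code-block size is 1 << expn */
} rlvl_t;

static int64_t floor_pow2(int64_t v, int e) { return v >> e; }
static int64_t ceil_pow2(int64_t v, int e)  { return (v + ((int64_t)1 << e) - 1) >> e; }

/* Code blocks that intersect the precinct, from geometry alone; -1 if the
 * geometry is nonsensical. Assumes 32-bit non-negative coordinates, so the
 * product below cannot overflow int64_t. */
int64_t expected_numcblks(const prc_t *prc, const rlvl_t *rlvl)
{
    if (prc->xstart < 0 || prc->ystart < 0 ||
        prc->xend < prc->xstart || prc->yend < prc->ystart ||
        prc->xend > INT32_MAX || prc->yend > INT32_MAX)
        return -1;
    if (rlvl->cblkwidthexpn < 0 || rlvl->cblkwidthexpn > 30 ||
        rlvl->cblkheightexpn < 0 || rlvl->cblkheightexpn > 30)
        return -1;
    if (prc->xend == prc->xstart || prc->yend == prc->ystart)
        return 0;
    int64_t nx = ceil_pow2(prc->xend, rlvl->cblkwidthexpn) -
                 floor_pow2(prc->xstart, rlvl->cblkwidthexpn);
    int64_t ny = ceil_pow2(prc->yend, rlvl->cblkheightexpn) -
                 floor_pow2(prc->ystart, rlvl->cblkheightexpn);
    return nx * ny;
}

/* The listed loop with an assumed advance step (next column, wrap to the next
 * row at the precinct edge), preceded by a guard: refuse to iterate when
 * numcblks does not match the geometry or exceeds max_cblks. Returns the number
 * of non-empty code-block rectangles visited, or -1 when refused. */
int64_t walk_cblks(const prc_t *prc, const rlvl_t *rlvl, int64_t max_cblks)
{
    int64_t want = expected_numcblks(prc, rlvl);
    if (want < 0 || want != prc->numcblks || want > max_cblks)
        return -1;
    int64_t cw = (int64_t)1 << rlvl->cblkwidthexpn;
    int64_t ch = (int64_t)1 << rlvl->cblkheightexpn;
    /* cbgxstart/cbgystart: precinct origin rounded down to the block grid */
    int64_t cbgxstart = floor_pow2(prc->xstart, rlvl->cblkwidthexpn) * cw;
    int64_t cbgystart = floor_pow2(prc->ystart, rlvl->cblkheightexpn) * ch;
    int64_t cblkxstart = cbgxstart, cblkystart = cbgystart, bound = 0;
    for (int64_t cblkcnt = prc->numcblks; cblkcnt > 0;) {
        int64_t cblkxend = cblkxstart + cw;
        int64_t cblkyend = cblkystart + ch;
        int64_t tmpxstart = JAS_MAX(cblkxstart, prc->xstart);
        int64_t tmpystart = JAS_MAX(cblkystart, prc->ystart);
        int64_t tmpxend = JAS_MIN(cblkxend, prc->xend);
        int64_t tmpyend = JAS_MIN(cblkyend, prc->yend);
        if (tmpxend > tmpxstart && tmpyend > tmpystart)
            ++bound;                    /* stands in for jas_seq2d_bindsub() */
        cblkxstart = cblkxend;          /* next column ... */
        if (cblkxstart >= prc->xend) {  /* ... or next row at the precinct edge */
            cblkxstart = cbgxstart;
            cblkystart = cblkyend;
        }
        --cblkcnt;
    }
    return bound;
}

/* Convenience wrapper: build one case and run the guarded walk. */
int64_t demo_case(int64_t xs, int64_t ys, int64_t xe, int64_t ye,
                  int wexpn, int hexpn, int64_t claimed, int64_t max_cblks)
{
    prc_t prc = { xs, ys, xe, ye, claimed };
    rlvl_t rlvl = { wexpn, hexpn };
    return walk_cblks(&prc, &rlvl, max_cblks);
}

int main(void)
{
    /* Constructed inputs. 256x128 precinct, 64x64 blocks: 4x2 = 8 blocks. */
    printf("sane:      %lld\n", (long long)demo_case(0, 0, 256, 128, 6, 6, 8, 1 << 20));
    /* Same precinct, numcblks claims one block too many: refused. */
    printf("mismatch:  %lld\n", (long long)demo_case(0, 0, 256, 128, 6, 6, 9, 1 << 20));
    /* 1x1 blocks over a 2^20 x 2^20 precinct: 2^40 iterations, refused by budget. */
    printf("hang-size: %lld\n", (long long)demo_case(0, 0, 1 << 20, 1 << 20, 0, 0,
                                                     (int64_t)1 << 40, 1 << 20));
    return 0;
}
```

The third case is the one worth noting: its numcblks is consistent with the geometry, so a count-versus-geometry check alone would let it through, and only the iteration budget stops a walk that would take effectively forever.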
