heap-based buffer overflow in jas_image_chclrspc(jas_image.c) #147
Comments
This issue has been assigned CVE-2017-14132

Given the analysis above, it seems reasonable to patch this by having

Thanks for the report, I do not understand what in your proof of concept makes "maxcmpts" less than zero.

Since this project has been mostly dead for several years, we created a fork which aims to fix all vulnerabilities (of which there are many).
We merge our changes from jasper-maint/jasper in this repo now.
A heap overflow is found in jasper, and the tested commit is 806750f.
According to the output by AddressSanitizer, I try to analyse with gdb
by setting a breakpoint at jas_image_copy.
As we can see, image->numcmpts is 0, and image->cmpts is 0 too. In
jas_image_growcmpts, newcmpts is allocated according to image->numcmpts, which is 0. Finally it is allocated by passing 0 to malloc, which will return a heap address, for the later access in
jas_image_ishomosamp, jas_image_cmpthstep (defined in src/libjasper/include/jasper/jas_image.h:383).
poc file:
crash-mif-ras-heap-over-read.zip
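As an added illustration, not code from the JasPer project or from this issue, the following C models the pattern the report describes: a component table sized from a zero component count, malloc(0) handing back a non-NULL pointer, and a later cmpts[0] access reading past it. The struct and function names (image_t, cmpt_t, grow_cmpts_unchecked, grow_cmpts_checked, ishomosamp_checked, demo) are hypothetical stand-ins, not JasPer's jas_image_t or its functions; the checked variants show the guard a fix would add, which is to refuse a zero-sized table before allocating it and to refuse to index cmpts[0] when there is no component.

```c
#include <stdlib.h>
#include <stdio.h>

/* Constructed, simplified model of an image with a component table.
 * These are hypothetical names for this example, not JasPer's jas_image_t. */
typedef struct {
    int hstep;
    int vstep;
} cmpt_t;

typedef struct {
    int numcmpts;    /* number of components the table should hold */
    cmpt_t **cmpts;  /* table of numcmpts component pointers */
} image_t;

/* Unchecked pattern: the table is sized from numcmpts as-is.  When
 * numcmpts is 0 this becomes malloc(0), which on glibc returns a
 * non-NULL pointer to a minimal block; any later cmpts[0] access is
 * then an out-of-bounds heap read.  Kept here as the "before" form;
 * nothing below calls it. */
int grow_cmpts_unchecked(image_t *image)
{
    cmpt_t **newcmpts = malloc((size_t)image->numcmpts * sizeof(*newcmpts));
    if (!newcmpts && image->numcmpts != 0)
        return -1;
    image->cmpts = newcmpts;
    return 0;
}

/* Hardened variant: a component table for zero (or negative) components
 * is rejected before any allocation happens. */
static int grow_cmpts_checked(image_t *image)
{
    if (image->numcmpts <= 0)
        return -1;
    cmpt_t **newcmpts = calloc((size_t)image->numcmpts, sizeof(*newcmpts));
    if (!newcmpts)
        return -1;
    image->cmpts = newcmpts;
    return 0;
}

/* Consumer that, like a homogeneous-sampling check, compares every
 * component's sampling steps against cmpts[0].  Returns 1 when all
 * components match, 0 when they differ, -1 when the table is unusable. */
static int ishomosamp_checked(const image_t *image)
{
    if (image->numcmpts < 1 || image->cmpts == NULL)
        return -1;                       /* nothing to index: refuse */
    for (int i = 0; i < image->numcmpts; ++i)
        if (image->cmpts[i] == NULL)
            return -1;
    int h = image->cmpts[0]->hstep, v = image->cmpts[0]->vstep;
    for (int i = 1; i < image->numcmpts; ++i)
        if (image->cmpts[i]->hstep != h || image->cmpts[i]->vstep != v)
            return 0;
    return 1;
}

/* Builds a small constructed image, runs the checked path, and returns
 * the ishomosamp result (-1 when the zero-component case is refused). */
static int demo(int numcmpts, int hstep_last)
{
    image_t image = { numcmpts, NULL };
    if (grow_cmpts_checked(&image) != 0)
        return -1;
    cmpt_t *storage = calloc((size_t)numcmpts, sizeof(*storage));
    if (!storage) { free(image.cmpts); return -1; }
    for (int i = 0; i < numcmpts; ++i) {
        storage[i].hstep = (i == numcmpts - 1) ? hstep_last : 1;
        storage[i].vstep = 1;
        image.cmpts[i] = &storage[i];
    }
    int r = ishomosamp_checked(&image);
    free(storage);
    free(image.cmpts);
    return r;
}

int main(void)
{
    printf("numcmpts=0 -> %d (refused)\n", demo(0, 1));
    printf("numcmpts=3, homogeneous -> %d\n", demo(3, 1));
    printf("numcmpts=3, mixed -> %d\n", demo(3, 2));
    return 0;
}
```

The point of the checked pair is that the invariant "cmpts has at least one entry" is established where the table is built and re-verified where it is consumed, so a zero component count from a malformed input fails cleanly with an error code instead of reaching the malloc(0) pointer.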