A heap overflow was found in jasper; the tested commit is 806750f.

```
jasper -f crash-mif-ras-heap-over-read -t mif -T ras -F 1 -S
```

Out-of-bounds read in src/libjasper/base/jas_image.c:1259:
```
==42283==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000003f0 at pc 0x0000005522aa bp 0x7fffffffd680 sp 0x7fffffffd678
READ of size 8 at 0x6020000003f0 thread T0
    #0 0x5522a9 in jas_image_ishomosamp /jasper/src/libjasper/base/jas_image.c:1259:10
    #1 0x552883 in jas_image_chclrspc /jasper/src/libjasper/base/jas_image.c:1452:7
    #2 0x514f1a in main /jasper/src/appl/jasper.c:266:20
    #3 0x7ffff6c96f44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287
    #4 0x41fd2b in _start (/jasper/tmp/src/appl/jasper+0x41fd2b)

0x6020000003f1 is located 0 bytes to the right of 1-byte region [0x6020000003f0,0x6020000003f1)
allocated by thread T0 here:
    #0 0x4ddfc8 in malloc (/jasper/tmp/src/appl/jasper+0x4ddfc8)
    #1 0x556bb7 in jas_malloc /jasper/src/libjasper/base/jas_malloc.c:241:11
    #2 0x556f8b in jas_alloc2 /jasper/src/libjasper/base/jas_malloc.c:274:9
    #3 0x542b8e in jas_image_growcmpts /jasper/src/libjasper/base/jas_image.c:889:32
    #4 0x5426e4 in jas_image_copy /jasper/src/libjasper/base/jas_image.c:237:6
    #5 0x552840 in jas_image_chclrspc /jasper/src/libjasper/base/jas_image.c:1448:18
    #6 0x514f1a in main /jasper/src/appl/jasper.c:266:20
    #7 0x7ffff6c96f44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-buffer-overflow /jasper/src/libjasper/base/jas_image.c:1259:10 in jas_image_ishomosamp
Shadow bytes around the buggy address:
  0x0c047fff8020: fa fa 04 fa fa fa 04 fa fa fa 04 fa fa fa 04 fa
  0x0c047fff8030: fa fa 04 fa fa fa 04 fa fa fa 04 fa fa fa 04 fa
  0x0c047fff8040: fa fa 04 fa fa fa 04 fa fa fa 04 fa fa fa 04 fa
  0x0c047fff8050: fa fa fd fa fa fa fd fa fa fa fd fd fa fa 01 fa
  0x0c047fff8060: fa fa 01 fa fa fa 01 fa fa fa 01 fa fa fa fd fd
=>0x0c047fff8070: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa[01]fa
  0x0c047fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
```
Following the AddressSanitizer output, I tried to analyse the crash with gdb by setting a breakpoint at jas_image_copy:

```
Breakpoint 1, jas_image_copy (image=0x0) at jasper/src/libjasper/base/jas_image.c:229
229 {
(gdb) n
233   if (!(newimage = jas_image_create0())) {
(gdb) n
237   if (jas_image_growcmpts(newimage, image->numcmpts_)) {
(gdb) p *image
$5 = {tlx_ = 0, tly_ = 0, brx_ = 0, bry_ = 0, numcmpts_ = 0, maxcmpts_ = 0, cmpts_ = 0x0, clrspc_ = 16384, cmprof_ = 0x0}
```
As we can see, image->numcmpts_ is 0, and image->cmpts_ is 0 too. In jas_image_growcmpts, newcmpts is allocated according to image->numcmpts_, which is 0. So 0 is finally passed to malloc, which will still return a heap address. The later access in jas_image_ishomosamp then reads past it:
```c
int jas_image_ishomosamp(jas_image_t *image)
{
	/* ... */
	hstep = jas_image_cmpthstep(image, 0);
```

jas_image_cmpthstep is defined in src/libjasper/include/jasper/jas_image.h:383:

```c
/* Get the horizontal subsampling factor for a component. */
#define jas_image_cmpthstep(image, cmptno) \
	((image)->cmpts_[cmptno]->hstep_) // here will cause the heap over-read
```
PoC file:
crash-mif-ras-heap-over-read.zip
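As an added illustration (not part of the report and not jasper's own code), a constructed C stand-in replays the sequence above: the zero-component copy yields a malloc(0) region, and a component-count check before the cmpts_[0] read is what keeps jas_image_ishomosamp-style code out of it. The struct and function names are simplified assumptions, not jasper's.

```c
#include <stdlib.h>
/* Constructed stand-ins for the jasper structures in the report; field
   names follow the gdb dump above. Not jasper's own code. */
typedef struct { int hstep_; int vstep_; } cmpt_t;
typedef struct { int numcmpts_; cmpt_t **cmpts_; } image_t;

/* Mirrors the allocation in jas_image_growcmpts: with n == 0 this is
   malloc(0), which may return a non-NULL pointer with no usable bytes,
   so a later cmpts_[0] access is out of bounds. */
static int grow_cmpts(image_t *dst, int n)
{
    cmpt_t **p = malloc((size_t)n * sizeof *p);
    if (!p) return -1;
    dst->cmpts_ = p;
    dst->numcmpts_ = n;
    return 0;
}

/* Hardened jas_image_ishomosamp-style check: reject an image with no
   components before touching cmpts_[0]. Returns 1 if all components
   share the first one's sampling, 0 if not, -1 for an empty image. */
static int ishomosamp_checked(const image_t *image)
{
    if (image->numcmpts_ <= 0 || !image->cmpts_) return -1;
    int hstep = image->cmpts_[0]->hstep_, vstep = image->cmpts_[0]->vstep_;
    for (int i = 1; i < image->numcmpts_; ++i)
        if (image->cmpts_[i]->hstep_ != hstep || image->cmpts_[i]->vstep_ != vstep)
            return 0;
    return 1;
}

/* Replays the report's sequence with constructed components: an image of
   numcmpts components (all 1x1 if homogeneous, else distinct hstep_). */
static int copy_and_check(int numcmpts, int homogeneous)
{
    image_t img = { 0, NULL };
    cmpt_t *storage = calloc(numcmpts > 0 ? (size_t)numcmpts : 1, sizeof *storage);
    if (!storage) return -2;
    if (grow_cmpts(&img, numcmpts) != 0) { free(storage); return -2; }
    for (int i = 0; i < numcmpts; ++i) {
        storage[i].hstep_ = homogeneous ? 1 : i + 1;
        storage[i].vstep_ = 1;
        img.cmpts_[i] = &storage[i];
    }
    int r = ishomosamp_checked(&img);
    free(img.cmpts_);
    free(storage);
    return r;
}
```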