Skip to content

heap-based buffer overflow in jas_image_chclrspc(jas_image.c) #147

Closed
@Twi1ight

Description

@Twi1ight

A heap overflow is found in jasper, and the tested commit is 806750f

#jasper # -f crash-mif-ras-heap-over-read -t mif -T ras -F 1 -S
out-of-bounds read in src/libjasper/base/jas_image.c:1259
==42283==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000003f0 at pc 0x0000005522aa bp 0x7fffffffd680 sp 0x7fffffffd678
READ of size 8 at 0x6020000003f0 thread T0
    #0 0x5522a9 in jas_image_ishomosamp /jasper/src/libjasper/base/jas_image.c:1259:10
    #1 0x552883 in jas_image_chclrspc /jasper/src/libjasper/base/jas_image.c:1452:7
    #2 0x514f1a in main /jasper/src/appl/jasper.c:266:20
    #3 0x7ffff6c96f44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287
    #4 0x41fd2b in _start (/jasper/tmp/src/appl/jasper+0x41fd2b)

0x6020000003f1 is located 0 bytes to the right of 1-byte region [0x6020000003f0,0x6020000003f1)
allocated by thread T0 here:
    #0 0x4ddfc8 in malloc (/jasper/tmp/src/appl/jasper+0x4ddfc8)
    #1 0x556bb7 in jas_malloc /jasper/src/libjasper/base/jas_malloc.c:241:11
    #2 0x556f8b in jas_alloc2 /jasper/src/libjasper/base/jas_malloc.c:274:9
    #3 0x542b8e in jas_image_growcmpts /jasper/src/libjasper/base/jas_image.c:889:32
    #4 0x5426e4 in jas_image_copy /jasper/src/libjasper/base/jas_image.c:237:6
    #5 0x552840 in jas_image_chclrspc /jasper/src/libjasper/base/jas_image.c:1448:18
    #6 0x514f1a in main /jasper/src/appl/jasper.c:266:20
    #7 0x7ffff6c96f44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-buffer-overflow /jasper/src/libjasper/base/jas_image.c:1259:10 in jas_image_ishomosamp
Shadow bytes around the buggy address:
  0x0c047fff8020: fa fa 04 fa fa fa 04 fa fa fa 04 fa fa fa 04 fa
  0x0c047fff8030: fa fa 04 fa fa fa 04 fa fa fa 04 fa fa fa 04 fa
  0x0c047fff8040: fa fa 04 fa fa fa 04 fa fa fa 04 fa fa fa 04 fa
  0x0c047fff8050: fa fa fd fa fa fa fd fa fa fa fd fd fa fa 01 fa
  0x0c047fff8060: fa fa 01 fa fa fa 01 fa fa fa 01 fa fa fa fd fd
=>0x0c047fff8070: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa[01]fa
  0x0c047fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

According to the output by AddressSanitizer, I try to analyse with gdb.
by set breadpoint at jas_image_copy

Breakpoint 1, jas_image_copy (image=0x0) at jasper/src/libjasper/base/jas_image.c:229
229	{
(gdb) n
233		if (!(newimage = jas_image_create0())) {
(gdb) n 
237		if (jas_image_growcmpts(newimage, image->numcmpts_)) {
(gdb) p *image 
$5 = {tlx_ = 0, tly_ = 0, brx_ = 0, bry_ = 0, numcmpts_ = 0, maxcmpts_ = 0, cmpts_ = 0x0, clrspc_ = 16384, cmprof_ = 0x0}

as we can see, the image->numcmpts_ is 0, and image->cmpts_ is 0 too.
in jas_image_growcmpts, newcmpts is alloc according the image->numcmpts_ which is 0.
finnaly alloced by pass 0 to malloc which will return a heap address. in the later access in jas_image_ishomosamp

int jas_image_ishomosamp(jas_image_t *image)
{
     ......
	hstep = jas_image_cmpthstep(image, 0);

jas_image_cmpthstep defined in src/libjasper/include/jasper/jas_image.h:383

/* Get the horizontal subsampling factor for a component. */
#define	jas_image_cmpthstep(image, cmptno) \
	((image)->cmpts_[cmptno]->hstep_)   //here will cause the heap over read

poc file:
crash-mif-ras-heap-over-read.zip

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions