
10 bugs found by AFLSmart (heap buffer overflows, Null pointer dereference and assertion failures) #182

Closed
thuanpv opened this issue Jul 13, 2018 · 6 comments


@thuanpv thuanpv commented Jul 13, 2018

Hi all,

These bugs were found with AFLSmart, an input-structure aware extension of AFL. Thanks also to Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu.

These bugs were found on Ubuntu 16.04 64-bit -- Jasper revision 573a6e4 (HEAD)

To reproduce:

jasper --input <bug_triggering_file>.jp2 --input-format jp2 --output /dev/null --output-format bmp

Bug triggering files are attached.

Bug-1: Heap Buffer Overflow - Read of size 8 (jasper_bug_1.jp2)

ASAN says:

==58581==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000e9c8 at pc 0x7f888adebb63 bp 0x7ffefa1c9e70 sp 0x7ffefa1c9e60
READ of size 8 at 0x60200000e9c8 thread T0
#0 0x7f888adebb62 in jas_image_depalettize /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:994
#1 0x7f888ae0e0ee in jp2_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:375
#2 0x7f888ade799c in jas_image_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:442
#3 0x40215c in main /home/ubuntu/aflsmart-experiments/jasper-asan/src/appl/jasper.c:236
#4 0x7f888aa0582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#5 0x401948 in _start (/home/ubuntu/aflsmart-experiments/jasper-asan/afl-build/src/appl/jasper+0x401948)

0x60200000e9c8 is located 8 bytes to the left of 1-byte region [0x60200000e9d0,0x60200000e9d1)
allocated by thread T0 here:
#0 0x7f888b1adec0 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc6ec0)
#1 0x7f888adf17d0 in jas_malloc /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_malloc.c:241
#2 0x7f888adf19df in jas_alloc2 /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_malloc.c:274
#3 0x7f888ae0dd61 in jp2_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:370
#4 0x7f888ade799c in jas_image_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:442
#5 0x40215c in main /home/ubuntu/aflsmart-experiments/jasper-asan/src/appl/jasper.c:236
#6 0x7f888aa0582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:994 in jas_image_depalettize

Bug-2: Access Violation (jasper_bug_2.jp2)

ASAN says:

ASAN:DEADLYSIGNAL

==183299==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x7f2b29efed79 bp 0x7ffd5330cb50 sp 0x7ffd5330cac0 T0)
#0 0x7f2b29efed78 in jas_image_readcmpt /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:505
#1 0x7f2b29f1b21e in bmp_putdata /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/bmp/bmp_enc.c:324
#2 0x7f2b29f19f71 in bmp_encode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/bmp/bmp_enc.c:217
#3 0x7f2b29efeb5c in jas_image_encode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:469
#4 0x4024b4 in main /home/ubuntu/aflsmart-experiments/jasper-asan/src/appl/jasper.c:277
#5 0x7f2b29b1c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#6 0x401948 in _start (/home/ubuntu/aflsmart-experiments/jasper-asan/afl-build/src/appl/jasper+0x401948)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:505 in jas_image_readcmpt

Bug-3: Heap Buffer Overflow - Write of size 1 (jasper_bug_3.jp2)

ASAN says:

=================================================================
==58646==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000decf at pc 0x7f1939ddb26b bp 0x7ffe58ab9ee0 sp 0x7ffe58ab9ed0
WRITE of size 1 at 0x60200000decf thread T0
#0 0x7f1939ddb26a in jas_icctxtdesc_input /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_icc.c:1107
#1 0x7f1939dd6523 in jas_iccprof_load /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_icc.c:340
#2 0x7f1939de21f3 in jas_iccprof_createfrombuf /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_icc.c:1727
#3 0x7f1939e0a213 in jp2_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:298
#4 0x7f1939de499c in jas_image_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:442
#5 0x40215c in main /home/ubuntu/aflsmart-experiments/jasper-asan/src/appl/jasper.c:236
#6 0x7f1939a0282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#7 0x401948 in _start (/home/ubuntu/aflsmart-experiments/jasper-asan/afl-build/src/appl/jasper+0x401948)

0x60200000decf is located 1 bytes to the left of 1-byte region [0x60200000ded0,0x60200000ded1)
allocated by thread T0 here:
#0 0x7f193a1aaec0 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc6ec0)
#1 0x7f1939dee7d0 in jas_malloc /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_malloc.c:241
#2 0x7f1939ddb0ff in jas_icctxtdesc_input /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_icc.c:1102
#3 0x7f1939dd6523 in jas_iccprof_load /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_icc.c:340
#4 0x7f1939de21f3 in jas_iccprof_createfrombuf /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_icc.c:1727
#5 0x7f1939e0a213 in jp2_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:298
#6 0x7f1939de499c in jas_image_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:442
#7 0x40215c in main /home/ubuntu/aflsmart-experiments/jasper-asan/src/appl/jasper.c:236
#8 0x7f1939a0282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_icc.c:1107 in jas_icctxtdesc_input

Bug-4: Null pointer dereference (jasper_bug_4.jp2)

ASAN says:

warning: trailing garbage in marker segment (3 bytes)
warning: trailing garbage in marker segment (32 bytes)
warning: not enough tile data (109 bytes)
warning: number of components mismatch
warning: component data type mismatch

ASAN:DEADLYSIGNAL

==13140==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fb64d6cc802 bp 0x7ffce5a16ee0 sp 0x7ffce5a16d40 T0)
#0 0x7fb64d6cc801 in jp2_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:417
#1 0x7fb64d6a599c in jas_image_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:442
#2 0x40215c in main /home/ubuntu/aflsmart-experiments/jasper-asan/src/appl/jasper.c:236
#3 0x7fb64d2c382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#4 0x401948 in _start (/home/ubuntu/aflsmart-experiments/jasper-asan/afl-build/src/appl/jasper+0x401948)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:417 in jp2_decode

Bug-5: Heap Buffer Overflow - Read of size 8 (jasper_bug_5.jp2)

ASAN says:

warning: forcing negative ROI shift to zero (bitstream is probably corrupt)
warning: forcing negative ROI shift to zero (bitstream is probably corrupt)
warning: forcing negative ROI shift to zero (bitstream is probably corrupt)
warning: component data type mismatch

==152291==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ed70 at pc 0x7fc92f7873c3 bp 0x7ffe0ef9d3c0 sp 0x7ffe0ef9d3b0
READ of size 8 at 0x60200000ed70 thread T0
#0 0x7fc92f7873c2 in jp2_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:405
#1 0x7fc92f76099c in jas_image_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:442
#2 0x40215c in main /home/ubuntu/aflsmart-experiments/jasper-asan/src/appl/jasper.c:236
#3 0x7fc92f37e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#4 0x401948 in _start (/home/ubuntu/aflsmart-experiments/jasper-asan/afl-build/src/appl/jasper+0x401948)

0x60200000ed71 is located 0 bytes to the right of 1-byte region [0x60200000ed70,0x60200000ed71)
allocated by thread T0 here:
#0 0x7fc92fb26ec0 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc6ec0)
#1 0x7fc92f76a7d0 in jas_malloc /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_malloc.c:241
#2 0x7fc92f76a9df in jas_alloc2 /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_malloc.c:274
#3 0x7fc92f78090d in jp2_cdef_getdata /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_cod.c:479
#4 0x7fc92f77f93c in jp2_box_get /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_cod.c:312
#5 0x7fc92f785495 in jp2_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:159
#6 0x7fc92f76099c in jas_image_decode /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/base/jas_image.c:442
#7 0x40215c in main /home/ubuntu/aflsmart-experiments/jasper-asan/src/appl/jasper.c:236
#8 0x7fc92f37e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:405 in jp2_decode

Bug-6: Assertion Failure (japer_bug_6.jp2)

jasper: /home/ubuntu/aflsmart-experiments/jasper/src/libjasper/jpc/jpc_math.c:94: jpc_floorlog2: Assertion `x > 0' failed.
==16546==
==16546== Process terminating with default action of signal 6 (SIGABRT)
==16546== at 0x523D428: raise (raise.c:54)
==16546== by 0x523F029: abort (abort.c:89)
==16546== by 0x5235BD6: __assert_fail_base (assert.c:92)
==16546== by 0x5235C81: __assert_fail (assert.c:101)
==16546== by 0x4F441EE: jpc_floorlog2 (jpc_math.c:94)
==16546== by 0x4FADB17: jpc_dec_decodepkt (jpc_t2dec.c:314)
==16546== by 0x4FADB17: jpc_dec_decodepkts (jpc_t2dec.c:454)
==16546== by 0x4F21745: jpc_dec_process_sod (jpc_dec.c:627)
==16546== by 0x4F1C938: jpc_dec_decode (jpc_dec.c:424)
==16546== by 0x4F1C938: jpc_decode (jpc_dec.c:261)
==16546== by 0x4EF832A: jp2_decode (jp2_dec.c:218)
==16546== by 0x4EA95B3: jas_image_decode (jas_image.c:442)
==16546== by 0x401C34: main (jasper.c:236)

Bug-7: SIGABRT - Aborted (jasper_bug_7.jp2)

==28280== Process terminating with default action of signal 6 (SIGABRT)
==28280== at 0x523D428: raise (raise.c:54)
==28280== by 0x523F029: abort (abort.c:89)
==28280== by 0x4F262E8: jpc_dec_process_sot (jpc_dec.c:488)
==28280== by 0x4F1C938: jpc_dec_decode (jpc_dec.c:424)
==28280== by 0x4F1C938: jpc_decode (jpc_dec.c:261)
==28280== by 0x4EF832A: jp2_decode (jp2_dec.c:218)
==28280== by 0x4EA95B3: jas_image_decode (jas_image.c:442)
==28280== by 0x401C34: main (jasper.c:236)

Bug-8: Assertion failure (jasper_bug_8.jp2)

Error message:

warning: not enough tile data (394 bytes)
warning: forcing negative ROI shift to zero (bitstream is probably corrupt)
ICC Profile CS 47524159
jasper: /home/ubuntu/aflsmart-experiments/jasper-asan/src/libjasper/jp2/jp2_dec.c:308: jp2_decode: Assertion `dec->image->cmprof_' failed.
Aborted

Stack trace:
==33135== Process terminating with default action of signal 6 (SIGABRT)
==33135== at 0x523D428: raise (raise.c:54)
==33135== by 0x523F029: abort (abort.c:89)
==33135== by 0x5235BD6: __assert_fail_base (assert.c:92)
==33135== by 0x5235C81: __assert_fail (assert.c:101)
==33135== by 0x4EFC8E6: jp2_decode (jp2_dec.c:308)
==33135== by 0x4EA95B3: jas_image_decode (jas_image.c:442)
==33135== by 0x401C34: main (jasper.c:236)

Bug-9: Assertion failure (japser_bug_9.jp2)

Valgrind says:
warning: trailing garbage in marker segment (30 bytes)
warning: ignoring unknown marker segment (0xff68)
type = 0xff68 (UNKNOWN); len = 37;00 01 43 ff 5f 61 74 80 00 00 00 79 28 00 10 65 88 4a 50 45 47 20 5e 65 72 73 51 6f 6e 20 32 2e 33 2e 30 jasper: /home/ubuntu/aflsmart-experiments/jasper/src/libjasper/jpc/jpc_dec.c:1703: calcstepsizes: Assertion `!((expn + (numrlvls - 1) - (numrlvls - 1 - ((bandno > 0) ? ((bandno + 2) / 3) : (0)))) & (~0x1f))' failed.
==109382==
==109382== Process terminating with default action of signal 6 (SIGABRT)
==109382== at 0x523D428: raise (raise.c:54)
==109382== by 0x523F029: abort (abort.c:89)
==109382== by 0x5235BD6: __assert_fail_base (assert.c:92)
==109382== by 0x5235C81: __assert_fail (assert.c:101)
==109382== by 0x4F24B2A: calcstepsizes (jpc_dec.c:1702)
==109382== by 0x4F24B2A: jpc_dec_cp_prepare (jpc_dec.c:1721)
==109382== by 0x4F24B2A: jpc_dec_process_sod (jpc_dec.c:592)
==109382== by 0x4F1C938: jpc_dec_decode (jpc_dec.c:424)
==109382== by 0x4F1C938: jpc_decode (jpc_dec.c:261)
==109382== by 0x4EF832A: jp2_decode (jp2_dec.c:218)
==109382== by 0x4EA95B3: jas_image_decode (jas_image.c:442)
==109382== by 0x401C34: main (jasper.c:236)

Bug-10: Assertion Failure (jasper_bug_10.jp2)

warning: ignoring unknown marker segment (0xff68)
type = 0xff68 (UNKNOWN); len = 37;00 01 43 72 65 61 74 10 64 20 62 79 20 00 10 65 6e 4a 50 45 47 20 5e 65 72 73 69 6f 6e 20 32 2e 33 2e 30 warning: not enough tile data (5 bytes)

warning: forcing negative ROI shift to zero (bitstream is probably corrupt)
warning: forcing negative ROI shift to zero (bitstream is probably corrupt)
warning: forcing negative ROI shift to zero (bitstream is probably corrupt)

jasper: /home/ubuntu/aflsmart-experiments/jasper/src/libjasper/jpc/jpc_dec.c:1883: jpc_dequantize: Assertion `absstepsize >= 0' failed.
==135670==
==135670== Process terminating with default action of signal 6 (SIGABRT)
==135670== at 0x523D428: raise (raise.c:54)
==135670== by 0x523F029: abort (abort.c:89)
==135670== by 0x5235BD6: __assert_fail_base (assert.c:92)
==135670== by 0x5235C81: __assert_fail (assert.c:101)
==135670== by 0x4F12FBE: jpc_dequantize (jpc_dec.c:1883)
==135670== by 0x4F12FBE: jpc_dec_tiledecode (jpc_dec.c:1107)
==135670== by 0x4F22B34: jpc_dec_process_sod (jpc_dec.c:657)
==135670== by 0x4F1C938: jpc_dec_decode (jpc_dec.c:424)
==135670== by 0x4F1C938: jpc_decode (jpc_dec.c:261)
==135670== by 0x4EF832A: jp2_decode (jp2_dec.c:218)
==135670== by 0x4EA95B3: jas_image_decode (jas_image.c:442)
==135670== by 0x401C34: main (jasper.c:236)

Regards,

Thuan

jasper_bugs.zip


@asarubbo asarubbo commented Nov 8, 2018

@thuanpv is AFLSmart publicly available?


@thuanpv thuanpv commented Nov 10, 2018

Thanks @asarubbo for your interest in AFLSmart. It is not publicly available yet. We will make it open source soon, and I will keep you posted.

@apoleon apoleon commented Jan 3, 2019

I had a look at these issues a while ago and came up with some simple patches suitable for backporting to older versions of jasper. They may be too simple, but I could successfully prevent the NULL pointer dereferences and heap-based overflows.

Bug 2: CVE-2018-19539

The assertion is triggered because data == NULL.

https://gist.github.com/apoleon/7c0f3a0c28437c18fee8a51b1aa16164

Bug 4: CVE-2018-19542

The function jp2_getct returns a NULL pointer. I did not look into this further but the crash can be prevented by adding this check.

https://gist.github.com/apoleon/701d7db34d63faa16463935b1465c74e

Bug 3: CVE-2018-19540

If txtdesc->asclen is < 1, the array index of txtdesc->ascdata will be negative, which causes the heap-based overflow.

https://gist.github.com/apoleon/13598a45bf6522f6a79b77a629205823

Bug 1: CVE-2018-19541

The index v of lutents[v] will be negative if numlutents is smaller than 1.
This causes the heap-based buffer overflow because the lutents array starts at 0.

https://gist.github.com/apoleon/3e9d4e86c51d16c7e551a1cc538528b9

Bug 5: CVE-2018-19543

The bug appears to be related to CVE-2014-8138. I can reproduce this issue with ASAN. However, without ASAN, the guard in jp2_decode works as expected.

    /* Is the channel number reasonable? */
    if (dec->cdef->data.cdef.ents[i].channo >= dec->numchans) {
        jas_eprintf("error: invalid channel number in CDEF box\n");
        goto error;
    }

dec->cdef->data.cdef.ents[i].channo is much larger than dec->numchans, and we goto error. I fail to understand why ASAN thinks this one causes a heap-based overflow; it might be a false positive.

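The two index-underflow patterns described above for Bug 1 (lutents[v] with numlutents < 1) and Bug 3 (ascdata[asclen - 1] with asclen < 1) share one root cause: a count taken from the file is used to clamp or compute an array index without first checking that it is at least 1, so the index becomes -1 and lands just before the allocation, which is exactly what the "to the left of 1-byte region" lines in the ASAN reports show. The following is an added example written for this page; it is not JasPer code and not one of the patches linked above. The function names palette_lookup and textdesc_load, the textdesc_t layout, and the sample inputs are all constructed here. It shows the defensive form of each pattern: the count is validated before it is used as an index, and a bad count becomes an error return instead of an out-of-bounds access.

```c
/* Added example, not JasPer code. Names and layouts are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bug 1 pattern (Bug-1 report: jas_image_depalettize).
 * A sample value v is clamped into [0, numlutents - 1] and used to index a
 * palette table. If numlutents is 0, the clamp produces v = -1 and the read
 * hits the 8 bytes before the allocation. The fix is to refuse an empty
 * table before clamping, so the clamped index is always >= 0. */
int palette_lookup(const int64_t *lutents, int numlutents, int v, int64_t *out)
{
    if (lutents == NULL || numlutents < 1)
        return -1;              /* empty or missing table: nothing to look up */
    if (v < 0)
        v = 0;
    else if (v >= numlutents)
        v = numlutents - 1;     /* numlutents >= 1, so this is >= 0 */
    *out = lutents[v];
    return 0;
}

/* Bug 3 pattern (Bug-3 report: jas_icctxtdesc_input).
 * A length field is read from the input, used to size an allocation, and
 * then used to terminate the string with ascdata[asclen - 1] = '\0'.
 * With asclen == 0 (or negative, if the field is signed) that index is -1.
 * Here the length is rejected when it is < 1 or longer than the remaining
 * input, before any allocation or indexing happens. */
typedef struct {
    uint32_t asclen;
    char *ascdata;
} textdesc_t;

/* buf: constructed record = 4-byte big-endian asclen followed by asclen bytes. */
int textdesc_load(const uint8_t *buf, size_t buflen, textdesc_t *td)
{
    if (buf == NULL || td == NULL || buflen < 4)
        return -1;
    uint32_t asclen = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                      ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    if (asclen < 1 || asclen > buflen - 4)
        return -1;              /* zero length, or length past end of input */
    td->ascdata = malloc(asclen);
    if (td->ascdata == NULL)
        return -1;
    memcpy(td->ascdata, buf + 4, asclen);
    td->ascdata[asclen - 1] = '\0';  /* asclen >= 1, so the index is in bounds */
    td->asclen = asclen;
    return 0;
}

void textdesc_free(textdesc_t *td)
{
    free(td->ascdata);
    td->ascdata = NULL;
    td->asclen = 0;
}

int main(void)
{
    /* Constructed inputs: a 3-entry table and an empty one. */
    const int64_t lut[3] = {10, 20, 30};
    int64_t out = 0;
    printf("lookup(3 entries, v=7):  rc=%d out=%lld\n",
           palette_lookup(lut, 3, 7, &out), (long long)out);
    printf("lookup(0 entries, v=0):  rc=%d\n", palette_lookup(lut, 0, 0, &out));

    /* Constructed records: asclen = 4 with "abcd", and asclen = 0. */
    const uint8_t good[] = {0, 0, 0, 4, 'a', 'b', 'c', 'd'};
    const uint8_t zero[] = {0, 0, 0, 0};
    textdesc_t td = {0, NULL};
    if (textdesc_load(good, sizeof good, &td) == 0) {
        printf("textdesc(asclen=4): \"%s\"\n", td.ascdata);
        textdesc_free(&td);
    }
    printf("textdesc(asclen=0): rc=%d\n", textdesc_load(zero, sizeof zero, &td));
    return 0;
}
```

Both checks sit before the first use of the untrusted count, which is the property a backport patch for this class of bug needs to preserve; the same test files that trigger the ASAN reports above should then produce a clean error return rather than an out-of-bounds access.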

@thuanpv thuanpv commented Feb 4, 2019

FYI, AFLSmart now is available at https://github.com/aflsmart/aflsmart


jubalh added a commit to jubalh/jasper that referenced this issue Mar 15, 2019
Regards CVE-2018-19542.
Regards jasper-software#182.

Adapted fix from Markus Koschany <apo@debian.org>.
From https://gist.github.com/apoleon/701d7db34d63faa16463935b1465c74e
jubalh added a commit to jubalh/jasper that referenced this issue Mar 15, 2019
If txtdesc->asclen is < 1, the array index of txtdesc->ascdata will be negative which causes the heap based overflow.

Regards CVE-2018-19540.
Regards jasper-software#182 bug#3
Fix by Markus Koschany <apo@debian.org>.
From https://gist.github.com/apoleon/13598a45bf6522f6a79b77a629205823
jubalh added a commit to jubalh/jasper that referenced this issue Mar 15, 2019
The index v of lutents[v] will be negative if numlutents is smaller than 1.
This causes the heap-based buffer overflow because the lutents[] starts at 0.

Regards CVE-2018-19541.
Regards jasper-software#182 bug#1
Fix by Markus Koschany apo@debian.org.
From https://gist.github.com/apoleon/3e9d4e86c51d16c7e551a1cc538528b9

@theta682 theta682 commented Mar 18, 2019

The fix for CVE-2018-19542 is incorrect: it breaks support for correct .jp2 files (bug-19542.jp2.zip). Please see my PR #200.

@jubalh jubalh mentioned this issue Jul 3, 2019
jubalh added a commit to jasper-maint/jasper that referenced this issue Jun 15, 2020
If txtdesc->asclen is < 1, the array index of txtdesc->ascdata will be negative which causes the heap based overflow.

Regards CVE-2018-19540.
Regards jasper-software/jasper#182 bug#3
Fix by Markus Koschany <apo@debian.org>.
From https://gist.github.com/apoleon/13598a45bf6522f6a79b77a629205823

See: jasper-software/jasper#198
Fix #22
jubalh added a commit to jasper-maint/jasper that referenced this issue Jun 16, 2020
If txtdesc->asclen is < 1, the array index of txtdesc->ascdata will be negative which causes the heap based overflow.

Regards CVE-2018-19540.
Regards jasper-software/jasper#182 bug#3
Fix by Markus Koschany <apo@debian.org>.
From https://gist.github.com/apoleon/13598a45bf6522f6a79b77a629205823

See: jasper-software/jasper#198
Fix #22
jubalh added a commit to jasper-maint/jasper that referenced this issue Jun 18, 2020
If txtdesc->asclen is < 1, the array index of txtdesc->ascdata will be negative which causes the heap based overflow.

Regards CVE-2018-19540.
Regards jasper-software/jasper#182 bug#3
Fix by Markus Koschany <apo@debian.org>.
From https://gist.github.com/apoleon/13598a45bf6522f6a79b77a629205823
Location adapted.

See: jasper-software/jasper#198
Fix #22
jubalh added a commit to jasper-maint/jasper that referenced this issue Jun 19, 2020
If txtdesc->asclen is < 1, the array index of txtdesc->ascdata will be negative which causes the heap based overflow.

Regards CVE-2018-19540.
Regards jasper-software/jasper#182 bug#3
Fix by Markus Koschany <apo@debian.org>.
From https://gist.github.com/apoleon/13598a45bf6522f6a79b77a629205823
Location adapted.

See: jasper-software/jasper#198
Fix #22
jubalh added a commit to jasper-maint/jasper that referenced this issue Jun 19, 2020

@MaxKellermann MaxKellermann commented Jun 28, 2020

Since this project has been mostly dead for several years, we created a fork which aims to fix all vulnerabilities (of which there are many).
This bug will be fixed by jasper-maint/jasper#38 (merge pending).

@jubalh jubalh closed this in 839b1bc Jul 28, 2020
jubalh added a commit to jubalh/buildroot that referenced this issue Jul 28, 2020
Changes:
* Fix CVE-2018-9154
  jasper-software/jasper#215
  jasper-software/jasper#166
  jasper-software/jasper#175
  jasper-maint/jasper#8

* Fix CVE-2018-19541
  jasper-software/jasper#199
  jasper-maint/jasper#6

* Fix CVE-2016-9399, CVE-2017-13751
  jasper-maint/jasper#1

* Fix CVE-2018-19540
  jasper-software/jasper#182
  jasper-maint/jasper#22

* Fix CVE-2018-9055
  jasper-maint/jasper#9

* Fix CVE-2017-13748
  jasper-software/jasper#168

* Fix CVE-2017-5503, CVE-2017-5504, CVE-2017-5505
  jasper-maint/jasper#3
  jasper-maint/jasper#4
  jasper-maint/jasper#5
  jasper-software/jasper#88
  jasper-software/jasper#89
  jasper-software/jasper#90

* Fix CVE-2018-9252
  jasper-maint/jasper#16

* Fix CVE-2018-19139
  jasper-maint/jasper#14

* Fix CVE-2018-19543, CVE-2017-9782
  jasper-maint/jasper#13
  jasper-maint/jasper#18
  jasper-software/jasper#140
  jasper-software/jasper#182

* Fix CVE-2018-20570
  jasper-maint/jasper#11
  jasper-software/jasper#191

* Fix CVE-2018-20622
  jasper-maint/jasper#12
  jasper-software/jasper#193

* Fix CVE-2016-9398
  jasper-maint/jasper#10

* Fix CVE-2017-14132
  jasper-maint/jasper#17

* Fix CVE-2017-5499
  jasper-maint/jasper#2
  jasper-software/jasper#63

* Fix CVE-2018-18873
  jasper-maint/jasper#15
  jasper-software/jasper#184

* Fix jasper-software/jasper#207

* Fix jasper-software/jasper#194 part 1

* Fix CVE-2017-13750
  jasper-software/jasper#165
  jasper-software/jasper#174

* New option -DJAS_ENABLE_HIDDEN=true to not export internal symbols in the public symbol table

* Fix various memory leaks

* Plenty of code cleanups, and performance improvements
buildroot-auto-update pushed a commit to buildroot/buildroot that referenced this issue Aug 3, 2020
Fixes the following security issues:
* Fix CVE-2018-9154
  jasper-software/jasper#215
  jasper-software/jasper#166
  jasper-software/jasper#175
  jasper-maint/jasper#8

* Fix CVE-2018-19541
  jasper-software/jasper#199
  jasper-maint/jasper#6

* Fix CVE-2016-9399, CVE-2017-13751
  jasper-maint/jasper#1

* Fix CVE-2018-19540
  jasper-software/jasper#182
  jasper-maint/jasper#22

* Fix CVE-2018-9055
  jasper-maint/jasper#9

* Fix CVE-2017-13748
  jasper-software/jasper#168

* Fix CVE-2017-5503, CVE-2017-5504, CVE-2017-5505
  jasper-maint/jasper#3
  jasper-maint/jasper#4
  jasper-maint/jasper#5
  jasper-software/jasper#88
  jasper-software/jasper#89
  jasper-software/jasper#90

* Fix CVE-2018-9252
  jasper-maint/jasper#16

* Fix CVE-2018-19139
  jasper-maint/jasper#14

* Fix CVE-2018-19543, CVE-2017-9782
  jasper-maint/jasper#13
  jasper-maint/jasper#18
  jasper-software/jasper#140
  jasper-software/jasper#182

* Fix CVE-2018-20570
  jasper-maint/jasper#11
  jasper-software/jasper#191

* Fix CVE-2018-20622
  jasper-maint/jasper#12
  jasper-software/jasper#193

* Fix CVE-2016-9398
  jasper-maint/jasper#10

* Fix CVE-2017-14132
  jasper-maint/jasper#17

* Fix CVE-2017-5499
  jasper-maint/jasper#2
  jasper-software/jasper#63

* Fix CVE-2018-18873
  jasper-maint/jasper#15
  jasper-software/jasper#184

* Fix CVE-2017-13750
  jasper-software/jasper#165
  jasper-software/jasper#174

Furthermore, drop now upstreamed patches and change to the new
jasper-software upstream location.

Signed-off-by: Michael Vetter <jubalh@iodoru.org>
[Peter: reword for security bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
woodsts pushed a commit to woodsts/buildroot that referenced this issue Aug 18, 2020
Fixes the following security issues:
* Fix CVE-2018-9154
  jasper-software/jasper#215
  jasper-software/jasper#166
  jasper-software/jasper#175
  jasper-maint/jasper#8

* Fix CVE-2018-19541
  jasper-software/jasper#199
  jasper-maint/jasper#6

* Fix CVE-2016-9399, CVE-2017-13751
  jasper-maint/jasper#1

* Fix CVE-2018-19540
  jasper-software/jasper#182
  jasper-maint/jasper#22

* Fix CVE-2018-9055
  jasper-maint/jasper#9

* Fix CVE-2017-13748
  jasper-software/jasper#168

* Fix CVE-2017-5503, CVE-2017-5504, CVE-2017-5505
  jasper-maint/jasper#3
  jasper-maint/jasper#4
  jasper-maint/jasper#5
  jasper-software/jasper#88
  jasper-software/jasper#89
  jasper-software/jasper#90

* Fix CVE-2018-9252
  jasper-maint/jasper#16

* Fix CVE-2018-19139
  jasper-maint/jasper#14

* Fix CVE-2018-19543, CVE-2017-9782
  jasper-maint/jasper#13
  jasper-maint/jasper#18
  jasper-software/jasper#140
  jasper-software/jasper#182

* Fix CVE-2018-20570
  jasper-maint/jasper#11
  jasper-software/jasper#191

* Fix CVE-2018-20622
  jasper-maint/jasper#12
  jasper-software/jasper#193

* Fix CVE-2016-9398
  jasper-maint/jasper#10

* Fix CVE-2017-14132
  jasper-maint/jasper#17

* Fix CVE-2017-5499
  jasper-maint/jasper#2
  jasper-software/jasper#63

* Fix CVE-2018-18873
  jasper-maint/jasper#15
  jasper-software/jasper#184

* Fix CVE-2017-13750
  jasper-software/jasper#165
  jasper-software/jasper#174

Furthermore, drop now upstreamed patches and change to the new
jasper-software upstream location.

Signed-off-by: Michael Vetter <jubalh@iodoru.org>
[Peter: reword for security bump]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit d0f7b24)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>